There Is No Going Dark: Another Vendor Selling Tool That Cracks All iPhones

from the FBI's-dystopian-fiction-develops-another-plot-hole dept

The FBI continues to push its "going dark" theory. It's not interested in the truth. It would rather have a legislative mandate or a string of favorable court decisions than utilize options vendors have made available. These are the candles the FBI will forgo to publicly curse the darkness. A recent Inspector General's report made it crystal clear: those charged with finding a way to crack open the San Bernardino shooter's cell phone slow-walked their search in hopes of ending up with a judicial mandate forcing Apple to crack its own encryption.

The complaints about the darkness continue, even as vendors like Cellebrite have shown they can crack any iPhone given enough money and time. There are solutions out there, but the FBI doesn't want them. Cellebrite isn't the only company with an iPhone crack for sale. As Joseph Cox reports for Motherboard, another device has surfaced that can brute force its way past iPhone lock screens. The FBI may continue its disingenuous push for weakened encryption, but law enforcement agencies around the nation are more than willing to pay for a solution that doesn't involve Congressional reps or federal judges.

Grayshift has been shopping its iPhone cracking technology to police forces. The firm, which includes an ex-Apple security engineer on its staff, provided demonstrations to potential customers, according to one email.

"I attended your demo presentation recently held at the Montgomery County Police Headquarters and was pleased by your product's potential," an Assistant Commander from the Technical Investigations Section at the Maryland State Police wrote in an email to Grayshift in March.

The GrayKey itself is a small, 4x4 inches box with two lightning cables for connecting iPhones, according to photographs published by cybersecurity firm Malwarebytes. The device comes in two versions: a $15,000 one which requires online connectivity and allows 300 unlocks (or $50 per phone), and and an offline, $30,000 version which can crack as many iPhones as the customer wants. Marketing material seen byForbes says GrayKey can unlock devices running iterations of Apple's latest mobile operating system iOS 11, including on the iPhone X, Apple's most recent phone.

According to documents obtained by Motherboard, multiple state and local law enforcement agencies have purchased Grayshift's device. The documents also show many agencies expressing an interest in picking up a GrayKey, including some at the federal level, like the DEA and, oddly enough, the FBI. The FBI doesn't appear to have acquired one yet, but if that's the case, it's lagging behind local PDs with less funding and tech expertise. It's also trailing the State Department, which has already acquired at least one of the devices.

The device comes in two flavors: an online version with a fixed number of unlocks or an offline version that retails for twice as much ($30,000) but can be used as often as the purchaser wants (or until Apple fixes the vulnerability, whichever comes first). The brute force method deployed takes anywhere from 2 hours to several days, depending on passcode complexity.

"Going dark" is a convenient lie. The FBI has been deliberately misconstruing reality for a couple of years now, beginning with then-director James Comey's coining of the phrase. Even while Comey was peddling his "going dark" theory to security researchers, Congressional reps, and federal judges, the FBI was rarely having trouble accessing device contents. In 2016, the FBI admitted it could access the contents of passcode-protected devices 87% of the time. Somehow, despite only incremental changes in encryption offerings, the small number of locked devices has grown from ~880 to over 7,000 in two years. This suggests FBI officials are more interested in generating a "going dark" narrative than actually deploying available tech to access contents of seized devices.

The existence of another device capable of cracking iPhone encryption should be good news for the FBI. Other law enforcement agencies apparently view this as a plus. The downside for those not employed by the government is that there's a vulnerability in iPhones Apple hasn't fixed yet. And, given the intense secrecy surrounding vendors of exploits, we have no idea how many governments have purchased iPhone-cracking devices. It's unlikely Hacking Team is the only exploit vendor selling to authoritarian governments and UN-blacklisted countries. It's just the only one to have been caught doing it. An exploit is an exploit and it will be used by the good and the bad.

Not that relegating it to "good" law enforcement agencies is necessarily a huge improvement. Authoritarian regimes may use tools like this to go after critics and stifle dissent, but let's not forget the FBI has a long history of doing exactly the same thing under the guise of protecting public safety. And, at this point, the FBI isn't being honest about its weapons stockpiles during this Crypto Cold War. Sure, it needs to retain some sort of tactical advantage -- whether it's pursuing bad guys or legislation -- but it should never be granted full credibility when it talks about thousands of unlocked phones, the coming darkness, and how much security we should be forced to give up in the name of public safety.

Filed Under: doj, encryption, fbi, going dark, hacking, iphones, smartphones
Companies: apple, cellebrite, grayshift

Federal Backpage Indictment Shows SESTA Unnecessary, Contains Zero Sex Trafficking Charges

from the all-about-the-sex-trafficking-except-when-it-isn't-really-about-that dept

Last Friday, the DOJ somehow managed to seize Backpage's websites, despite SESTA/FOSTA still lying on the president's desk waiting for a signature. The anti-Section 230 law, d/b/a an anti-sex trafficking statute, was declared a necessity by supporters -- the only thing able to pierce service provider immunity and somehow bring sex traffickers to justice by... [checks notes] arresting or fining tech company executives.

The indictment [PDF] behind the DOJ site seizures has finally been made public. It contains a wealth of details about Backpage's adult ads business and a plethora of charges (93) levelled at seven Backpage principals, including founders Michael Lacey and James Larkin.

What you won't find amongst the charges is anything about sex trafficking. Lacey is charged with 79 felonies, which include money laundering (which occurred after credit card companies were pressured into refusing to process Backpage ad payments), conspiracy, and 50 counts of Travel Act violations. Because Backpage processed adult ads for sex traffickers all over the nation, prosecutors are able to bring federal charges for state-level "facilitating prostitution" violations against Backpage execs under the theory these electronic transactions "crossed" state lines.

So, for all the handwringing about sex trafficking and "untouchable" tech execs, the DOJ has nailed a handful of execs and foregone any concerns about their apparent role in sex trafficking. What the indictment shows is Backpage allegedly facilitated a whole lot of consensual sex between paying customers and sex workers. The indictment also inadvertently shows how Backpage made things safer for sex workers.

In one internal email, LACEY actually bragged about the company's contributions to the prostitution industry: "Backpage is part of the solution. Eliminating adult advertising will in no way eliminate or even reduce the incidence of prostitution in this country… For the very first time, the oldest profession in the world has transparency, record keeping and safeguards."

To the government, this is a bad thing. To sex workers, it was a way to pre-screen customers and reduce their own risks. The government really doesn't care if sex workers are beaten, raped, or killed. It would rather force the oldest profession as far underground as possible and presumably let attrition cull the supply side. Meanwhile, it will busy itself with arresting the demand side, because that's the easiest way for it to rack up convictions. It quotes an affidavit from a Boston PD detective stating that "since 2010," the PD had arrested "over 100 buyers of sex of both adults and minors through Backpage.com ads." And this stops sex trafficking how? There's no mention of pimps being arrested despite the same detective making the sworn statement that "nearly all" cases associated with Backpage "involve pimp-controlled prostitution."

But that's about all the nice things I have to say about Backpage. The indictment contains details from internal documents showing ad moderators routinely stripped references to underage sex from ads so they could still allow the ads to run and presumably reach customers. They also show Backpage never implemented recommendations from NCMEC (National Center for Missing and Exploited Children) and researchers to better police ads for possible abuse of minors. The communications obtained by the government also show Backpage withheld info from NCMEC to keep its referrals to less than 500 a month. So, while it was referring plenty of stuff to the child exploitation clearinghouse, it was also holding stuff back so as not to appear to be a clearinghouse for child exploitation.

As for the efforts it made to strip ads of terms and pictures that might have given away the illegal nature of the acts being advertised, I'm less appalled. To be sure, this sort of facilitation is illegal. But the moderation efforts, in some cases, prevented illegal ads from being posted and only allowed those through that eliminated indications sex was being exchanged for money. The ads were likely legal post-moderation, but the acts being slyly advertised, not so much.

The bottom line appears to have been the main consideration -- not adherence to multiple statutes in the multiple states Backpage served customers. That leads to another fact routinely trumpeted by politicians and prosecutors: that the vast majority of Backpage's income came from "illegal" sex-for-sale ads. It's a fact but it's somewhat misleading. Sex ads were the only base service Backpage charged for. It was always going to make the most money from these ad sales. It's not because they were so much more profitable on their own. There's just nothing else to compare it to. Something that costs something is always going to generate more income than stuff given away for free.

On top of that, this ad section -- where Backpage made money -- was already killed by Backpage voluntarily. People selling and buying sex didn't just vanish, though. It migrated to other sections of the site, just like it did when Craigslist killed their adult services section off years ago. The market didn't disappear. It just became a little bit tougher to locate.

Whether you believe Backpage execs are scapegoats or pariahs, one thing is certain: legislators didn't need to tamper with Section 230 protections to make this happen. Plenty of existing statutes were available for prosecutors to wield against the website and its founders. And for all the talk of sex trafficking over the weekend, there's not a single charge related to sex trafficking in the long list being presented to a federal judge.

Filed Under: doj, sesta
Companies: backpage

FBI Is Using Classified Tools For Regular Investigations And That's Going To End Up Hurting Everyone

from the when-'going-dark'-just-means-parallel-construction dept

A recent Inspector General's report laid bare the FBI's real motivations in the San Bernardino shooting case. It didn't want a technical solution. It wanted judicial precedent. While the DOJ presented its claims that no tech breakthrough was forthcoming, the FBI's left and right hands were operating independently. Technically, this means Comey and the DOJ did not lie when they told a federal judge and Congress (respectively) that an All Writs Act order was the only solution.

But dig deeper into the report, and you'll find information much more damning than some truth-fudging. One division of the FBI, which had been explicitly asked to search for a way to hack into the locked iPhone, only made a half-assed effort to do so, in hopes of slow-walking the FBI into favorable precedent. The FBI's cryptographic unit (CEAU) was supposed to keep looking for a solution, but it didn't. It asked some cursory questions and then sat back to watch the courtroom drama.

Another area of the agency -- one supposedly limited to national security investigations -- did manage to find a solution via a third party. The Remote Operations Unit had this vendor drop everything else and work on an iPhone crack to help the CEAU out. Unfortunately for the helpful ROU official, the CEAU head didn't really want a solution and was irritated when one was found.

The reason the CEAU and ROU weren't speaking to each other directly was related to the ROU chief's belief its tools were not meant to be used in standard criminal investigations. The CEAU, however, felt it could use national security tools possessed by the ROU whenever necessary, even when the investigations had nothing to do with the agency's national security work.

Joseph Cox at Motherboard points to a couple of footnotes in the Inspector General's report that indicate the FBI has ignored this "wall" at least twice in the past.

One mentions the ROU chief, based on long standing policy, sees a “line in the sand” against using national security tools in criminal cases—this was why the ROU initially did not get involved at all with finding a solution to unlocking the San Bernardino iPhone.

[...]

“The ROU Chief was aware of two instances in which the FBI invoked these procedures,” a footnote in the report reads. In other words, although it seemingly only happened twice, the FBI has asked for permission to use classified hacking techniques in a criminal case.

The report does not provide any more info about the FBI's internal wall-breaking, but Cox speculates it may have something to do with its child porn investigations. The malware the FBI deployed to expose visitors of darkweb child porn sites was originally unclassified, but the FBI attempted to classify the exploit post-deployment for supposed national security reasons. And, indeed, the FBI has deployed this twice (that we know of) to target child porn site visitors.

The wall is there for a reason. If the exploits and tools are classified, the use in standard criminal investigations raises the chances they'll be exposed in court. It also initiates mission creep. Powerful tools become routinely-deployed exploits, eventually lessening their effectiveness and slowly (but surely) stripping away the layers of opacity surrounding them.

This is what has happened with Stingray devices. Originally, the repurposed military gear was used in only the most dire situations. Now, they're used to track people stealing fast food. In the process, the tool no one ever wanted to talk about has gone mainstream, with extensive paper trails emanating from courtroom decisions and public records requests.

The FBI had concerns Stingrays would become exactly what they are now: standard equipment, rather than overpowered tools that should only be deployed when public safety is threatened. It knew the slippery slope towards standardized use would end up exposing the devices and their capabilities. This is why it tied up agencies with non-disclosure agreements and demands it be consulted whenever info about Stingrays was requested by the public or at risk of being disclosed in court.

But there's another side effect of breaking down this wall between national security and vanilla law enforcement. The implications of this range far beyond the possible burning of a useful investigative tool. When the FBI uses classified tools to engage in normal investigations, defendants are placed at a severe disadvantage.

“When hacking tools are classified, reliance on them in regular criminal investigations is likely to severely undermine a defendant’s constitutional rights by complicating discovery into and confrontation of their details,” Brett Kaufman, a staff attorney at the ACLU, told Motherboard in an email. “If hacking tools are used at all, the government should seek a warrant to employ them, and it must fully disclose to a judge sufficient information, in clear language, about how the tools work and what they will do,” he added.

Perhaps the FBI's Remote Operations Unit was more aware, or simply more considerate, of the Constitutional implications of bringing hacking tools over the wall. The CEAU chief, at least according to this report, was less concerned about the constitutional implications but extremely worried any new tool might undermine the DOJ's push for compelled assistance precedent. As a whole, the FBI is only mildly concerned about violating rights. The agency's continuous creation of easily-indicted "terrorists" is only part of the problem. Beyond that, the agency appears to be willing to use any tools to achieve any ends… including ignoring its many options if there's a chance a court might deliver an opinion it can use to force US companies to crack open devices for it.

Filed Under: doj, fbi, san bernardino

Politicians Who Said SESTA Was Needed To Takedown Backpage Claim Victory Over Backpage Takedown... Without SESTA

from the say-what-now? dept

From the very beginning of SESTA and FOSTA, its backers kept insisting that the bill was necessary to takedown Backpage.com. Indeed, Senator Rob Portman, in announcing SESTA, entitled his press release "Senators Introduce Bipartisan Legislation to Hold Backpage Accountable." And he's spent the past six months pointing to Backpage as the reason we absolutely needed SESTA. At launch, his quote was the following:

For too long, courts around the country have ruled that Backpage can continue to facilitate illegal sex trafficking online with no repercussions. The Communications Decency Act is a well-intentioned law, but it was never intended to help protect sex traffickers who prey on the most innocent and vulnerable among us.

Except, as we pointed out multiple times, that's not at all what courts have said. What they've said is that CDA 230 immunizes the site from certain types of liability. But as two recent courts -- not to mention the DOJ shutting down Backpage on Friday -- have made clear, nothing in CDA 230 immunizes Backpage from illegal activity that it directly engaged in.

So you'd think that maybe, just maybe, Senator Portman would recognize that SESTA was a giant unnecessary boondoggle that puts a ton of people and speech at risk. But, nope. Instead, he's released a statement praising the action and pretending that SESTA will "hold online sex traffickers accountable."

“I’m pleased that Congress has taken additional steps by passing my SESTA legislation to let sex trafficking victims seek justice and allow state and local law enforcement to swiftly prosecute websites that violate federal sex trafficking laws. This bipartisan measure will make it easier to hold online sex traffickers accountable, and I look forward to seeing President Trump sign this bill into law next week.”

Except not a single thing in SESTA holds online sex traffickers accountable. Indeed, it does the exact opposite of that, in that it makes it that much more difficult for law enforcement to track down actual sex traffickers. Prior to SESTA, websites (including Backpage) frequently worked with law enforcement to help them track down those using their platforms for illegal activity. Under SESTA, no site will be willing to assist law enforcement in such a manner, because doing so will provide evidence of "knowledge" and thus, potentially, criminal liability. This sweeps the problem of sex trafficking under the rug, which might make Senator Portman feel better, but does nothing to tackle the actual problem, and makes it that much more difficult to find and prosecute actual traffickers, let alone find and rescue victims held against their will.

Still, at least Senator Portman acknowledges that SESTA/FOSTA has not been signed into law yet. That basic fact apparently escaped Representative Mimi Walters, who provided the amendment that attached SESTA to FOSTA in the House. She actually took to Twitter to claim that Backpage was shut down because of her amendment:

That's pretty incredible, considering her bill hasn't been signed into law yet. You would think that a Representative would know that her own bill wasn't a law yet, wouldn't you? Or does Congress not work that way? Anyway, SESTA/FOSTA is not the law yet, and it clearly wasn't used to take down Backpage. And, of course, what was Rep. Walters' reason for pushing SESTA in the first place? The need to take down Backpage. So, not only is she not admitting that her law (which she said was necessary) was not, in fact, necessary, she's now living in a fantasy world where her law must have helped, despite it not yet being a law.

Can we elect better people to Congress please?

Then we have Senator John McCain. His wife has been at the forefront of the anti-Backpage campaign for many years. Indeed, many people I spoke to on Capitol Hill said that it was John and Cindy McCain's support for SESTA that made the bill viable in the first place. So it's no surprise that Cindy McCain was quick to tell the media how good the seizure is, calling it a "good day." And then the Senator put out the following statement celebrating the takedown, but oddly insisting it proves why SESTA was needed.

The seizure of the malicious sex marketplace Backpage.com marks an important step forward in the fight against human trafficking. This builds on the historic effort in Congress to reform the law that for too long has protected websites like Backpage from being held liable for enabling the sale of young women and children. Today’s action sends a strong message to Backpage and any other company facilitating online sex trafficking that they will be held accountable for these horrific crimes.

But, considering that Backpage was taken down prior to SESTA becoming law, how can McCain honestly claim that the law protected Backpage from being held liable? It did not. It only protected them from liability for actions of third parties. It has never protected the site from liability for its own actions. And the takedown on Friday proved that. So it's quite bizarre for McCain to pretend otherwise.

Either way, all of this is yet more evidence that SESTA was never truly about going after Backpage. That was all just a convenient excuse to gut Section 230 of the CDA and pave the way for changing some of the fundamental open parts of the internet, closing them off and putting up more and more gatekeepers. That those who supported SESTA and insisted it was necessary to take down Backpage are now pretending otherwise just underlines that fact.

Filed Under: cda 230, cindy mccain, doj, fosta, intermediary liability, john mccain, mimi walters, rob portman, sesta
Companies: backpage

DOJ Seizes And Shuts Down Backpage.com (Before SESTA Has Even Been Signed)

from the well,-well,-well dept

So here's a Friday evening surprise: the DOJ has just seized Backpage. If you visit the site now you will see the following graphic:

It notes that additional information will be provided soon, and we'll update this post when that occurs. But first, there are a few important things to note. Before and after SESTA was voted on by Congress, we noted that while supporters of SESTA kept pointing to Backpage as the reason we needed to change CDA 230, there were two reasons why we thought it was premature to make such a change. The first was that there was a court in Massachusetts considering whether or not Backpage had lost its CDA 230 immunity by being an active participant in creating trafficking ads. And the second, more important, one was that there were many reports claiming that a DOJ grand jury was investigating Backpage, and nothing in CDA 230 stopped that from happening (federal crimes are exempt from CDA 230).

Last week the Massachusetts court ruled that Backpage had lost its CDA 230 immunity for at least one victim, and this week a court in Florida ruled the same thing (though for dubious reasons).

And now the DOJ has seized the entire site, suggesting that the grand jury found the evidence it needed to take it down (we'll reserve judgment on that evidence until the indictment is out).

And while SESTA has been approved by Congress, it is still not the law. The President is likely going to sign it next week.

So we have a pretty big open question: if SESTA was supposedly necessary to take down Backpage -- and yet now both of the key reasons many of us noted that Backpage probably wasn't protected have been not just proven true, but resulted in Backpage being seized -- why do we still need SESTA?

We'll be back with more later when the details are out, but for the SESTA supporters out there, let's hear your answers.

Filed Under: cda 230, doj, fosta, intermediary liability, seizure, sesta, sex trafficking
Companies: backpage

DOJ Asks Supreme Court To Dump Microsoft Case, Let It Use New CLOUD Act To Demand Overseas Data

from the sighs-and-eyerolling-from-DOJ-counsel dept

As expected, the DOJ has asked the Supreme Court to toss the Microsoft case. The appeal sitting before the court deals with collecting data overseas using US-issued warrants, rather than mutual assistance treaties. As the DOJ argues in its motion to vacate [PDF], the passage of the CLOUD Act -- stapled to the tail end of 2,200-page budget bill -- makes this argument moot. For all intents and purposes, the new law (which apparently still has no effective date) grants the government the power to demand production of data stored overseas by US companies using a regular magistrate's warrant.

The motion goes further than just asking the Supreme Court to drop the case. It also takes some time to complain about Microsoft inconveniencing the DOJ by forcing it to acquire another warrant for the same info under the newly-granted authority. The DOJ, despite its apparent compliance with Microsoft's request, spends a few paragraphs explaining why it shouldn't need to do the thing it already did.

The application of the CLOUD Act to the original Section 2703 warrant at issue in this case would not be retroactive. Microsoft’s production of the requested information has not been “completed,” Landgraf, 511 U.S. at 270, as it remains possible for Microsoft to comply fully with the government’s demand for disclosure. The Section 2703 warrant remained valid after the CLOUD Act, and no real consequences have attached to Microsoft’s failure to comply with the warrant up to this point.

[...]

Nevertheless, Microsoft has refused to acknowledge either that the CLOUD Act applies to the Section 2703 warrant at issue in this case or that Microsoft plans to disclose the required information under the original warrant.

Microsoft's objection hinges on unresolved contempt charges stemming from the case it successfully appealed twice. According to Microsoft, its compliance with the old warrant might trigger retroactive charges, which would be problematic for it. The DOJ points out no sanctions were ever threatened by the district court, which only entered contempt charges to allow the decision to be appealed.

Nonetheless, an exasperated DOJ has complied with Microsoft's demand that a new warrant issued under the CLOUD Act be provided.

Accordingly, on March 30, 2018, the government applied for a new warrant covering the relevant information requested in the Section 2703 warrant at issue in this case. A magistrate judge issued the warrant that same day. Under the new warrant, which will replace the original warrant and which the CLOUD Act indisputably governs, Microsoft must produce any covered information within its “possession, custody, or control.” CLOUD Act § 103(a). Microsoft no longer has any basis for suggesting that such a warrant is impermissibly extraterritorial because it reaches foreign-stored data, which was the sole contention in its motion to quash.

And it returns to the subject again to remind the court how much of a pain in the ass Microsoft is being about all of this.

The government does not believe that seeking a new warrant was necessary in order to compel Microsoft to act: In light of the CLOUD Act, Microsoft should have simply complied with the existing warrant, to which it can have no valid legal objection...

The last loose end the government seeks to have tied up is the appeals court decision, which the DOJ claims could cause future jurisdictional issues for warrants issued by that circuit. It also lets the Supreme Court know it thinks the lower decision should also be vacated because it's just so (subjectively) wrong.

Leaving the court of appeals’ decision in place as circuit precedent could therefore generate uncertainty in future extraterritoriality, Fourth Amendment, or subpoena cases arising in the Second Circuit. Given the serious flaws in the court’s reasoning, this case implicates the traditional need for vacatur to “clear[] the path for future relitigation of the issues” and to “eliminate[] a judgment, review of which was prevented through happenstance.”

The DOJ gets the win it wanted, but won't have circuit precedent to rely on. Instead, it got a whole new law to use to force US companies to turn over data stored outside of the US. It will now be able to meddle in international affairs and open the door for similar meddling by other countries not quite as respectful of civil liberties as we are.

Filed Under: 4th amendment, cloud act, data, doj, due process, overseas data, privacy, subpoenas, supreme court, surveillance, warrants
Companies: microsoft

US Might Start A Nuclear War... Because Iranians Wanted Access To Academic Papers Locked Behind A Paywall?

from the seems-a-little-harsh dept

You probably saw one of the many stories about the US government charging nine Iranians with "conducting massive cyber theft campaign on behalf of the Islamic Revolutionary Guard Corps", as the Department of Justice put it in its press release on the move:

"These nine Iranian nationals allegedly stole more than 31 terabytes of documents and data from more than 140 American universities, 30 American companies, five American government agencies, and also more than 176 universities in 21 foreign countries," said Deputy Attorney General Rosenstein. "For many of these intrusions, the defendants acted at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard Corps. The Department of Justice will aggressively investigate and prosecute hostile actors who attempt to profit from America's ideas by infiltrating our computer systems and stealing intellectual property. This case is important because it will disrupt the defendants' hacking operations and deter similar crimes."

That certainly sounds pretty serious, not least because some believe the US government may use this is a pretext for military action against Iran, possibly involving nuclear strikes. But what exactly did those Iranians allegedly steal?

The members of the conspiracy used stolen account credentials to obtain unauthorized access to victim professor accounts, which they used to steal research, and other academic data and documents, including, among other things, academic journals, theses, dissertations, and electronic books.

That is, they "stole" things like "academic journals, theses, dissertations, and electronic books" -- you know, the stuff that professors routinely publish as part of their work. The stuff that they desperately want as many people to read as possible, since that's how ideas spread, and academic credit is assigned. So rather than some "massive cyber theft" on behalf of the Islamic Revolutionary Guard Corps, is this not actually a bunch of people making copies of academic materials they and others want to read? We already know that Iranians have a particular hunger for academic knowledge of exactly this kind. An article published in Science in 2016 analyzed who was downloading unauthorized copies of scientific papers from Sci-Hub. Here's one striking result:

Of the 24,000 city locations to which [Sci-Hub downloaders] cluster, the busiest is Tehran, with 1.27 million requests. Much of that is from Iranians using programs to automatically download huge swaths of Sci-Hub's papers to make a local mirror of the site, [Sci-Hub's founder] Elbakyan says. Rahimi, the engineering student in Tehran, confirms this. "There are several Persian sites similar to Sci-Hub," he says. "So you should consider Iranian illegal [paper] downloads to be five to six times higher" than what Sci-Hub alone reveals.

Given that concentration of downloads from Sci-Hub in Iran, it's almost surprising the accused needed to break into US universities at all. The Department of Justice press release says that this activity has been going on since 2013, so maybe Iranians hadn't turned to Sci-Hub at that point. And perhaps there was other information they were seeking that was not available on Sci-Hub. A surprisingly precise figure of 31 terabytes in total is mentioned: how, exactly, was that calculated? After all, making copies of documents does not remove them, and people who break into systems tend not to leave notes about what they have "exfiltrated". It's hard to escape the feeling that 31 terabytes is simply the total amount of data they could have copied with all the credentials they obtained, and is used in the press release to make the incident sound bigger than it really is in order to justify any subsequent bellicose actions.

Of course, however much of whatever material was downloaded, breaking into other people's systems and accounts using stolen credentials is never justified. It's likely that the 8,000 compromised email accounts exposed a great deal of highly-sensitive personal information, which would arguably be a much more serious matter than the fact that journals, theses, dissertations, and electronic books were downloaded.

Still, this story doesn't really seem to be about 1337 Iranian government haxxors trying to undermine the US university system with a "massive cyber theft", as the over-the-top press release rather implies. It's more a bunch of unscrupulous individuals using fairly simple phishing techniques to get their hands on otherwise unavailable academic material, apparently to sell to others, at least according to the Department of Justice. It also suggests that if more of this academic work were freely available under open access licenses for everyone's benefit, rather than locked up behind paywalls, there would be less of an incentive for people to engage in this kind of illegal behavior. To say nothing of less risk of a nuclear war.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: cyber theft, cybersecurity, doj, hacking, iran, islamic revolutionary guard, open access

DOJ Back To Pushing For Legislation Targeting Encryption

from the CLIPPER-CHIP-2K18 dept

The New York Times is reporting that the War on Encryption continues, with a renewed push for legislation the Justice Department couldn't talk Obama into.

Federal law enforcement officials are renewing a push for a legal mandate that tech companies build tools into smartphones and other devices that would allow access to encrypted data in criminal investigations.

F.B.I. and Justice Department officials have been quietly meeting with security researchers who have been working on approaches to provide such “extraordinary access” to encrypted devices, according to people familiar with the talks.

[...]

Against that backdrop, law enforcement officials have revived talks inside the executive branch over whether to ask Congress to enact legislation mandating the access mechanisms.

FBI Director Chris Wray still has yet to hand over his list of agreeable security experts to Sen. Ron Wyden. Wray continues to assert there's a way to solve the "going dark" problem that won't involve make device encryption less secure, but every suggestion he offers involves making device encryption less secure. There are a few techies looking for solutions, and that small group may be who Wray believes can talk legislators into prepping a mandated access bill.

A National Academy of Sciences committee completed an 18-month study of the encryption debate, publishing a report last month. While it largely described challenges to solving the problem, one section cited presentations by several technologists who are developing potential approaches.

They included Ray Ozzie, a former chief software architect at Microsoft; Stefan Savage, a computer science professor at the University of California, San Diego; and Ernie Brickell, a former chief security officer at Intel.

The solutions presented by this group are more of the same: key escrow, weakened encryption, or technological assistance mandates. None of these work out particularly well for customers, as each options provides additional attack vectors for criminals, not just law enforcement. So, even if Wray hopes to rely on more sympathetic tech experts, he's still going to run into the same facts: you cannot provide access to law enforcement without increasing the chance of access by criminals and state-sponsored hackers.

It appears the DOJ isn't interested in letting the perfect be the enemy of the good. And why should it? It won't be affected by mandated access and/or weakened encryption. Those affected most will be members of the general public, and they simply don't matter when the FBI's agitating for destroying the encryption the public relies on to keep their devices and communications secure.

[O]ne Justice Department official familiar with the deliberations contended that it might not be necessary to come up with a foolproof system, arguing that a solution that would work for ordinary, less-savvy criminals was still worth pursuing.

Take a long look at that statement. This is the DOJ saying it's willing to sacrifice the security of millions of Americans to make sure it can round up the nation's least intelligent criminals. This isn't a balance anyone outside of the FBI's inner circle will be happy with. Wray and others routinely claim encryption is preventing them from solving serious crimes and hunting down dangerous criminals, but when all is said and done, it will apparently be satisfied locking up the most inept suspects.

Filed Under: backdoors, doj, encryption, fbi, going dark, legislation, responsible encryption

DOJ Readying Warrants In Carter Page Investigation For Public Release

from the giving-the-Republicans-what-they-may-not-want dept

For the first time since the FISA court opened for national security business, the DOJ is considering declassifying FISA warrant applications. The documents are linked to the FBI's surveillance of former Trump campaign aide, Carter Page. Both sides of the political aisle have asked for these documents, which is something you'd think they'd have wanted to see before issuing their takes on perceived surveillance improprieties.

Devin Nunes -- following the release of his memo -- sent a letter to the FISA court asking it to clear the warrants for public release. The court's reply, penned by Judge Rosemary Collyer, pointed out two things. First, the FISA court had never released these documents publicly, nor was it in the best position to do so. It is only tasked with determining whether or not surveillance is warranted and to what restrictions it must adhere. It does not have the innate power to declassify documents, nor can it arbitrarily decide what documents have gathered enough public interest to outweigh the government's perpetual demands for secrecy.

The court did point out this release could be achieved much faster if Nunes directed his question to the DOJ, which does have the power to declassify its own investigation documents. It doesn't appear Devin Nunes has approached the DOJ but litigants in an FOIA lawsuit have, and they're looking at possibly obtaining the documents Devin Nunes requested from the FISA court.

The government is considering an unprecedented disclosure of parts of a controversial secret surveillance order that justified the monitoring of former Trump campaign aide Carter Page.

Responding to a legal challenge brought by USA TODAY and the James Madison Project, Justice Department lawyers Friday cast the ongoing review as “novel, complex and time-consuming.”

“The government has never, in any litigation civil or criminal, processed FISA (Foreign Intelligence Surveillance Act) applications for release to the public,” Justice lawyers wrote in a five-page filing.

The filing [PDF] notes that the President's unilateral decision (over the DOJ's objection) of releasing the Nunes memo has forced it to reverse some of its Glomar declarations in ongoing FOIA lawsuits, since it's impossible to maintain a stance of non-confirmation and non-denial when the White House is handing out confirmation left and right.

The DOJ has asked for four months to review the documents before returning to the court with its final answer on public release. There will probably be further delays from this point, as the DOJ will need the FISA court to officially unseal documents before it can turn these over to the litigants. It notes the plaintiffs are not happy with this timetable, but points to the presumed complexity of a task it has never undertaken previously as the reason it needs 120 days before the litigation can move forward.

This administration continues to break new grounds in inadvertent transparency. However, the release of these documents may further undermine the Nunes Memo narrative, so legislators and White House officials hellbent on using the FISA court to score political points should be careful what they wish for.

Filed Under: carter page, devin nunes, doj, fbi, fisa court, fisc, warrants

The Future The FBI Wants: Secure Phones For Criminals, Broken Encryption For Everyone Else

from the safety's-just-another-word-for-nothing-left-to-lose dept

The old truism is in play again with the FBI's renewed CryptoWar: if X is outlawed, only criminals will have X. In this case, it's secure encryption. The FBI may not be trying to get encryption banned, but it does want it weakened. No backdoors, claims FBI director Chris Wray, just holes for the government to use at its pleasure. So, if the FBI gets it way, the only truly secure encryption will be in the hands of criminals… exactly the sort of people the FBI claims it needs weakened encryption to catch.

For years, a slew of shadowy companies have sold so-called encrypted phones, custom BlackBerry or Android devices that sometimes have the camera and microphone removed and only send secure messages through private networks. Several of those firms allegedly cater primarily for criminal organizations.

Now, the FBI has arrested the owner of one of the most established companies, Phantom Secure, as part of a complex law enforcement operation, according to court records and sources familiar with the matter.

Phantom makes phones solely for criminals, unlike Apple or Android manufacturers, who only have a certain percentage of criminals in their userbases. All of these companies may provide the protection of encryption, but only one actively targets a criminal market. Encryption protects everyone, not just criminals, but that fact is usually paved over with subtle-as-10-tons-of-asphalt comments from the FBI director while portraying the FBI as the nation's white knight and cell phone manufacturers as profit-driven sociopaths.

These companies marketing directly to criminals do more to protect data and communications than vanilla smartphones. Remote wipe capability is built in. Often, cameras and microphones are removed, along with GPS software/hardware. It's more security than most people need, but then again, most people aren't cartel members.

The thing is, the FBI director doesn't care if you're law-abiding. He wants your encryption options limited and weakened so the contents can be accessed. This makes your smartphone more susceptible to being accessed by criminals, rather than just G-men. And these criminals accessing your phone will probably have phones the FBI can't even access, even with backdoors or key escrow or easily-cracked encryption. Chris Wray claims this is all about public safety, but he's willing to make the public less safe to gain the access he wants.

While I understand the concern of the inability to access evidence, the fact remains no solution involving compromised encryption will make the public safer. And while I understand the concern, the concern itself is overstated and accompanied by smoke-and-mirrors presentations. The FBI points to stacks of locked phones, but says nothing about the many tools at its disposal: phone-cracking companies, judges, contempt charges, good old fashioned consent requests, or whether all cases involving these phones remain at a standstill. The FBI does not argue in good faith, and the access it wants can only be had by sacrificing the security and safety of law-abiding citizens.

Filed Under: doj, encryption, fbi, going dark, security