Apple Finally Shuts Down Security Flaw Used By Phone-Cracking Vendor

from the indiscriminate-protection dept

In a move that will anger law enforcement (but really isn't about law enforcement), Apple has succeeded in killing an exploit that allowed a third-party vendor to crack iPhones for investigators. A few months ago, Apple announced it was fixing the flaw that allowed products like GrayKey to bypass built-in security features to engage in brute force password guessing. Thomas Brewster of Forbes confirms the fix is finally in.

Multiple sources familiar with the GrayKey tech tell Forbes the device can no longer break the passcodes of any iPhone running iOS 12 or above. On those devices, GrayKey can only do what’s called a “partial extraction,” sources from the forensic community said. That means police using the tool can only draw out unencrypted files and some metadata, such as file sizes and folder structures.

Some in law enforcement may view this as confirmation of their "going dark" complaints and claim that Apple cares more about its customers than it does about fighting crime. As if that was bad thing. Apple should care more about what its customers want and need than government access to locked devices. A security hole is a hole that can be used by everyone who can exploit it. There's no way to prevent a flaw from being exploited by criminals even if law enforcement agencies find the exploit super-useful.

Grayshift's products are still somewhat useful, but it's going to be hard to justify a premium price for a stunted service. This new development might be Grayshift's fault. Soon after Apple announced one fix for an exploit used by Grayshift, the company bragged it could still crack phones just as easily. This appears to have prompted closer examination of the problem Apple thought it fixed with the first round of patching. The second pass has blunted the exploit's usefulness, even if it hasn't made it completely impossible to access some data contained in locked devices.

Even with the fix in play, law enforcement complaints about "darkness" are overblown. There are other technical solutions available, along with a wealth on information stored by third parties and cloud services. The more technical solutions won't scale, but that's not really something law enforcement should complain about. Security protections for phone owners shouldn't be viewed as weapons deployed against law enforcement. Phone manufacturers have an obligation to their customers to protect their personal data, and encryption is just one of the tools deployed to keep customers' information out of the hands of others. That some of the "others" are cops and investigators is just a side effect of providing solid products and service.

This won't make government critics of Apple any happier, though. And its closing of security holes is just going to lead to more demands for anti-encryption laws. Very few legislators seem interested in mandating backdoors, so these complaints aren't gaining any traction. But government agencies like the FBI have endless time and infinite resources, so the calls for backdoors will never completely cease -- not as long as there's a chance a major tragedy might prompt reckless Congressional action.

Apple's protection of its users is great, but its sincerity should be questioned when it's willing to put Chinese users' data where the Chinese government can easily access it. If it wants to be a champion for its customers, it needs to protect all of them, not just the ones it's currently convenient to protect. When you've got to explain why you're "locking out" US law enforcement but letting a foreign government walk in the front door, you're doing customer service wrong.

Filed Under: backdoors, cracks, encryption, graykey, iphone, law enforcement
Companies: apple, grayshift

Broad Alliance Calls For Australian Government To Listen To Experts' Warnings About Flaws In New Compelled Access Legislation

from the nah,-we're-ramming-it-through-anyway dept

The battle against encryption is being waged around the world by numerous governments, no matter how often experts explain, often quite slowly, that it's a really bad idea. As Techdirt reported back in August, Australia is mounting its own attack against privacy and security in the form of a compelled access law. The pushback there has just taken an interesting turn with the formation of a Alliance for a Safe and Secure Internet:

The Alliance is campaigning for the Government to slow down, stop ignoring the concerns of technology experts, and listen to its citizens when they raise legitimate concerns. For a piece of legislation that could have such far ranging impacts, a proper and transparent dialogue is needed, and care taken to ensure it does not have the unintended consequence of making all Australians less safe.

The Alliance for a Safe and Secure Internet represents an unusually wide range of interests. It includes Amnesty International and the well-known local group Digital Rights Watch, the Communications Alliance, the main industry body for Australian telecoms, and DIGI, which counts Facebook, Google, Twitter and Yahoo among its members. One disturbing development since we last wrote about the proposed law is the following:

The draft Bill was made public in mid-August and, following a three week consultation process, a large number of submissions from concerned citizens and organisation were received by the Department of Home Affairs. Only a week after the consultation closed the Bill was rushed into Parliament with only very minor amendments, meaning that almost all the expert recommendations for changes to the Bill were ignored by Government.

…

The Bill has now been referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), where again processes have been truncated, setting the stage for it to be passed into law within months.

That's a clear indication that the Australian government intends to ram this law through the legislative process as quickly as possible, and that it has little intention of taking any notice of what the experts say on the matter -- yet again.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: australia, backdoors, compelled access, encryption, security

French Cop Arrested For Selling Sensitive Law Enforcement Info On The Dark Web

from the all-the-best-jobs-are-the-inside-ones dept

The problem with giving law enforcement access to so many databases full of personal info and so many tech tools to fight crime is that, inevitably, these will be abused. This isn't a law enforcement problem, per se. It's a people problem. When the job demands the best people but still needs to maintain minimum staffing levels, things like this happen:

A French police officer has been charged and arrested last week for selling confidential data on the dark web in exchange for Bitcoin.

[...]

French authorities also say the officer advertised a service to track the location of mobile devices based on a supplied phone number. He advertised the system as a way to track spouses or members of competing criminal gangs. Investigators believe Haurus was using the French police resources designed with the intention to track criminals for this service.

He also advertised a service that told buyers if they were tracked by French police and what information officers had on them.

The discovery of the officer's misconduct came to light after French police shut down a dark web market. That there was a cop selling cop stuff to criminals on the dark web is inevitable. If it wasn't this investigation, any of the dozens of others happening around the world would have uncovered a law enforcement officer doing bad things. Two of the federal agents involved in the Silk Road investigation ended up being charged with money laundering and wire fraud after they stole Bitcoin and issued fake subpoenas to further their own criminal ends.

Again, it's a people problem -- one that's present anywhere people are given power and access not present in most jobs. The problem is government agencies, in particular, tend not to hold their own employees accountable and work hard to thwart their oversight. The more brazen examples of government malfeasance are enabled by the dozens of smaller infractions that go unpunished until they're the subject of a lawsuit or government investigation.

More to the point, this is exactly why no government agency -- not to mention the private companies involved -- should be allowed to utilize encryption backdoors, as the EFF's Director of Cybersecurity, Eva Galperin, pointed out on Twitter. It's not just about the hundreds of malicious hackers who will see an inviting, new attack vector. It's that no one -- public or private sector -- can be completely trusted to never expose or misuse these avenues of access. And since that's a fact of life, sometimes the best solution is to remove the temptation.

Filed Under: backdoors, dark web, encryption, france, police, police database

DOJ Loses Another Attempt To Obtain Encryption-Breaking Precedent In Federal Court

from the senior-DOJ-counsel-sitting-in-darkened-office-with-'Behind-Blue-Eyes'-on dept

The DOJ is now 0-for-2 in encryption-breaking cases. The DOJ tried to get a judge to turn an All Writs Order into a blank check for broken encryption in the San Bernardino shooting case. Apple pushed back. Hard. So hard the FBI finally turned to an outside vendor to crack the shooter's iPhone -- a vendor the FBI likely knew all along could provide this assistance. But the DOJ wanted the precedent more than it wanted the evidence it thought it would find on the phone. It bet it all on the Writ and lost.

Other opportunities have arisen, though. A case involving wiretapping MS-13 gang members resulted in the government seeking more compelled decryption, this time from Facebook. The FBI could intercept text messages sent through Messenger but was unable to eavesdrop on calls made through the application. Facebook claimed it didn't matter what the government wanted. It could not wiretap these calls for the government without significantly redesigning the program. The government thought making Messenger less secure for everyone was an acceptable solution, as long as it gave investigators access to calls involving suspected gang members.

The case has proceeded under seal, for the most part, so it's been difficult to determine exactly what solution the government was demanding, but it appears removal of encryption was the preferred solution, which would provide it with future wiretap access if needed. If this request was granted, the government could take its paperwork to other encrypted messaging programs to force them to weaken or destroy protections they offered to users.

The ruling in this case is still under seal, but Joseph Menn and Dan Levine of Reuters were able to obtain comments from insiders familiar with the case to determine the outcome.

U.S. investigators failed in a recent courtroom effort to force Facebook to wiretap voice calls over its Messenger app in a closely watched test case, according to two people briefed on the sealed ruling.

[...]

Arguments were heard in a sealed proceeding in a U.S. District Court in Fresno, California weeks before 16 suspected gang members were indicted there, but the judge ruled in Facebook’s favor, the sources said.

The DOJ was hoping to have Facebook held in contempt for failing to comply with the decryption order. It appears this isn't going to happen. The government may need to seek outside assistance to intercept Messenger calls. But that's a much more difficult prospect than breaking into an iPhone physically in the possession of the government and it would possibly involve vulnerabilities that might be patched out of existence by developers.

The government is presumably hunting down its next test case for encryption-breaking precedent. With the Supreme Court finding for the Fourth Amendment in two recent cellphone-related cases, the chance of obtaining favorable precedent continues to dwindle.

Filed Under: backdoors, doj, encryption, facebook messenger, fbi
Companies: facebook

ICE Leads The Nation In Encryption-Cracking Expenditures

from the [not-pictured:-the-Federal-Bureau-of-Sucking-At-Counting-Phones] dept

We don't hear much from anyone other than FBI officials about the "going dark" theory. The DOJ pitches in from time to time, but it's the FBI's baby. And it's an ugly baby. Earlier this year, the FBI admitted it couldn't count physical devices. The software it used to track uncrackable devices spat out inflated numbers, possibly tripling the number of phones the FBI claimed stood between it and justice. FBI officials like James Comey and Chris Wray said "7,800." The real number -- should it ever be delivered -- is expected to be less than 2,000.

The FBI also hasn't been honest about its efforts to crack these supposedly-uncrackable phones. Internal communications showed the agency slow-walked its search for a solution to the San Bernardino shooter's locked iPhone, hoping instead for a precedential federal court decision forcing device manufacturers to break encryption whenever presented with a warrant.

The FBI appears to have ignored multiple vendors offering solutions for its overstated "going dark" problem. At this point, it's public knowledge that at least two vendors have the ability to crack any iPhone. Israel's Cellebrite -- the company presumed to have broken into the San Bernardino phone for the FBI -- is one of them. The other is GrayShift, which sells a device called GrayKey, which allows law enforcement to bypass built-in protections to engage in brute force password cracking.

We don't know how often the FBI avails itself of these services. A pile of locked phones numbering in the thousands (but which thousands?!) suggests it is allowing the serviceable (vendor services) to be the enemy of the perfect (favorable court rulings and/or legislation).

Other federal agencies aren't waiting around for the next horrifying terrorist attack to nudge Congress towards mandating encryption backdoors. They're spending tax dollars now to take advantage of vulnerabilities that may be patched out of existence in the near future, if they haven't been addressed already. Thomas Brewster of Forbes has spent some time sifting through government records to see who's buying and how much they're spending. The FBI isn't on the list. The DEA is. But the Daddy Warbucks of federal law enforcement agencies is none other than the one voted Most In Need Of Immediate Abolishment.

According to government contract records on FPDS.gov, ICE acquired the services of GrayShift earlier this month. And it’s spent more than any other government department on GrayShift tech, with a single order of $384,000. Other branches of the Trump government, from the Drug Enforcement Administration to the Food and Drug Administration, have splashed between $15,000 and $30,000 on different models of the GrayKey, which requires physical access to an Apple device before it can break through the passcode.

ICE wants everything on the menu. In addition to spending big on cellphone-cracking devices, the agency has also thrown money at forensic tools from Cellebrite, social media tracking software, "intercept software" from a Nebraska-based vendor, and "computer support equipment" from foreign companies (one of them Russian) known for their ability to extract data from encrypted messaging services.

It would seem the agency involved in investigating the widest variety of crimes would be joining ICE in its encryption-breaking spending spree. But there's no trace of FBI expenditures to be found in these records. It may be the FBI has exempted itself from reporting this information under the theory that naming dollar amounts and/or vendors would allow wily criminals to escape its grasp. If so, it seems unlikely this refusal has a legal basis. The DEA and ICE have both allowed these records to be published and both agencies routinely engage in investigations that theoretically could be compromised by making spending data public. (The key is "theoretically." In reality, it's unlikely publishing contract data has any noticeable effect on criminal behavior.)

Moving past the FBI, there's reason to be concerned ICE is making purchases like these. Given its main concern is the speedy removal of undocumented immigrants, this tech seems to be more of a "want" than a "need." Most of the cases ICE deals with don't need to involve cracked phones and forensic searches. But because it has the tools on hand, it will make sure it gets our money's worth.

Filed Under: backdoors, encryption, ice, phones

Five Eyes Surveillance Agencies Say Encryption Is Good, Except When It Keeps Them From Looking At Stuff

from the shorter-Five-Eyes:-we-like-encryption-that-doesn't-work dept

The Five Eyes nations -- UK, US, Australia, Canada, and New Zealand -- still think there's a way to create encryption backdoors (that they studiously avoid calling backdoors) that will let the good people in and the bad people out.

The backlash against government calls for backdoors has made these demands a bit more subdued in most Five Eyes countries. The UK government really doesn't seem to care and uses every terrorist attack as another reason to prevent law-abiding citizens from using secure encryption for their communications. Others members have taken a more measured approach, talking around the subject while legislative inroads continue unabated.

In the US, the periodic "going dark" discussions have taken on a (no pun intended) darkly comical tone as FBI and DOJ officials continue to claim harder nerding with solve the "problem" it has misrepresented for years.

The countries may be taking different approaches to undermining encryption, but they're all still looking to do this in the future if they can just find a way to sell it to the public without the actual nerds speaking up and ruining all their plans. The Register notes the Five Eyes surveillance partnership has delivered another ultimatum (that it won't call an ultimatum) about encrypted communications following a meeting in Australia. But it is taking care to couch its wants and desires in pretty words about the safety and security of the general public.

In an official communiqué on the confab, they claim that their inability to lawfully access encrypted content risks undermining democratic justice systems – and issue a veiled warning to industry.

The group is careful to avoid previous criticisms about their desire for backdoors and so-called magic thinking – saying that they have "no interest or intention to weaken encryption mechanisms" – and emphasise the importance of privacy laws.

But the thrust of a separate framework for their plans, the Statement of Principles on Access to Evidence and Encryption, will do little to persuade anyone that the agencies have changed their opinions.

"Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute," the document stated.

And there it is. The only thing Five Eyes considers "absolute" is its supposed "right" to access contents of devices and communications. First, the confab talks about "mutual" cooperation, as though the tech industry is being unnecessarily resistant to undermining protections it provides to users. Five Eyes may not have the strength of conviction to actually demand encryption backdoors, but the wording here indicates what it wants is pretty much just a backdoor.

Providers of information and communications technology and services - carriers, device manufacturers or over-the-top service providers -– are subject to the law, which can include requirements to assist authorities to lawfully access data, including the content of communications. Safe and secure communities benefit citizens and the companies that operate within them.

This means key escrow or having encryption removed during transit so service providers can access contents of communications. Nothing about either plan makes users safer or less accessible to malicious parties not associated with the Five Eyes partnership.

The next section's headline makes it clear who's going to be answering to who:

Rule of law and due process are paramount

In other words, if you've got a warrant, I guess you're gonna come in I'll let you in. This appeal to authority says providers must subject themselves to pestering governments, even if it means harming their entire userbase just so the government can go after a few users. The nod to due process really means nothing, what with indefinite gag orders accompanying demands for communications and data, and an ongoing refusal by government agencies to discuss surveillance means and methods in open court. As long as parallel construction is still a thing, due process will never be given the respect it deserves.

So, Five Eyes may be trying to make it sound like the countries agree encryption is a valuable protection for its collective citizens, but what it really wants is the protection to be weakened to the point law enforcement -- and anyone else not governed by the rule of law -- can access it at will. No one's saying "backdoor," but they're all thinking it very loudly.

Filed Under: backdoors, encryption, five eyes, surveillance

Australian Gov't Floats New Batch Of Compelled Access Legislation With An Eye On Encryption

from the hello-darkness-my-old-friend dept

The Australian government is looking to revamp its compelled access laws to fight encryption and other assorted technological advances apparently only capable of being used for evil. It's getting pretty damn dark Down Under, according to the Department of Home Affairs' announcement of the pending legislation.

Encryption conceals the content of communications and data held on devices, as well as the identity of users. Secure, encrypted communications are increasingly being used by terrorist groups and organised criminals to avoid detection and disruption. The problem is widespread, for example:

• Encryption impacts at least nine out of every ten of ASIO’s priority cases.

• Over 90 per cent of data being lawfully intercepted by the AFP now use some form of encryption.

• Effectively all communications among terrorists and organised crime groups are expected to be encrypted by 2020.

An example of harmful encryption is provided for readers at home, so they can weigh their own security and privacy against an anecdote about a registered sex offender who may or may not have escaped prosecution (the outcome of the case isn't provided) by using encrypted messaging apps. And it includes an inadvertently helpful lesson about the stupidity of targeting encryption with legislation, even if the DHA likely doesn't realize it.

The suspect was arrested and his mobile phone was seized but despite legislative requirements he refused to provide his passcode.

There's the limitation of lawmaking. Lawbreakers break laws and they're not going to stop just because you've told them not to with a government mandate. Legislation [PDF] like this does little more than make life more difficult for service providers and device makers while undermining the privacy and security of millions of law-abiding citizens.

The explanation sheet [PDF] notes the government is not seeking to mandate encryption backdoors. That being said, it would like providers of encrypted services/devices to leave the door cracked open so the government can step inside whenever it feels the need to look around.

The type of assistance that may be requested or required under the above powers include (amongst other things):

• Removing a form of electronic protection applied by the provider, if the provider has an existing capability to remove this protection.

• Providing technical information like the design specifications of a device or the characteristics of a service.

• Installing, maintaining, testing or using software or equipment given to a provider by an agency.

• Formatting information obtained under a warrant.

• Facilitating access to devices or services.

• Helping agencies test or develop their own systems and capabilities.

• Notifying agencies of major changes to their systems, productions or services that are relevant to the effective execution of a warrant or authorisation.

• Modifying or substituting a target service.

• Concealing the fact that agencies have undertaken a covert operation.

The law can't retroactively force companies to produce crackable devices and messaging systems. But the first bullet point could see the Australian government demanding they do so in the future if they want to provide goods and services to the Australian public. Fortunately, the bill includes a clause making future demands along these lines impossible for the time being.

The Bill expressly prohibits technical assistance notices or technical capability notices from requiring a provider to build or implement a systemic weakness or systemic vulnerability into a form of electronic protection. This includes systemic weaknesses that would render methods of authentication or encryption less effective. The Australian Government has no interest in undermining systems that protect the fundamental security of communications. The new powers will have no effect to the extent that requirements would reasonably make electronic services, devices or software vulnerable to interference by malicious actors. Importantly, a technical capability notice cannot require a provider to build a capability to remove electronic protection and puts beyond doubt that these notices cannot require the construction of decryption capabilities.

Without further discussion by the legislature, it's tough to tell whether creating an escrow system would be considered a "system weakness" or make "encryption less effective." I mean, it obviously is and does, but does the DHA see it that way? And will this clause survive the final markup? Compelling decryption using "existing" methods seems especially useless if most services and devices cannot currently be decrypted by providers. The government is better off seeking outside help from contractors who do nothing else but find ways to crack or bypass encryption, rather than dropping language into the law that suggests backdoors the government won't call "backdoors" will be mandated in the future.

It also gives the government a considerable expansion of power, allowing it to peruse private companies' design specs and a heads up if any redesigns are in the works. It also forces companies to be compliant partners in government surveillance by mandating their assistance in man-in-the-middle attacks ("modifying or substituting a target service") and ordering them to withhold information from affected customers.

There is a public comment period, which is a nice touch. There also appears to be some respect for the good encryption does, rather than simply viewing it as an escape route for criminals and terrorists. But there's also a good deal of power expansion tied to rickety wording that suggests backdoors might be mandated if the government can talk itself into viewing proposals as something other than backdoors. And there's no guarantee this vague promise will make the final cut.

Filed Under: australia, backdoors, encryption, going dark, law enforcement, surveillance

Bill Says US Tech Companies Must Let The Feds Know When Foreign Companies Poke Around In Their Source Code

from the I-went-to-the-Trade-War-and-all-I-got-was-this-lousy-reporting-requirement dept

American tech companies don't want to give up their cut of a $20 billion Russian software/hardware market, so they've been allowing purchasers to examine devices and vet source code before shelling out for new products. This isn't exactly ideal for American companies, but Russia is as concerned as anyone else products might be shipping with adversaries' backdoors pre-installed. American companies don't necessarily like having entities linked to Russia's government vetting source code, but the market is too big to be ignored.

Russia has every right to suspect government backdoors may be unlisted features. Checking products and source code before purchase just makes sense, what with leaked documents showing the NSA intercepts foreign-bound hardware to install backdoors and other leaks exposing a fair bit of the agency's exploit collection. But now that Russia appears to have engaged in cyberwarfare efforts during the 2016 election, legislators are demanding US companies let the US government know who's been poking around in their products.

The U.S. Congress is sending President Donald Trump legislation that would force technology companies to disclose if they allowed countries like China and Russia to examine the inner workings of software sold to the U.S. military.

To help ease its passage, the law isn't being allowed to stand up by itself. It's attached to a Pentagon spending bill, which has helped it avoid any scrutiny or heated arguments. Not that a bill like this wouldn't be popular at this time. It doesn't forbid companies sell to Russia and China. It only asks the government be informed if these purchasers do anything than grab boxed product off the shelves. China and Russia likely aren't going to be happy with this new development. If these customers in these lucrative markets decide they're no longer interested in buying American because their vetting will be made public, American companies may only have America to sell to.

What makes it an even harder pill to swallow is the reporting requirements, which could result in tech companies' secrets being publicly outed.

The legislation also creates a database, searchable by other government agencies, of which software was examined by foreign states that the Pentagon considers a cyber security risk.

It makes the database available to public records requests, an unusual step for a system likely to include proprietary company secrets.

The Business Software Alliance notes that the law is pretty much a ban, even if there's no ban on sales. The reporting requirements won't affect sales to American purchasers, just certain foreign countries. The path of least resistance would be pulling out of foreign markets targeted by this bill.

And, of course, there's a chance retaliatory legislation will be enacted in other countries in response. Some equivalent process may already be in place in countries where governments have more of a hand in every business transaction (not just the import/export business). But where nothing similar is in place, it may well be soon. This could result in US companies informing foreign governments about the US government's demands for source code and device access. The US government already does this -- repeatedly -- with court orders obtained from federal courts, including the NSA's home turf, the FISA court.

This may also force the US government to do a bit more due diligence before buying foreign goods. Incredibly, the US military does not currently engage in pre-vetting when purchasing from from foreign companies, meaning it could be importing artisanal backdoors created by, or for, foreign governments.

What this looks like is a bit more wintry air blowing across international relations, bringing us closer to a full-blown cyber Cold War. Markets are going to become increasingly siloed as world powers demand other governments open up their cloaks and present their daggers for inspection. Meanwhile, the world's exploit/malware dealers will continue to rake in the cash, cutting both governments and tech companies out of the loop.

Filed Under: backdoors, breaches, china, cybersecurity, russia, security, source code, transparency

FBI Boss Chris Wray: We Put A Man On The Moon So Why Not Encryption Backdoors?

from the yeah-ok-then dept

Despite the FBI finally admitting it had greatly exaggerated the number of encrypted devices it can't get into, FBI Director Chris Wray keeps pushing the "going dark" theory to whoever will listen. This time it was NBC's Lester Holt. In an interview during the Aspen Security Forum, Wray again hinted he was moving towards an anti-encryption legislative mandate if some sort of (impossible) "compromise" couldn't be reached with tech companies. (Transcription via Eric Geller.)

I think there should be [room for compromise]. I don't want to characterize private conversations we're having with people in the industry. We're not there yet for sure. And if we can't get there, there may be other remedies, like legislation, that would have to come to bear.

The "compromise" Wray wants is simple: if law enforcement has a warrant, it gets access. The solution isn't. To weaken or backdoor encryption to serve law enforcement's needs makes everyone -- not just criminal suspects -- less safe. If a hole can be used by good guys, it can be used by bad guys. And even the best guys can't prevent their tech tools from making their way into the public domain. Just ask the NSA and CIA. In the case of the NSA, leaked exploits resulted in worldwide ransomware attacks.

Wray pitches an impossibility by portraying it as a lack of effort by the tech industry. The tech industry -- the one with all the "brightest minds" -- have been consistent in their stance. A hole for one is a hole for all. There's no such thing as securely-compromised encryption. Wray's response has also been consistent: they're just not thinking hard enough. The only "compromise" pitched by members of the tech sector is basically re-skinned key escrow -- the thing that went out of fashion with the death of the Clipper Chip.

Wray's pitch now includes an appeal to the modern wonders of the world, as if these examples change the equation at all:

We're a country that has unbelievable innovation. We put a man on the moon. We have the power of flight. We have autonomous vehicles… [T]he idea that we can't solve this problem as a society -- I just don't buy it.

First off, bringing the space program into this is ridiculous. All it does is demonstrate the government has access to some of the best minds, but Wray expects the private sector to provide, maintain, and bear the expense of a law enforcement-friendly encryption "solution." (And if it fails to deliver, Wray's more than willing to ask the government to force the private sector to play ball.)

Second, putting a man on the moon was the side effect of a Cold War cock-measuring contest with the USSR. While the nation has derived many benefits over the years from the space program, the "man on the moon" mission was a way of expressing superiority and implying that our weaponry was similarly advanced. The US government showed the world how powerful it was. I don't think that's the analogy you want to make when discussing personal device encryption.

And third, the whole "putting a man on the moon" analogy was solidly mocked on John Oliver's program two years ago when he quoted cryptography expert Matt Blaze accurately saying, "When I hear 'if we can put a man on the moon, we can do this' I'm hearing an analogy almost saying "if we can put a man on the moon, surely we can put a man on the sun.'" Not every issue is the equivalent of putting a man on the moon.

While the others listed are private sector achievements, they're simply not good comparisons. Encryption methods continue to advance in complexity and ease-of-use. This is innovation, even if it's innovation Chris Wray doesn't like. Each of the innovations listed solved problems and created markets. In this case the problem is device security. Encryption solves it. Who wants secure devices? Everyone who buys one.

The rise of smartphones has seen users replace their houses with handheld devices as the primary storage for a life's-worth of documents, along with access to a great deal of financial and personal info. Device makers want to ensure a stolen phone doesn't mean a stolen life. Wray (and others) don't want to do anything more than obtain warrants to scrape the digital innards of devices they seize. In other words, when the FBI encounters a locked safe in someone's house, Wray would believe it's the manufacturer's fault for the safe failing to unlock immediately in the presence of a search warrant.

Still, Wray believes society as a whole would be better off with weaker encryption because sometimes terrorists and criminals use encryption.

Because to the extent that the bad guys have shifted more and more to living their whole lives through encrypted devices and encrypted messaging platforms, that if we don't find a way to access that information with lawful process, we're in a bad place as a country.

Default encryption has been around for a few years now and there's no evidence we're less safe as a nation. Very few prosecutions have been dead-ended because investigators couldn't get into a phone. The problem is presented as swiftly-growing and inevitable, but there's been nothing delivered as evidence of these claims. The FBI has continually pointed to its growing pile of locked devices as Exhibit A in the War on Encryption, but has never presented anything at all to give these claims of diminishing public safety any credence. All we know for sure at this point is the FBI can't count. It used a wrong number (~7,800) to push the narrative and still expects us to believe it after it admitted this count was nearly four times higher than the actual number of devices in its possession.

Wray needs to stop complaining about the tech sector until his own agency can demonstrate its ability to approach the issue with facts, verified numbers, and intellectual honesty.

Filed Under: backdoors, chris wray, encryption, fbi, going dark, man on the moon

Obtained Documents Show The DEA Sold Compromised Phones To Suspected Drug Dealers

from the Blackberry-once-again-at-the-center-of-government-subterfuge dept

Human Rights Watch -- which delivered info on law enforcement's "parallel construction" habit earlier this year -- is back with a bombshell. Court documents obtained by the group show the DEA sold compromised devices to drug dealers during an investigation into a Mexico-to-Canada trafficking operation.

Human Rights Watch has identified two forms of this technique that the Drug Enforcement Administration (DEA) has used or, evidence suggests, has contemplated using. One involved the undercover sale of BlackBerry devices whose individual encryption keys the DEA possessed, enabling the agency to decode messages sent and received by suspects. The second, as described in a previously unreported internal email belonging to the surveillance software company Hacking Team, may have entailed installing monitoring software on a significant number of phones before attempting to put them into suspects’ hands.

The DEA broke ranks (at least publicly) with Italy's exploit/malware vendor Hacking Team after it was (ironically) hacked and its internal communications fed to Wikileaks. That the DEA would purchase exploits and hacking tools wasn't surprising. Neither was the fact that these tools had never been discussed in a courtroom setting. (See above re: parallel construction.) What was more disappointing than surprising was that a US government entity would choose to do business with a company caught selling hacking tools to UN-blacklisted countries.

The big news here is the compromised phones. The DEA held encryption keys for phones sold to drug dealers in order to intercept communications like texts and email. The affidavit [PDF] obtained by Human Rights Watch raises cart/horse questions about the legality of the interceptions. While wiretap warrants were obtained (and quite easily -- these were routed through Southern California's particularly DEA-friendly courtrooms), the narrative in the sworn statements doesn't state clearly whether these warrants were obtained before the interceptions began. In fact, one statement made in the affidavit seems to indicate the interceptions from the compromised phones were used to buttress claims in warrant requests. From the affidavit:

[O]n April 10, 2011, [suspect John] Krokos in Mexico contacted SA Burkdoll and asked for another EBD [encrypted Blackberry device]. The next day, on April 11, 2011, SA Burkdoll, in an undercover capacity, provided [suspect Ismael] Tomatani with a new EBD for $1,000 in the parking lot of a Home Depot store in West Hills, California. Two days later, Tomatani began communicating with [suspect Eduardo] Olivares over the EBD. A variety of relatively plain drug communications were intercepted over Tomatani's EBD as he communicated with Olivares on the new EBD.

[...]

I am aware that, on May 16, 2011, signed an order for the wiretap interception of both the EBD and cellular telephone being used by Olivares.

The wiretap order to intercept communications came nearly a month after the interception began. And that warrant targeted only the communications originating from Olivares' devices. Nothing in the affidavit narrative says anything about obtaining wiretap warrants for the EBDs supplied to Tomatani and Krokos.

There's also nothing in the paperwork suggesting the plan to sell suspects compromised devices was ever run past a judge. Considering the sole purpose of these devices was to facilitate the interception of communications, you'd think judicial approval would have been sought to ensure the collected evidence would survive a suppression motion. (There's also discussion of the DEA repeatedly using "slap on" GPS tracking devices to track suspects' movement without seeking warrants first. Of course, some of this happened before the Supreme Court (sort of) ruled law enforcement should seek warrants before placing tracking devices on vehicles, but the practice appears to have continued past the 2012 ruling.)

Another, longer affidavit [PDF] from SA Burkdoll (the agent that sold the drug dealers the compromised phones) suggests the agency had been seeking wiretap warrants for a number of devices and landlines since 2010, which would be prior to the sale described in the other affidavit.

Even if the wiretap warrants preceeded the interceptions, the delivery of compromised phones to criminal suspects is still a questionable tactic. For one, nothing suggests this plan had been run by anyone outside of the DEA to vet the tactic for legality or constitutionality.

Second, this isn't the sort of thing you want investigative agencies to do regularly. There are all sort of side effects and the omnipresent mission creep problem to be considered.

The US government’s policies for secretly distributing devices it has compromised by obtaining encryption keys or installing surveillance tools largely remain unknown. Documents the Federal Bureau of Investigation (FBI) disclosed in 2011 mention seeking a warrant explicitly for a “two-step” process of installing a spying mechanism on a US computer and then carrying out surveillance, but it is unclear whether the DEA has adopted similar standard procedures for the measures it has used or considered.

Under international human rights law, all surveillance methods that interfere with privacy should be authorized by clear, publicly available laws; be subject to approval by a court or other independent body for specific purposes such as protecting public safety or national security; and be proportionate to those aims. Undermining the security of devices to conduct surveillance could have long-term repercussions for privacy, including for people other than the original intended surveillance targets, making it all the more important for the Justice Department to disclose its policies regarding these tactics.

This isn't to say the government should never engage in these tactics. Sometimes it's necessary. But subterfuge involving compromised devices and muddy wiretap warrant timelines isn't the way to do it.The agency has shown it's more than willing to launder its tainted evidence -- both to hide its true origin from defendants and to hide its methods from the rest of the world. The agency's past actions indicate respect for people's rights (along with their personal property/lives) is pretty low on its list of priorities. So, if further revelations show a lack of candor -- either in court or to its oversight -- it won't surprise anyone.

Filed Under: backdoors, dea, drug dealers, encryption, phones
Companies: hacking team