The Encryption Debate Should End Right Now – BRIAN BARRETT 06.30.17 07:00 AM


Amin Yusifov/Getty Images

When law enforcement argues it needs a “backdoor” into encryption services, the counterargument has typically been that it would be impossible to limit such access to one person or organization. If you leave a key under the doormat, a seminal 2015 paper argues, a burglar eventually finds it. And now recent events suggest an even simpler rebuttal: Why entrust a key to someone who gets robbed frequently?

This aptly describe US intelligence services of late. In March, WikiLeaks released nearly 9,000 documents exposing the CIA’s hacking arsenal. More so-called Vault 7 secrets trickled out as recently as this week. And then there’s the mysterious group or individual known as the Shadow Brokers, which began sharing purported NSA secrets last fall. April 14 marked its biggest drop yet, a suite of hacking tools that target Windows PCs and servers to devastating effect.

The fallout from the Shadow Brokers has proven more concrete than that of Vault 7; one of its leaked exploits, EternalBlue, facilitated last month’s WannaCry ransomware meltdown. A few weeks later, EternalBlue and two other pilfered NSA tools helped advance the spread of Petya, a ransomware outbreak that looks more and more like an act of cyberwar against Ukraine.

Petya would have caused damage absent EternalBlue, and the Vault 7 dump hasn’t yet resulted in a high-profile hack. But that all of this has fallen into public hands shifts the nature of the encryption debate from hypothetical concern that someone could reverse-engineer a backdoor, to acute awareness that someone could just steal it. In fact, it should end any debate all together.

“The government asking for backdoor access to our assets is ridiculous,” says Jake Williams, founder of Rendition Infosec, “if they can’t first secure their own classified hacking tools.”

If you think about the encryption debate at all, it’s likely in the context of the 2016 showdown between the FBI and Apple. The former wanted access to San Bernardino shooter Syed Rizwan Farook’s locked iPhone; the latter argued that writing special code to break its own security measures would set a dangerous precedent.

That case ended in something like a draw. The FBI paid an outside company to break into the iPhone, quitting the court case before either side got a definitive ruling.

Article continues:

This App Wants to Be Your Encrypted, Self-Destructing Slack – Andy Greenberg 12.06.16


Security News This Week: Google Ups the Ante on Web Encryption – LILY HAY NEWMAN AND ANDY GREENBERG 09.11.16. 7:48 PM


As the presidential campaign charges ahead, the saga of Hillary Clinton’s use of a private email server continues. Fresh criticism emerged this week that Clinton must have been hiding terrible things because one of her aides smashed two of her personal Blackberrys with a hammer. But from a data security perspective, that’s not a bad thing; in fact some experts say the discarded devices should have been destroyed more thoroughly. Meanwhile, House Oversight Committee leader Elijah Cummings released a 2009 email sent by former Secretary of State Colin Powell to Clinton in which he describes in detail all the ways he himself skirted State Department technology requirements.

This week we grappled with the question of why Baltimore has become a bastion of surveillance tech. Over in the private sector, the Google-owned tech incubator Jigsaw is developing a program to try to identify ISIS recruits and deter them from joining the organization. And an op-ed contributor says it’s time to acknowledge that whoever wins the presidency will need to set new policy for autonomous weapons systems and their scope of use in warfare when the old Department of Defense Directive expires in 2017.

But wait, there’s more: Each Saturday we round up the news stories that we didn’t break or cover in depth but still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.

Article continues:

New Tricks Make ISIS, Once Easily Tracked, a Sophisticated Opponent – By SAM SCHECHNER and BENOIT FAUCON Sept. 11, 2016 12:58 p.m. ET


A mix of encrypted chat apps, face-to-face meetings, written notes and misdirection leaves few electronic clues for Western intelligence agencies

Rescue workers ferry a wounded woman from the Bataclan concert hall after the Paris attacks last November.

Rescue workers ferry a wounded woman from the Bataclan concert hall after the Paris attacks last November. Photo: Thibault Camus/Associated Press

Weeks before Islamic State militant Abdelhamid Abaaoud led the Nov. 13 terror attacks in Paris, French authorities thought he was holed up in northern Syria. Western Intelligence agencies pursuing Abaaoud had tracked him there using cell-phone location data and other electronic footprints.

The Paris attacks, which killed 130 people, showed how badly they were fooled. Abaaoud had slipped past the dragnet and entered the city unnoticed.

Drawing from a growing bag of tricks, Islamic State accomplices located in Syria likely used phones and WhatsApp accounts belonging to Abaaoud and other attackers to mask the group’s travel to Europe, said a Western security official: “We relied too much on technology. And we lost track.”

Terror attacks in Europe, which have killed more than 200 people in the past 20 months, reflect new operational discipline and technical savvy by the Islamic State terrorists who carried them out, security officials said.

Ways ISIS Keeps its Secrets: Misdirection

The strategy of giving cellphones identified with an individual to accomplices who act as decoys, hiding a terrorist’s true location.

Christopher Kaeser/The Wall Street Journal

The extremist group’s communications, once commonly conducted on phones and social media accounts easily tracked by authorities, have evolved into a mix of encrypted chat-app messages over WhatsApp and Telegram, face-to-face meetings, written notes, stretches of silence and misdirection.

These techniques helped protect attackers from Western intelligence agencies by leaving few electronic clues in a sea of intercepted data.

Article continues:

Encryption: FBI building fresh case for access to electronic devices – Wednesday 31 August 2016 00.03 EDT


James Comey, the agency’s director, says it is gathering information in preparation for ‘adult conversation’ on balancing privacy with need to fight crime

The FBI sparked a dispute with Apple by calling for backdoor access to the iPhone of the San Bernardino shooter.

The FBI sparked a dispute with Apple by calling for backdoor access to the iPhone of the San Bernardino shooter. | Photograph: UPI / Barcroft Media

Widespread encryption built into smartphones was “making more and more of the room that we are charged to investigate dark”, Comey said at a cybersecurity symposium.

The FBI sought a court order to force Apple to help it hack into an iPhone used by one of the San Bernardino, California shooters, a demand Apple said would dramatically weaken security of its products.

The FBI ultimately got into the phone with the help of a third party, concluding the court case but leaving unresolved the underpinning legal questions.

Comey made clear on Tuesday that he expected dialogue to continue.

“The conversation we’ve been trying to have about this has dipped below public consciousness now, and that’s fine,” Comey said at a symposium organised by Symantec, a technology company. “Because what we want to do is collect information this year so that next year we can have an adult conversation in this country.”

Article continues:

Security News This Week: Facebook’s Most Adorable Bug Bounty Yet – BRIAN BARRETT 05.07.16. 7:00 AM


GETTY IMAGES

This week in security, Craig Wright finally proved beyond any doubt that he is, in fact, elusive Bitcoin creator Satoshi Nakamoto. Just kidding! Fun joke. In fact, Wright tried to prove it, got yelled at, said he’d really double extra prove it, then opted for seclusion instead. Case… not closed.

Elsewhere, we rounded up a the key politicians who are shaping the encryption debate, and the laws that stem from it. Let’s hope they have better ideas there than federal courts did with Rule 41, which among other things dramatically broadens law enforcement’s powers to hack computers outside of their jurisdiction.

Otherwise, we weren’t all that surprised to learn that major smart home vulnerabilities exist; in this case, Samsung “smart” devices let hackers unlock doors remotely, which is… not good. But we were pleasantly surprised at some of the excellent password tips experts shared with us for World Password Day.

And there was more: Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there.

Article continues:

US authorities drop another iPhone fight after being given passcode – Danny Yadron in San Francisco Saturday 23 April 2016 00.30 EDT


 Until 2013, it was commonplace for Apple to help the government extract data from locked iPhones. Photograph: Mike Segar/Reuters

Until 2013, it was commonplace for Apple to help the government extract data from locked iPhones. Photograph: Mike Segar/Reuters

The US government dropped a court case that could have forced Apple to unlock one of its iPhones, the second time it has done so in as many months.

The US Justice Department on Friday night told a federal judge in New York that someone had given investigators the passcode to an iPhone linked to a local drug investigation.

The reversal comes after the government abandoned a high-profile case to force Apple to help it hack into a phone used by San Bernardino gunman Syed Farook. In that instance, the Federal Bureau of Investigation announced less than 24 hours before its court date that it no longer needed Apple’s help because it had purchased a hacking tool to break into the phone.

Taken together, the legal maneuverings illustrate the challenge Washington faces as it pressures the technology industry to build wire-tap-friendly products. Authorities seek to show that they are missing out on key evidence because of strong encryption and new privacy features.

But as the two cases demonstrate, there are a lot of ways to gather information.

Article continues:

Apple Asks Judge To Reject Justice Department Order in New York Case – By DEVLIN BARRETT Updated April 15, 2016 6:00 p.m. ET


The court filing casts doubt on FBI claims and is the latest salvo over encryption

An Apple logo is seen at the Apple store. Apple Inc. filed court papers Friday asking a judge to turn down an effort by the Justice Department to force the company to help unlock an iPhone in a New York drug case.

An Apple logo is seen at the Apple store. Apple Inc. filed court papers Friday asking a judge to turn down an effort by the Justice Department to force the company to help unlock an iPhone in a New York drug case. Photo: Michaela Rehle/Reuters — By Devlin Barrett Updated April 15, 2016 6:00 p.m. ET

Apple Inc. on Friday asked a federal judge to reject the Justice Department’s effort to make it help unlock an iPhone tied to a New York drug case—the latest legal volley in a continuing battle over encryption and privacy.

For months, the world’s largest technology firm has been locked in a high-stakes battle with the Justice Department over whether the government can continue to force Apple employees to help investigators open locked iPhones.

That disagreement escalated sharply in February when the Federal Bureau of Investigation took Apple to court, seeking an order to force it to help open the locked work phone of Syed Rizwan Farook, who along with his wife killed 14 people and injured 22 others in San Bernardino, Calif., last year.

The government dropped that case last month after a third party showed them a new method of cracking open the phone. The FBI has said the technique only works on a narrow slice of iPhones and can’t be used on many others, including the one currently at issue in New York.

In that case, federal prosecutors in Brooklyn are seeking a court order compelling Apple to help them extract data from an iPhone taken from a drug suspect who has since pleaded guilty. Magistrate Judge James Orenstein ruled in February that the government didn’t have legal authority to compel Apple to help agents extract data from phones. The government is asking a higher judge to review that finding, which is why Apple filed its response to prosecutors on Friday.

Article continues:

FBI Opens San Bernardino Shooter’s iPhone; U.S. Drops Demand on Apple – By DEVLIN BARRETT and DAISUKE WAKABAYASHI Updated March 28, 2016 10:20 p.m. ET


Move delays a high-stakes showdown between Washington, Silicon Valley

The Justice Department had sought Apple’s help to gain access to a phone used by one of the shooters in the San Bernardino, Calif., terror attack.

The Justice Department had sought Apple’s help to gain access to a phone used by one of the shooters in the San Bernardino, Calif., terror attack. –PHOTO: MARK LENNIHAN/ASSOCIATED PRESS

WASHINGTON—The government said Monday it had cracked a terrorist’s iPhone without Apple Inc. ’s help and is seeking to drop its legal case to force the tech giant to unlock the device.

The move was announced in court papers filed Monday in a dispute over a phone seized in the investigation of a Dec. 2 terror attack in San Bernardino, Calif. The filing signals a temporary reprieve from a high-stakes fight between Washington and Silicon Valley over privacy and security in the digital age. For now, the Federal Bureau of Investigation is focused on reviewing the information contained on the phone, which was unlocked with help from a third party the government has refused to identify.

The filing doesn’t indicate what method the FBI used to access the data on the phone, nor does it say what, if any, evidence related to the attack was found on it. A government official said the method to unlock the phone wasn’t developed by a government agency, but by a private entity. Officials declined to say whether the same method could be used to open other versions of the iPhone using other operating systems.

Article continues:

Apple Lambasts the FBI for Not Asking the NSA to Help Hack That iPhone – KIM ZETTER. 03.15.16. 8:40 PM


In the showdown between Apple and the Justice Department over an iPhone used by one of the San Bernardino shooting suspects, one question has loomed large. Why hasn’t the FBI sought assistance from the National Security Agency—which employs some of the nation’s top hackers—to crack into the iPhone? Apple has touched on that question lightly in other briefs filed in the case, but today it focused on it more extensively in its latest brief submitted to the court.

“The government does not deny that there may be other agencies in the government that could assist it in unlocking the phone and accessing its data; rather, it claims, without support, that it has no obligation to consult other agencies,” Apple wrote, noting that FBI Director James Comey danced around the question of NSA assistance when asked about it during a recent congressional hearing.

And if the FBI can’t on its own break into iPhones without NSA help, it should invest in developing that capability, Apple says, instead of seeking unconstitutional ways to force tech companies to assist it.

“Defining the scope of the All Writs Act as inversely proportional to the capabilities of the FBI removes any incentive for it to innovate and develop more robust forensic capabilities,” Apple wrote. The company quotes Susan Landau, a professor of cybersecurity policy at Worcester Polytechnic Institute, who has said that “[r]ather than asking industry to weaken protections, law enforcement must instead develop a capability for conducting sophisticated investigations themselves.”

Article continues: