The Encryption Debate Should End Right Now – BRIAN BARRETT 06.30.17 07:00 AM


Amin Yusifov/Getty Images

When law enforcement argues it needs a “backdoor” into encryption services, the counterargument has typically been that it would be impossible to limit such access to one person or organization. If you leave a key under the doormat, a seminal 2015 paper argues, a burglar eventually finds it. And now recent events suggest an even simpler rebuttal: Why entrust a key to someone who gets robbed frequently?

This aptly describe US intelligence services of late. In March, WikiLeaks released nearly 9,000 documents exposing the CIA’s hacking arsenal. More so-called Vault 7 secrets trickled out as recently as this week. And then there’s the mysterious group or individual known as the Shadow Brokers, which began sharing purported NSA secrets last fall. April 14 marked its biggest drop yet, a suite of hacking tools that target Windows PCs and servers to devastating effect.

The fallout from the Shadow Brokers has proven more concrete than that of Vault 7; one of its leaked exploits, EternalBlue, facilitated last month’s WannaCry ransomware meltdown. A few weeks later, EternalBlue and two other pilfered NSA tools helped advance the spread of Petya, a ransomware outbreak that looks more and more like an act of cyberwar against Ukraine.

Petya would have caused damage absent EternalBlue, and the Vault 7 dump hasn’t yet resulted in a high-profile hack. But that all of this has fallen into public hands shifts the nature of the encryption debate from hypothetical concern that someone could reverse-engineer a backdoor, to acute awareness that someone could just steal it. In fact, it should end any debate all together.

“The government asking for backdoor access to our assets is ridiculous,” says Jake Williams, founder of Rendition Infosec, “if they can’t first secure their own classified hacking tools.”

If you think about the encryption debate at all, it’s likely in the context of the 2016 showdown between the FBI and Apple. The former wanted access to San Bernardino shooter Syed Rizwan Farook’s locked iPhone; the latter argued that writing special code to break its own security measures would set a dangerous precedent.

That case ended in something like a draw. The FBI paid an outside company to break into the iPhone, quitting the court case before either side got a definitive ruling.

Article continues:

This App Wants to Be Your Encrypted, Self-Destructing Slack – Andy Greenberg 12.06.16


Security News This Week: Google Ups the Ante on Web Encryption – LILY HAY NEWMAN AND ANDY GREENBERG 09.11.16. 7:48 PM


As the presidential campaign charges ahead, the saga of Hillary Clinton’s use of a private email server continues. Fresh criticism emerged this week that Clinton must have been hiding terrible things because one of her aides smashed two of her personal Blackberrys with a hammer. But from a data security perspective, that’s not a bad thing; in fact some experts say the discarded devices should have been destroyed more thoroughly. Meanwhile, House Oversight Committee leader Elijah Cummings released a 2009 email sent by former Secretary of State Colin Powell to Clinton in which he describes in detail all the ways he himself skirted State Department technology requirements.

This week we grappled with the question of why Baltimore has become a bastion of surveillance tech. Over in the private sector, the Google-owned tech incubator Jigsaw is developing a program to try to identify ISIS recruits and deter them from joining the organization. And an op-ed contributor says it’s time to acknowledge that whoever wins the presidency will need to set new policy for autonomous weapons systems and their scope of use in warfare when the old Department of Defense Directive expires in 2017.

But wait, there’s more: Each Saturday we round up the news stories that we didn’t break or cover in depth but still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.

Article continues:

New Tricks Make ISIS, Once Easily Tracked, a Sophisticated Opponent – By SAM SCHECHNER and BENOIT FAUCON Sept. 11, 2016 12:58 p.m. ET


A mix of encrypted chat apps, face-to-face meetings, written notes and misdirection leaves few electronic clues for Western intelligence agencies

Rescue workers ferry a wounded woman from the Bataclan concert hall after the Paris attacks last November.

Rescue workers ferry a wounded woman from the Bataclan concert hall after the Paris attacks last November. Photo: Thibault Camus/Associated Press

Weeks before Islamic State militant Abdelhamid Abaaoud led the Nov. 13 terror attacks in Paris, French authorities thought he was holed up in northern Syria. Western Intelligence agencies pursuing Abaaoud had tracked him there using cell-phone location data and other electronic footprints.

The Paris attacks, which killed 130 people, showed how badly they were fooled. Abaaoud had slipped past the dragnet and entered the city unnoticed.

Drawing from a growing bag of tricks, Islamic State accomplices located in Syria likely used phones and WhatsApp accounts belonging to Abaaoud and other attackers to mask the group’s travel to Europe, said a Western security official: “We relied too much on technology. And we lost track.”

Terror attacks in Europe, which have killed more than 200 people in the past 20 months, reflect new operational discipline and technical savvy by the Islamic State terrorists who carried them out, security officials said.

Ways ISIS Keeps its Secrets: Misdirection

The strategy of giving cellphones identified with an individual to accomplices who act as decoys, hiding a terrorist’s true location.

Christopher Kaeser/The Wall Street Journal

The extremist group’s communications, once commonly conducted on phones and social media accounts easily tracked by authorities, have evolved into a mix of encrypted chat-app messages over WhatsApp and Telegram, face-to-face meetings, written notes, stretches of silence and misdirection.

These techniques helped protect attackers from Western intelligence agencies by leaving few electronic clues in a sea of intercepted data.

Article continues:

Encryption: FBI building fresh case for access to electronic devices – Wednesday 31 August 2016 00.03 EDT


James Comey, the agency’s director, says it is gathering information in preparation for ‘adult conversation’ on balancing privacy with need to fight crime

The FBI sparked a dispute with Apple by calling for backdoor access to the iPhone of the San Bernardino shooter.

The FBI sparked a dispute with Apple by calling for backdoor access to the iPhone of the San Bernardino shooter. | Photograph: UPI / Barcroft Media

Widespread encryption built into smartphones was “making more and more of the room that we are charged to investigate dark”, Comey said at a cybersecurity symposium.

The FBI sought a court order to force Apple to help it hack into an iPhone used by one of the San Bernardino, California shooters, a demand Apple said would dramatically weaken security of its products.

The FBI ultimately got into the phone with the help of a third party, concluding the court case but leaving unresolved the underpinning legal questions.

Comey made clear on Tuesday that he expected dialogue to continue.

“The conversation we’ve been trying to have about this has dipped below public consciousness now, and that’s fine,” Comey said at a symposium organised by Symantec, a technology company. “Because what we want to do is collect information this year so that next year we can have an adult conversation in this country.”

Article continues:

Security News This Week: Facebook’s Most Adorable Bug Bounty Yet – BRIAN BARRETT 05.07.16. 7:00 AM


GETTY IMAGES

This week in security, Craig Wright finally proved beyond any doubt that he is, in fact, elusive Bitcoin creator Satoshi Nakamoto. Just kidding! Fun joke. In fact, Wright tried to prove it, got yelled at, said he’d really double extra prove it, then opted for seclusion instead. Case… not closed.

Elsewhere, we rounded up a the key politicians who are shaping the encryption debate, and the laws that stem from it. Let’s hope they have better ideas there than federal courts did with Rule 41, which among other things dramatically broadens law enforcement’s powers to hack computers outside of their jurisdiction.

Otherwise, we weren’t all that surprised to learn that major smart home vulnerabilities exist; in this case, Samsung “smart” devices let hackers unlock doors remotely, which is… not good. But we were pleasantly surprised at some of the excellent password tips experts shared with us for World Password Day.

And there was more: Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there.

Article continues:

US authorities drop another iPhone fight after being given passcode – Danny Yadron in San Francisco Saturday 23 April 2016 00.30 EDT


 Until 2013, it was commonplace for Apple to help the government extract data from locked iPhones. Photograph: Mike Segar/Reuters

Until 2013, it was commonplace for Apple to help the government extract data from locked iPhones. Photograph: Mike Segar/Reuters

The US government dropped a court case that could have forced Apple to unlock one of its iPhones, the second time it has done so in as many months.

The US Justice Department on Friday night told a federal judge in New York that someone had given investigators the passcode to an iPhone linked to a local drug investigation.

The reversal comes after the government abandoned a high-profile case to force Apple to help it hack into a phone used by San Bernardino gunman Syed Farook. In that instance, the Federal Bureau of Investigation announced less than 24 hours before its court date that it no longer needed Apple’s help because it had purchased a hacking tool to break into the phone.

Taken together, the legal maneuverings illustrate the challenge Washington faces as it pressures the technology industry to build wire-tap-friendly products. Authorities seek to show that they are missing out on key evidence because of strong encryption and new privacy features.

But as the two cases demonstrate, there are a lot of ways to gather information.

Article continues: