Ok…something other than political stupidity in the news today…but there is just a slight political tie in.
You’ve probably seen news reports about the President blaming the FBI for lying about him…while that may or may not be true…there is truth behind a statement that the FBI lies when it behooves their interest.
To wit…today’s stupidity is about privacy…or the lack of privacy…in your electronic devices.
As you probably recall from the terrorist incident out in San Bernardino…the couple that killed their co-workers had a couple of iPhones which the FBI was unable to crack…their words…and they demanded that Apple provide them access to the phone contents.
Brief technical aside here…Apple does not have access to the data that is stored solely on an iPhone…by the design of their hardware and software that information is private to the device owner and is fully encrypted and protected against just trying random passwords until you guess the right one. They do have access to some data that was uploaded to the iPhone associated iCloud account. While it is likely technically possible that Apple could…if provided the physical phone that was seized by law enforcement…crack the encryption on the phone it would require developing a special version of the iOS software that the phone runs be developed to include the back door that would be used to gain access to the phone.
Now there’s been a long standing battle between Apple and phone makers on one hand and the government on the other hand about encryption…essentially the government has stated numerous times in court that critical evidence from iPhones was unavailable to the government and demands that Apple and other phone makers be forced by law to include a back door into their operating systems for “law enforcement use when authorized by a warrant”. Apple and other phone maker’s stance is that the 4th amendment protects you from unlawful search and seizure, that numerous court decisions have made it perfectly to plead the 5th and not divulge information that is in your head, that smart phones are an extension of the “information in your head” and are thereby constitutionally protected against disclosure without your consent. Apple has further stated that a back door to law enforcement essentially provides an open security hole for law enforcement usage…but that that security vulnerability would be quickly figured out by hackers and utilized for nefarious deeds. Indeed…much like the pro/con gun debate…if Apple were to develop a way to open phones but require that they be submitted to Apple and only the resulting information gained be provided back to law enforcement…well that would be good enough for the first case but the FBI would quickly demand that the FBI be able to extract the information themselves, and then the state police and then the NYC police and eventually constable Billy-Bob down at the county sheriff office would have the ability…and it would quickly find it’s way into criminal hands.
The trouble is…Apple is 100% correct…a vulnerability for law enforcement is a vulnerability accessible to everyone…you can either have encryption or you can not have encryption but much like pregnancy there isn’t any such thing as a little bit.
So anyway…FBI lies. Back during the San Bernardino incident…the FBI stated in court several times that it was “impossible”…again, their words from their legal filings…to access the iPhones of the terrorists unless Apple was forced to create the back door the FBI wanted. Unfortunately…this statement is a lie…and it was a lie when the FBI made it.
All computers hardware and software have vulnerabilities…that’s just a fact of life. While we would like them to be perfect…it jus’ ain’t so. At the same time that the FBI was making their “impossible” claim in court…they were negotiating with an Israeli security company to open the phone for them…and sometime after the FBI lost their court case they paid something close to $1 million bucks to said security company to crack the phone for them.
Fast forward to this week. You may remember back in December 19 a Saudi pilot who was training at Pensacola Naval Air Station went on a terrorist rampage shooting people on the base and was killed. On investigation…the FBI recovered several iPhones belonging to the shooter…and again issued a subpoena to Apple who provided every bit of information that Apple had…but as in the San Bernardino case they declined to put a back door into the iPhone software to allow access. On the day the iPhones were recovered…they were identified and the FBI already knew of methods to get into them…and likely had already purchased the GrayKey device used to crack them. Nonetheless…the FBI again…and again with the support of the US Attorney General…demanded that Apple be forced via legislation to provide a back door “for legitimate law enforcement use”. Again…another straw man…the FBI and DoJ knew that Apple had provided the information they had and that the FBI could crack the phone without Apple’s help…but in the “never let a good crisis go to waste” mentality most politicians have they will try and try again to get encryption essentially banned.
So this week…the FBI announced that they had definitively linked the shooter in Pensacola with muslim terrorist organizations…and again stated that Apple provided “no help”…again their words even though Apple provided all the information in Apple’s possession and offered technical help but would not built the back door the FBI was demanding despite the FBI’s ownership of one of the GrayKey devices.
What actually protects the iPhone encryption is that by design it prevents anyone not knowing the password from just trying passwords until they guess right…it does this by lengthening the time between attempts for each failed password and irrevocably wiping the encryption key after 10 failed attempts…and without the encryption key you’re just not going to crack the encryption as the key is long enough to make the brute force technique (the only one that will work if you don’t know the key) take thousands of centuries to find the correct password. All good criminals and terrorists know this…because Apple (and Google who writes the Android software used by essentially all other smart phones whose names don’t start with a lower case i)…tells folks they should set it that way. I don’t know if auto erasure is selected by default on installation but it should be in my opinion.
So…with this GrayKey device…it essentially bypasses the 10 bad attempts and it gets erased limitation in the software. I have no idea how it does this…the company that makes it is very secretive about their technology and they only sell to law enforcement agencies but these things have ways of making their way into unauthorized hands.
What the GrayKey doesn’t do is crack the phone…it simply allows the cops to keep trying passwords until they guess right. If one uses the default 4 digit number passcode…it apparently takes from December until May to try passwords and get into the phone…all of Neil’s devices have much longer passcodes and he’s tried but so far failed to convince Connie that she should make hers longer as well.
So…again this week the FBI lied when they stated that Apple had provided “no help”…they provided plenty of help but just didn’t provide the FBI a probably unconstitutional tool.
Think about your smart phone…it’s got your bank account data on it if you log into there passwords, maybe scantily clad pictures of your wife/significant other and all sorts of other stuff the government has no right to. If that stuff were in your head…they can’t force it out of you and Apple’s position (along with most other tech companies) is that your smart phone or device is an extension of your head and you’re entitled to privacy. In any event…even if you aren’t a criminal you have a right to your private information. Yeah…the government can get a subpoena for it…but they have to go through proper channels in order to do so…do we really believe that they would always go through those channels? Me…I think that they would do what they thought was right…and assuming a case where a terrorist had planted a bomb that would go off in 2 hours they would do whatever it took to get information to save lives and worry about the rightness or court admissibility of that information later. While in the bomb in 2 hours case I might be convinced that the good of the many outweighs the good of the few and agree with that assessment…where does one draw the line? We’ve got a strong feeling about the Constitution ‘round these parts…and I’m certainly not willing to substitute the wants or justification of a single law enforcement person over the thoughts of the founding fathers.
Apple and tech companies are rightly opposed to putting in these sorts of back doors…because they will get discovered by bad people just like the many other hardware and software vulnerabilities that inadvertently exist are discovered…there is entire industry out there of people who search for these vulnerabilities…some of whom do the right thing and responsibly notify Apple or whoever so they can get patched and others who sell them to the highest bidder for real money…for instance a zero day root vulnerability of iOS, Android, macOS, or Windows can fetch the discovered upwards of a million bucks from these people…who then turn around and sell them to law enforcement as well as criminals or countries who want to use them for their own purposes. A great example…you probably heard about the Stuxnet virus that was used to disable the centrifuges the Iranians were using to enrich their uranium to weapons grade stuff back in the 2017-2018 time frame. That virus was almost assuredly written by some 3 letter named agency or a contractor who they paid to write it…and was introduced into the centrifuges through a previously unknown vulnerability and the centrifuges quit working…I suspect they simply had their speed increased until they destroyed themselves but have no real idea exactly what the outcome was.
In summary…in both of the high profile cases the FBI and DoJ tried to use the “terrorist” threat to weaken encryption…and they’re still trying today…they would be very happy if Congress were to essentially outlaw encryption by requiring the vendors to put in a government mandated back door. And in the long run…that simply won’t work because the bad guys will find ways around it. The simplest thing for them to do…and likely what any halfway professional terrorist would do if this back door was mandated…would just be to use offline encryption and then only put the encrypted stuff into the phone. Sure…it would make their communications a little more difficult…but encryption is just math and trying to outlaw it would be like passing a law to prevent the sun from coming up in the east…jus’ ain’t gonna work.
So mebbe the President ain’t all wrong when he says the FBI doesn’t always tell the truth…
On to interesting stuff found on the net.
This is getting serious.
The power of the human brain.