Archive | IT security

UK: The Lauri Love case

It is a general principle in democracies under the rule of law that a person suspected of a crime should not be forced to incriminate himself. And the European Convention of Human Rights clearly stipulates the presumption of innocence.

Having that in mind, the Lauri Love case in the UK is troublesome.

Love is being accused of hacking U.S. government computer systems a few years back. He is now fighting extradition to the U.S. — and the British authorities when it comes to the contents of his computers.

The Intercept:

Following Love’s arrest in 2013, the National Crime Agency, or NCA, seized computers and hard drives in his possession. He was then served with an order under Section 49 of the U.K.’s controversial Regulation of Investigatory Powers Act, which demanded that he hand over his passwords to open encrypted files stored on the devices.

Years have passed since then — and when Love decided to sue to have his computers and hard drives back, authorities renewed their efforts to access them under Section 49. There will be a court hearing April 12.

“I don’t have any alternative but to refuse to comply,” he told The Intercept. “The NCA are trying to establish a precedent so that an executive body — i.e., the police — can take away your computers and if they are unable to comprehend certain portions of data held on them, then you lose the right to retain them. It’s a presumption of guilt for random data.” (…)

(So I guess you better not have any files with white noise on your hard drive.)

This is not just about Mr. Love. The case could set a dangerous precedent.

Naomi Colvin, a campaigner for transparency advocacy group the Courage Foundation, told The Intercept that she believed the case could have “huge implications for journalists, activists, and others who need to guard confidential information” — potentially setting a precedent that could make it easier in the future for British police and security agencies to gain access to, or to seize and retain, encrypted material.

In the end, it all boils down to one simple question: Should the government have the right to force you to decrypt encrypted information?

Apart from Ms. Colvin’s arguments (above), we must consider what would happen if governments are allowed to force you to incriminate yourself. It would shatter the presumption of innocence. It could throw court cases into deadlock over evidence that does not exist or cannot be accessed. It would give the prosecution an unfair advantage — especially over innocent individuals, who could be detained until they give up and “confess”.

Equally important, in my mind, is that your personal information is closely connected to your person. It is of less importance if this information is stored in your mind or on an encrypted hard drive. The information you possess is a part of who you are and your life. As long as people are regarded as self-owning individuals (and not the property of the government) everyone should have the right to respect for their own person. (And for private and family life, home, and correspondence.)

But I’m not too hopeful. The Intercept:

Court documents show that the agency requested — and a judge approved — that witness statements and skeleton arguments should not be disclosed “to the press, the public, or any third party save with the leave of the court until after the final hearing, and then only in relation to such matters as are referred to in open court or as permitted or directed by the court.”

/ HAX

Read the full story in The Intercept: British authorities demand encryption keys in case with “huge implications” »


Apple vs. the FBI — who won?

From the Associated Press Washington desk:

The FBI said Monday it successfully used a mysterious technique without Apple Inc.’s help to hack into the iPhone used by a gunman in a mass shooting in California, effectively ending a pitched court battle between the Obama administration and one of the world’s leading technology companies.

The government asked a federal judge to vacate a disputed order forcing Apple to help the FBI break into the iPhone, saying it was no longer necessary. The court filing in U.S. District Court for the Central District of California provided no details about how the FBI did it or who showed it how.

Justice Department cracks iPhone; withdraws legal action »

But is this really a mystery? I wrote about this some three weeks ago. That was when the ACLU demonstrated that breaking locked iPhones is almost common knowledge in the tech community:

One of the FBI’s Major Claims in the iPhone Case Is Fraudulent »

Nevertheless, many questions remain unanswered. And the FBI is not about to open up. Ars Technica:

Apple likely can’t force FBI to disclose how it got data from seized iPhone »

Here, it is important to understand what this really has been all about:

[The FBI] is not as interested in solving the problem as they are in getting a legal precedent, [Richard] Clarke said. “Every expert I know believes the NSA could crack this phone. They want the precedent that government could compel a device manufacturer to let the government in.”

The Register: Former US anti-terror chief tears into FBI over iPhone unlocking case — They’d just send it to the NSA if they really wanted access, says Clarke »

Now, what about Apple? Has all of this bruised the iPhone’s reputation when it comes to security?

Well, it shouldn’t. As mentioned, there are already known ways to break into a locked iPhone.

But facts are not the same as public perception. The general notion is that this is something entirely new.

And, as a matter of fact, the authorities can open up a locked iPhone. Apple does have a very real public relations problem on its hands.

Inevitably, Apple will have to beef up the iPhone’s security shortly. That may, in turn, lead to new conflicts with the FBI & Co.

/ HAX


The real issue with the San Bernardino shooter’s iPhone

The trench war over the San Bernardino shooter’s iPhone continues. The FBI demands that Apple create a special OS to circumvent the “auto erase” function that, if activated, would make the phone’s contents unavailable after ten failed attempts to unlock it. And Apple is fighting the request.

However, it turns out that all of this might be unnecessary. There are other ways to access the content, as demonstrated by the ACLU.

It is unlikely that the FBI didn’t know about this possibility — it is a commonly used technique in the industry.

The ACLU’s Technology Fellow Daniel Kahn Gillmor explains…

“All the FBI needs to do to avoid any irreversible auto erase is simply to copy that flash memory (which includes the Effaceable Storage) before it tries 10 passcode attempts. It can then re-try indefinitely, because it can restore the NAND flash memory from its backup copy.”
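The design point behind that quote is general: a lockout counter only enforces a limit if it lives somewhere the party holding the device cannot copy and put back. The following toy model is an added example written for this post; it is not ACLU or Apple code and does not model real iPhone internals. Class names, the 10-attempt threshold, the passcode and the candidate list are all constructed for the demo, and real devices derive keys from the passcode rather than storing it. It contrasts a counter kept in the same rewritable region as the key material with a counter and key held in a separate element that a storage snapshot does not reach.

```python
"""Toy model: retry counter in copyable storage vs. in a non-rewindable element.

Added example, not code from the original post or from Apple/ACLU. Every value
below (passcode, key string, attempt limit) is constructed for illustration.
"""
from copy import deepcopy

MAX_ATTEMPTS = 10            # the "auto erase" threshold the post describes
KEY = "constructed-key-material"


class FlashOnlyDevice:
    """Counter, key material and passcode check all sit in one rewritable
    region (a stand-in for NAND + Effaceable Storage). Anything that can copy
    this region can also put it back."""

    def __init__(self, passcode: str):
        self.flash = {"attempts": 0, "key": KEY, "passcode": passcode}

    def wiped(self) -> bool:
        return self.flash["key"] is None

    def try_unlock(self, guess: str) -> bool:
        if self.wiped():
            return False
        if guess == self.flash["passcode"]:
            self.flash["attempts"] = 0
            return True
        self.flash["attempts"] += 1
        if self.flash["attempts"] >= MAX_ATTEMPTS:
            self.flash["key"] = None          # auto erase: key gone for good
        return False

    def snapshot(self) -> dict:
        return deepcopy(self.flash)           # copying the whole region

    def restore(self, snap: dict) -> None:
        self.flash = deepcopy(snap)           # ...and writing it back


class SecureElementDevice:
    """Same snapshot/restore surface, but counter and key live in a separate
    element (`_se`, hypothetical) that the copied region does not include."""

    def __init__(self, passcode: str):
        self.flash = {"user_data": "encrypted blobs"}
        self._se = {"attempts": 0, "key": KEY, "passcode": passcode}

    def wiped(self) -> bool:
        return self._se["key"] is None

    def try_unlock(self, guess: str) -> bool:
        if self.wiped():
            return False
        if guess == self._se["passcode"]:
            self._se["attempts"] = 0
            return True
        self._se["attempts"] += 1
        if self._se["attempts"] >= MAX_ATTEMPTS:
            self._se["key"] = None
        return False

    def snapshot(self) -> dict:
        return deepcopy(self.flash)           # only the flash region is copyable

    def restore(self, snap: dict) -> None:
        self.flash = deepcopy(snap)           # cannot touch the counter in _se


def candidate_codes():
    """Constructed candidate list: every four-digit code, in order."""
    return (f"{i:04d}" for i in range(10_000))


def simulate_straight(device, guesses):
    """Guess until unlocked or wiped. Returns (code or None, guesses made)."""
    tried = 0
    for g in guesses:
        if device.wiped():
            break
        tried += 1
        if device.try_unlock(g):
            return g, tried
    return None, tried


def simulate_rollback(device, guesses):
    """Same loop, but the storage region is copied once and written back after
    every failure, which is the pattern the quoted paragraph describes."""
    snap = device.snapshot()
    tried = 0
    for g in guesses:
        if device.wiped():
            break
        tried += 1
        if device.try_unlock(g):
            return g, tried
        device.restore(snap)
    return None, tried


if __name__ == "__main__":
    print("flash-only, no rollback :", simulate_straight(FlashOnlyDevice("4821"), candidate_codes()))
    print("flash-only, rollback    :", simulate_rollback(FlashOnlyDevice("4821"), candidate_codes()))
    print("secure element, rollback:", simulate_rollback(SecureElementDevice("4821"), candidate_codes()))
```

Without rollback the flash-only device wipes after ten failures, as designed. With rollback the same device never reaches the limit, because the counter is restored along with everything else. The device whose counter and key sit outside the copied region still wipes after ten failures, whatever is done to the flash. That is the property the quote is pointing at: the protection has to be anchored in state that the party holding the device cannot rewind.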

So, what is going on here?

“If this generally useful security feature is actually no threat to the FBI, why is it painting it in such a scary light that some commentators have even called it a “doomsday mechanism”? The FBI wants us to think that this case is about a single phone, used by a terrorist. But it’s a power grab: law enforcement has dozens of other cases where they would love to be able to compel software and hardware providers to build, provide, and vouch for deliberately weakened code. The FBI wants to weaken the ecosystem we all depend on for maintenance of our all-too-vulnerable devices. If they win, future software updates will present users with a troubling dilemma. When we’re asked to install a software update, we won’t know whether it was compelled by a government agency (foreign or domestic), or whether it truly represents the best engineering our chosen platform has to offer.”

Of course, it might just be about government incompetence. But nevertheless, the result would be the same: a judicial Trojan horse for weakening device security across the board.

Having seen what US government agencies have been up to — it is more likely than not that this is all about Big Brother deceptiveness.

• ACLU: One of the FBI’s Major Claims in the iPhone Case Is Fraudulent »
• Security Affairs: Snowden accuses the FBI of lying about his ability to unlock the iphone of the San Bernardino terrorist. “that’s horse sh*t.” he said. »

/ HAX


Time for activists and Silicon Valley to join forces against government

The infotech war has begun, for real.

First we had the fight over illegal file sharing, creating a divide between Big Entertainment, backed up by Big Government, and a large portion of the general public. (Young people in particular.) In parallel, we have had the fights between Big Telecom and activists campaigning for a free and open internet. And the struggle between Big Intelligence and civil rights / privacy advocates.

Then came Edward Snowden, providing actual proof of what our governments are up to. This created an even bigger splash, still causing ripples.

And with the San Bernardino iPhone backdoor/unlock case between the FBI and Apple, the tech sector will have to choose between loyalty to its customers and abiding by overreaching anti-terrorism and anti-privacy legislation. That ought to be easy enough. The money is with staying loyal to customers and their right to privacy. But it’s not. Not even Silicon Valley might be able to stand up against the state monopoly on violence.

The stakes are sky high. The San Bernardino case is not just about that single case or even just about privacy. It’s about secure encryption – imperative for safe communications, online banking, medical records, confidential information, trade secrets and public affairs. Apple cannot back down on this one.

This might be what finally will unite all sorts of activists and the Valley. I rather hope so. Alone, it’s very difficult to stand up against the government (and related special interests). But if the Internet generation, net activists, civil rights defenders and tech companies stand together — we might stand a chance.

Unjust laws will stay unjust if no one stands up and fights them. Civil rights will be eroded if no one stands up to defend them. There are no limits to what governments will try to justify under the pretext of security — which, by the way, is an illusion.

The government will always try to “balance fundamental rights and security”, time and time again until there are no fundamental rights left.

Now is the time for activists (who know how to actually change politics) to team up with Silicon Valley (where the money needed to make campaigning effective is).

We can win this one — and at the same time establish a red line that governments will have to recognize.

But it will be dirty. It’s all about power and control.

/ HAX

Related: Apple’s FBI battle is just the beginning of a reality check for the tech sector »


Crypto wars, the simple truth

“To put it bluntly: the call to provide law enforcement (or, anyone) exceptional access to communications and content poses a grave threat to the future of the Internet. It is simply not possible to give the good guys the access they want without letting the bad guys in. There’s nothing new or novel in this statement. Experts have been saying the same thing for 20 years. While the message is old, with the integration of Internet technologies into nearly all aspects of life, the stakes are higher than they’ve ever been.”

Meredith Whittaker and Ben Laurie: Wanting It Bad Enough Won’t Make It Work: Why Adding Backdoors and Weakening Encryption Threatens the Internet »


The real danger with state spy trojans

A state trojan is when a government authority places a secret, hidden spy program on your computer, smartphone, tablet or server. It can be used to monitor everything you do. No matter if you use encryption or safe messaging apps. What you see, the police and intelligence authorities will see. Every keystroke can be tracked, often in real time. All your files can be accessed. All your communications can be scrutinized.

And, in the words of the founder of state intelligence, Cardinal Richelieu… “If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.”

Many countries are already using state spy trojans for surveillance. And others are to follow suit. At the moment countries like Spain and Sweden are trying to rush legislation through.

State trojans are usually not used for mass surveillance. (But they can be.) At least not in most countries — where some sort of court order or other judicial process under the rule of law will apply before the trojan is launched. So, the main problem in most cases is not about people’s right to privacy in general. This is targeted surveillance. But of course, it can be misused and/or used too generously.

The real problem is that state (and other) spy trojans will make our computers and entire IT systems vulnerable. In turn, this can be used by criminals, by foreign governments and by others interested in you, your communications and your data.

And what will happen when governments are using the same sort of tools as criminals? In the words of Amelia Andersdotter and Christer Spörndly… “The logical, and very disturbing, consequence is that there will be no incitement to identify and stop security vulnerabilities.” There are no security glitches only accessible for the government. If you leave a door open, it is open for everyone.

And to build these spy trojans, governments will have to use some sort of known security vulnerabilities. Or even worse, they might buy spyware from external developers — who also have other customers…

State spy trojans are a nightmare. They will make us all less safe.

/ HAX
