The Privacy BlogPrivacy, Security, Cryptography, and Anonymity

TAG | fbi

IPhone with soldering iron

There is a lot of hand wringing about the announcement that the FBI, with outside help, has been able to break into Syed Farook’s iPhone. This is not at all the same situation we would have if Apple had agreed to create the FBI requested version of the operating system. The important difference is scalability.
With this announcement we now know that law enforcement can break into any iPhone (of that generation or earlier at least) given sufficient effort. That effort is the key. It appears that the phone hack requires disassembling the phone and desoldering at least one chip at a minimum. It might actually be more complicated and cumbersome.
This is absolutely not something that any government is going to do thousands of times, it can not be done quickly and would probably leave evidence of the activity. This is fine for investigations of high value cases, but is absolutely useless for mass surveillance.
Contrast that with what could happen if Apple had created the security bypass operating system. Once created it would certainly be compelled in many different cases. Governments around the world would all demand access to the tool. That tool would allow rapid software only compromise of the phones without physical modification. This kind of attack scales to large numbers much more easily. Fortunately it would still require physical access to the phone, but that could obtained in many ways both overt and covert. I suspect that the compromised OS could be delivered through a modified phone charger for example.
Doubtless many companies will be working to make their devices secure against this kind of physical attack as well as making the kind of FBI requested modification actually impossible. In the meantime, the effort required to compromise each phone ensures that only a very few phones belonging to very narrowly targeted individuals will be unlocked. I can live with that.

· · ·

Tape on mouth

Microsoft challenged an FBI National Security Letter, and won | ZDNet

Recently unsealed documents show that Microsoft was able to beat back a National Security Letter (NSL) from the FBI.

NSL are like subpoenas but go through a different, and secret, process that bypasses the courts. NSL also include a gag order forbidding the recipient from revealing the existence of the letter to anyone.

Microsoft fought the NSL in question because it violated their policy of notifying all enterprise customers when they receive any “legal order related to data”. The FBI withdrew it without any rulings on the legality or appropriateness of the NSL.

This may indicate a move towards some limitations of the gag order attached to NSLs, which would be very valuable for transparency in the whole process.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

· ·

The New Scientist has an article on the FBI’s Next Generation Identification (NGI) program.

It started out as a project to replace the old fingerprint database, but will now include biometrics, DNA, voice prints, and facial recognition.

The idea is to database all the mugshots so people can be quickly identified after arrest, or possibly so surveillance video could be compared to the database to identify possible suspects.

Obviously lots of civil liberties issues here, but still a very long way from the paranoid hollywood inspired rantings about real time global surveillance with integrated biometrics.

· ·

The EFF has an excellent article on eight reasons why government regulation of cryptography is a bad idea.

The short answer is: the bad guys can easily get it and use it anyway, and it will make security for the rest of us much worse (not including the big brother surveillance  and constitutional issues).

· · · · · · ·