Apple's Fight With the Feds

Pertinacious Tom

Importunate Member
62,855
2,003
Punta Gorda FL
China has back door men too

...

These so-called back doors enable the NSA and other agencies to scan large amounts of traffic without a warrant. Agency advocates say the practice has eased collection of vital intelligence in other countries, including interception of terrorist communications.

The agency developed new rules for such practices after the Snowden leaks in order to reduce the chances of exposure and compromise, three former intelligence officials told Reuters. But aides to Senator Ron Wyden, a leading Democrat on the Senate Intelligence Committee, say the NSA has stonewalled on providing even the gist of the new guidelines.

“Secret encryption back doors are a threat to national security and the safety of our families – it’s only a matter of time before foreign hackers or criminals exploit them in ways that undermine American national security,” Wyden told Reuters. “The government shouldn’t have any role in planting secret back doors in encryption technology used by Americans.”

...

In at least one instance, a foreign adversary was able to take advantage of a back door invented by U.S. intelligence, according to Juniper Networks Inc, which said in 2015 its equipment had been compromised. In a previously unreported statement to members of Congress in July seen by Reuters, Juniper said an unnamed national government had converted the mechanism first created by the NSA. The NSA told Wyden staffers in 2018 that there was a “lessons learned” report about the Juniper incident and others, according to Wyden spokesman Keith Chu.

“NSA now asserts that it cannot locate this document,” Chu told Reuters.

...

A special commission appointed by Obama said the government should never “subvert” or “weaken” tech products or compromise standards.

The White House did not publicly embrace that recommendation, instead beefing up review procedures for whether to use newly discovered software flaws for offensive cyber operations or get them fixed to improve defense, Daniel and others said.

The secret government contracts for special access remained outside of the formal review.

...

RSA accepted a $10 million contract to incorporate Dual EC into a widely used web security system, Reuters reported here in 2013. RSA said publicly that it would not have knowingly installed a back door, but its reputation was tarnished and the company was sold.

Juniper Networks got into hot water over Dual EC two years later. At the end of 2015, the maker of internet switches disclosed that it had detected malicious code in some firewall products. Researchers later determined that hackers had turned the firewalls into their own spy tool here by altering Juniper’s version of Dual EC.

Juniper said little about the incident. But the company acknowledged to security researcher Andy Isaacson in 2016 that it had installed Dual EC as part of a “customer requirement,” according to a previously undisclosed contemporaneous message seen by Reuters. Isaacson and other researchers believe that customer was a U.S. government agency, since only the U.S. is known to have insisted on Dual EC elsewhere.

Juniper has never identified the customer, and declined to comment for this story.

Likewise, the company never identified the hackers. But two people familiar with the case told Reuters that investigators concluded the Chinese government was behind it. They declined to detail the evidence they used.

The Chinese government has long denied involvement in hacking of any kind. ...
Losing the "lessons learned" is about the only way to move forward with the Awful Access bill.

 

Pertinacious Tom

Importunate Member
62,855
2,003
Punta Gorda FL
Someone Installed a SolarWinds Back Door
 

The U.S. Treasury and Commerce departments, along with untold numbers of government and corporate computer networks, have been breached in what may be an espionage attempt by the Russian government. (The Russians are, of course, denying responsibility.)

The avenue was reportedly a malicious software update pushed through SolarWinds Inc., an Austin-based network management company that counts both the federal government and hundreds of major U.S. companies among its clients. Essentially, the hackers slipped some malicious code into a software update; if you were on the infected networks that installed the update, this gave the hackers backdoor access to your data.

The infiltration apparently began in the spring but was not announced until this past weekend. SolarWinds reports that as many as 18,000 customers may have downloaded the infected update.

...

It's worthwhile to consider these developments in the light of law enforcement's efforts to weaken encryption protections. When officials insist that individuals should not have access to strong encryption unless the government can bypass those protections and access our data, they don't acknowledge that police won't be the only ones exploiting those back doors. Others with malicious intent, be they criminals or foreign governments (or both), will figure out how to get through too. It has happened before to our own very own government, as another country, possibly China, figured out how to access a cybersecurity bypass that had been installed for the National Security Agency.

In this latest incident, the extent of which we still don't know, the hackers had to create their own back door. So even cybersecurity that hasn't been undermined by statute isn't going to be perfect protection. But weaker security certainly isn't the answer. These back doors are bad. Whenever any senator or FBI director or police chief demands the power to bypass encryption, he or she should be reminded of this potentially dangerous breach.

 

Pertinacious Tom

Importunate Member
62,855
2,003
Punta Gorda FL
In addition to running a department in which drug warriors run amok and there's a systemic effort to circumvent safeguards against doing so, Houston Police Chief Acevedo is a back door man.
 

...

Deep down in the Post story, the debate takes a comically absurdist twist. A former Houston police officer was among those charged with joining the violent mob at the Capitol. With the problem at his doorstep, Houston Police Chief Art Acevedo, who is also president of the Major Cities Chiefs Association, decided to blame…encryption:


Acevedo also said anonymous online platforms on the "dark web" are making such investigations impossible, even for departments with sufficient resources. He expects the move away from public platforms like Facebook and Twitter to grow rapidly in response to the FBI arrests of those who rioted at the Capitol.

This month, Acevedo was asked by the House Oversight and Reform Committee to explain what actions police chiefs are taking, and responded by asking for help. For years, law enforcement officials have asked for passage of a federal law that would require such platforms to have a "back door" that law enforcement can access if they have "a legitimate investigative need and a court order" to gain entry.

"Congress's failure to act has enabled industry giants to flaunt the law and operate with impunity," Acevedo wrote in response.



Destroying encryption—and yes, mandatory backdoors would utterly destroy encryption—has been a pet cause of the U.S. Department of Justice for years. The invocation of the "dark web" as a boogeyman has been a constant recently too. Usually those who have demanded encryption back doors have insisted that it was necessary to fight child trafficking and terrorism.

It feels a bit desperate to invoke encryption as a reason why police departments don't know they've got some dangerous officers, particularly when—let's be frank—these guys weren't being all that secretive. As the Brennan Center for Justice notes, "These officers' racist activities are often known within their departments, but only result in disciplinary action or termination if they trigger public scandals."

Meanwhile, Acevedo has inadvertently revealed that people are right to worry that law enforcement would abuse encryption backdoors. Police leaders have traditionally insisted that they need these to make sure tech platforms and communication tools comply with legal warrants. But Acevedo is talking about using backdoors to investigate potential or current police officers without any specific connection to criminal activity. This isn't crimefighting; it's domestic surveillance. This is precisely why backdoors are dangerous. Worse yet: The whole premise of these investigations is that there are abusive, authoritarian cops out there who can't be trusted. This is supposed to be a reason to give officers more access to people's communications?

...
The last paragraph there pretty well sums up why I'm still not, and never will be, a back door man.

 

SloopJonB

Super Anarchist
70,089
13,260
Great Wet North
Aw, c'mon guys.... pick me!

How long does it take to figure out no-one is listening or cares?

You've chosen to ignore content by Pedagogical Tom. Options
You've chosen to ignore content by Pedagogical Tom. Options
You've chosen to ignore content by Pedagogical Tom. Options
You've chosen to ignore content by Pedagogical Tom. Options
You've chosen to ignore content by Pedagogical Tom. Options
You've chosen to ignore content by Pedagogical Tom. Options
You've chosen to ignore content by Pedagogical Tom. Options
You've chosen to ignore content by Pedagogical Tom. Options
You've chosen to ignore content by Pedagogical Tom. Options
You've chosen to ignore content by Pedagogical Tom. Options
You've chosen to ignore content by Pedagogical Tom. Options
You've chosen to ignore content by Pedagogical Tom. Options
You've chosen to ignore content by Pedagogical Tom. Options
You've chosen to ignore content by Pedagogical Tom. Options
You've chosen to ignore content by Pedagogical Tom. Options
 
Last edited by a moderator:

Pertinacious Tom

Importunate Member
62,855
2,003
Punta Gorda FL
The Supreme Court is being asked to consider whether you must reveal your phone's passcode.

Andrews v Joisey

Issue: Whether the self-incrimination clause of the Fifth Amendment protects an individual from being compelled to recall and truthfully disclose a memorized passcode, when communicating the passcode may lead to the discovery of incriminating evidence to be used against him in a criminal prosecution.
The New Jersey Court had this to say about it:

This appeal presents an issue of first impression to our Court -- whether a court order requiring a criminal defendant to disclose the passcodes to his passcode-protected cellphones violates the Self-Incrimination Clause of the Fifth Amendment to the United States Constitution or New Jersey's common law or statutory protections against self-incrimination. We conclude that it does not and affirm the Appellate Division's judgment.
The Supremes may just leave it alone. They had a warrant. If they have a warrant for your safe and you refuse to open it, they might just break into it. Opening it isn't self-incrimination in a case like that. The feds wound up breaking into the iphone at issue in the beginning of this thread.

 

Fah Kiew Tu

Curmudgeon, First Rank
10,406
3,491
Tasmania, Australia
The Supreme Court is being asked to consider whether you must reveal your phone's passcode.

Andrews v Joisey

The New Jersey Court had this to say about it:

The Supremes may just leave it alone. They had a warrant. If they have a warrant for your safe and you refuse to open it, they might just break into it. Opening it isn't self-incrimination in a case like that. The feds wound up breaking into the iphone at issue in the beginning of this thread.
Step 1: Don't have incriminating shit on your phone. How hard is that?

Step 2: the phone providors have 2 pass codes. The one you use normally, and the one that deletes stuff.

Personally I stick with option 1.

FKT

 

Pertinacious Tom

Importunate Member
62,855
2,003
Punta Gorda FL
Step 1: Don't have incriminating shit on your phone. How hard is that?

Step 2: the phone providors have 2 pass codes. The one you use normally, and the one that deletes stuff.

Personally I stick with option 1.

FKT
Those are good steps for individuals, but how about steps for governments?

The person with incriminating shit on his phone in this case was a corrupt drug warrior cop.

Step 1 for governments: don't engage in a stupid drug war.

 

Pertinacious Tom

Importunate Member
62,855
2,003
Punta Gorda FL
Back Door Men Never Rest
 

You would think that the midst of yet another international scandal over governments spying on people who annoy them would be an inopportune time to call for curbs on tools that protect privacy, but that underestimates the compulsion that drives authoritarians. The world keeps offering evidence that encrypting communications is important, especially as a shield against the powers that be, but petty officials can't help but find such barriers frustrating to their eavesdropping impulses, even when they already have plenty of tools at their disposal for investigations legitimate and otherwise.

"As our two agencies work to protect citizens on both sides of the Atlantic, we have come to conclude that the single most problematic barrier to doing so stems from unregulated encryption," write Cyrus R. Vance, Jr., district attorney of New York County, and Catherine De Bolle, executive director of Europol, the law enforcement agency of the European Union. "To be clear, we both support strong encryption, just not unregulated encryption. No sector — in this case, the tech industry — should be allowed to dictate the rules of access to digital data for all of society, with limited regard to the wider impact those rules might have."

Despite the two officials engaging in popular tech-bashing, it's obvious that companies don't "dictate the rules of access to digital data for all of society." Through their actions and the tools they adopt, people communicating with one another have the greatest input into the security of their data. Vance and De Bolle would replace those multitudes of individual choices with one rule-maker: government. That letting government mandate some sort of access to private communications has a down side is apparent from the reactions of people who understand the technology and point out that you can't punch holes in privacy protections and be sure they'll only be used by good guys against bad guys.

"No matter what you call it, a backdoor is a backdoor," the Internet Society's Jeff Wilbur and Ryan Polk pointed out last year. "Any method that gives a third-party access to encrypted data creates a major vulnerability that weakens the security of law-abiding citizens and the Internet at large."

"Backdoors to encryption are like chinks in an otherwise impenetrable chain — once you've opened up a vulnerability, you cannot choose who can exploit it," agrees Adam Hadley of the UN-sponsored Tech Against Terrorism project in a letter written as a rebuttal to Vance and De Bolle.

Vance and De Bolle aren't specific in what they want in terms of regulation for encryption, but they demand access for government agencies—which means weakened privacy protections.

...



 

Pertinacious Tom

Importunate Member
62,855
2,003
Punta Gorda FL
We don't seem to have a thread for Facebook's fight with the Brits, but in the end back door men are all after the same thing.

Back door women too. Turns out Frances Haugen is one.

Whistleblower Absurdly Attacks Facebook's Privacy-Protecting Encryption Efforts
 

...

Haugen has come forward with internal Facebook documents she believes show a lack of concern with the safety and welfare of platform's users. One might think, then, that Haugen would be happy to see Facebook implementing end-to-end encryption on its private messaging. End-to-end encryption helps protect users from predatory hackers and corrupt governments by making it much harder for them to secretly access your data.

But Haugen, apparently, has fallen for the idea that it's important for the "right" people to have access to encrypted information. She attempts to paint Facebook's privacy feature as a way for the social media giant to avoid responsibility. Strangely, the example she gave suggested that Facebook needs to have looser encryption in order to somehow protect Uyghurs in China from government attempts to implant spyware onto their phones.

...

Further down, Muffett notes what should be obvious to somebody with Haugen's knowledge: that damaging encryption would make Uighurs more vulnerable to surveillance. He says her ill-considered criticisms of encryption are "playing squarely into the hands of despots, censors, and corrupt politicians—those who want to break the Internet into parochial 'splinternets' that foist local mores onto a global audience."

Muffett also reasonably asks on Twitter, "Should Facebook be responsible for protecting #EU citizens from state-sponsored malware deployed by [Government Communications Headquarters—the United Kingdom's intelligence agency]?" Weakening encryption would make it easier for Western governments to introduce malware to users' systems. This isn't just the province of China and Russia. If Facebook has a responsibility to protect users from China's surveillance, wouldn't the same be true of England's or America's surveillance too?

 

Pertinacious Tom

Importunate Member
62,855
2,003
Punta Gorda FL
And uncooperative citizens who like good encryption, it seems.

China's Lockdown Protests Show Why You Shouldn't Let Government Weaken Encryption

...
The Wall Street Journal reports that protesters are using encrypted apps like Telegram to organize, start group chats, and communicate about possible sites to organize and avoid the police. And Chinese police, in turn, are using whatever tools they have to try to track the protesters through social media and their phones.

...

The BBC also noted how police in China are attempting to track which people are attending protests and searching people's phones to see what sort of apps they're using. Unsurprisingly, apps that provide encryption are banned in China. They're also, of course, devoted to trying to track down the individual identities of anybody posting on these platforms.

...

When British officials brought this up last fall, I noted that this won't actually purge anonymity from the internet but instead will create a black market for it. What we see now in China, where citizens are getting their hands on prohibited encrypted apps regardless of the bans, is a real-world example. Government can't actually stop people who are insistent on privately or anonymously communicating through online tools from doing so. Their attempts to do so are more likely to harm everyday people attempting to live their lives freely than to actually net them criminals.

I'm glad I have the luxury of concluding that real anonymity is more trouble than it's worth.
 

Pertinacious Tom

Importunate Member
62,855
2,003
Punta Gorda FL
Apple Disappoints Back Door Men

Defying the snoops at the FBI, Apple has announced it is implementing end-to-end encryption options for the data people store on iCloud, making it all the more difficult for hackers, criminals, and the aforementioned government agency to access your info without your knowledge or permission.


Apple made the announcement Wednesday evening, and it should be treated as a big deal by anybody who values data security. Apple had been planning to offer users the ability to encrypt their backed-up iCloud data years ago, but it reportedly dropped the plan in 2018 after the FBI objected.


Apple currently offers end-to-end encryption on its iMessage services so that messages can't be intercepted or read by third parties (including government authorities). But most data stored on iCloud are not encrypted, leaving them available to be accessed by law enforcement with subpoenas or warrants. It also leaves those data susceptible to hacking, which has led to cases like this one from June, where a California man was convicted and sentenced to nine years in federal prison for breaking into thousands of iCloud accounts, stealing private photos and videos of nude women, and sharing them on the internet.

...

Glad to see Apple looking after data privacy at least to some extent.

WTF is up with California man? Hacks into thousands of accounts, finds private porn, and his thought is that other people really need to see this porn.

And that's probably the thought that got him caught.

I think Florida man would have thought up the idea of selling the stolen porn, not just sharing it. Which is worse, of course, but at least understandable. I don't get the need to share porn.
 

BeSafe

Super Anarchist
8,115
1,353
Florida man wants to be titillated.

California man wants to be revered.

Different end goals.
 




Top