Phones, privacy, and network security

April 23, 2016

Just last night at dinner I was wondering aloud what Apple (and Apple iPhone owners) thought of the FBI’s claims that someone had hacked the phone used by Farook & Malik in San Bernadino. It wasn’t a concern to me since I don’t own an iPhone, but if I did own one I’d be wondering whether (a) the FBI really had hacked the phone and, if so, (b) what that implied about security on my iPhone.

And speak of the Devil… today’s Wall Street Journal ran this article about a newer case. (It’s behind their paywall, of course).

Same stuff, different day.

Federal Prosecutors Drop Court Case to Force Apple to Unlock iPhone

WASHINGTON—The Justice Department on Friday night dropped a court case trying to force Apple Inc. to help authorities open a locked iPhone, adding new uncertainty to the government’s standoff with the technology company over encryption.

In a one-page letter filed with a Brooklyn federal court Friday night, the government said an individual had recently come forward to offer the passcode to the long-locked phone. The filing means that in both of the high-profile cases pitting the Justice Department against Apple, the government first said it couldn’t open the phone, only to suddenly announce it had found a way into the device as the case proceeded in court. […]

The case involves an iPhone 5s that was seized from suspect Jun Feng as part of a 2014 drug investigation in New York. Mr. Feng pleaded guilty last year, but both sides agreed the legal dispute surrounding the phone still needs to be resolved.

After he was arrested, Mr. Feng told agents that he didn’t remember the phone’s passcode, leading investigators eventually to seek Apple’s help. The Wall Street Journal reported last week that Mr. Feng only recently learned his phone had become an issue in a high-stakes legal fight between prosecutors and Apple. Mr. Feng, who has pleaded guilty and is due to be sentenced in the coming weeks, is the one who provided the passcode to investigators, according to people familiar with the matter. […]

Earlier this week, James Comey, the director of the Federal Bureau of Investigation, told a London security conference audience that the government paid more than $1 million for an unidentified third-party to help open the San Bernardino work phone of Syed Rizwan Farook.

Mr. Farook and his wife killed 14 people and wounded 22 in a Dec. 2 shooting rampage at a holiday gathering of county employees, before being killed later that day in a shootout with police.

Earlier this week I ran across this video on Darrell Issa’s Twitter feed.

It makes the point about security on network devices pretty well, I think. The question’s not as simple as people putting their privacy ahead of the common good (as the FBI and politicians would have it). It’s not just about Snapchat and Twitter. It’s about all the data on what have become our personal computers — the bank passwords, or the business data that you don’t want made public, or your Ashley Madison account maybe.

So that makes this an issue about introducing weaknesses in devices on an open network that already has its share of security risks. Anyone work for the OPM? Do you think the Feds should dictate security measures for everyone?

But getting back to what I was wondering about, I couldn’t find that there’d been any answer to that question. Here’s a three-week-old article in the Los Angeles Times.

Apple wants the FBI to reveal how it hacked the San Bernardino killer’s iPhone

Apple Inc. refused to give the FBI software the agency desperately wanted. Now Apple is the one that needs the FBI’s assistance.

The FBI announced Monday that it managed to unlock an iPhone 5c belonging to one of the San Bernardino shooters without the help of Apple. And the agency has shown no interest in telling Apple how it skirted the phone’s security features, leaving the tech giant guessing about a vulnerability that could compromise millions of devices.

“One way or another, Apple needs to figure out the details,” said Justin Olsson, product counsel at security software maker AVG Technologies. “The responsible thing for the government to do is privately disclose the vulnerability to Apple so they can continue hardening security on their devices.”

But that’s not how it’s playing out so far. The situation illuminates a process that usually takes place in secret: Governments regularly develop or purchase hacking techniques for law enforcement and counterterrorism efforts, and put them to use without telling affected companies.

I’d be very surprised if Mr. Olsson’s suggestion that the government disclose its method to Apple ever happens.

Update 4/26/16

Well, that easy prediction was quickly confirmed. Here’s more news from today’s Wall Street Journal (and behind its paywall, naturally). My emphasis below.

FBI Plans to Keep Apple iPhone-Hacking Method Secret

The FBI is preparing to send a formal notification to the White House in the coming days saying that while the agency bought a hacking tool from a third party to unlock the San Bernardino shooter’s iPhone, officials aren’t familiar with the underlying code that runs it.

The Federal Bureau of Investigation doesn’t plan to tell Apple Inc. how it cracked a San Bernardino, Calif., terrorist’s phone, said people familiar with the matter, leaving the company in the dark on a security vulnerability on some iPhone models.

The FBI knows how to use the phone-hacking tool it bought to open the iPhone 5c but doesn’t specifically knows how it works, allowing the tool to avoid a White House review, the people said, The FBI plans to notify the White House of this conclusion in the coming days, they added.

Any decision to not share details of the vulnerability with Apple is likely to anger privacy advocates who contend the FBI’s approach to encryption weakens data security for many smartphone and computer owners in order to preserve options for federal investigators to open locked devices. […]

And if you believe the FBI’s claim that it "doesn’t specifically know how it works" then please call me about the bridge I have for sale.

While it’s a Federal crime for us to lie to Federal law enforcement agents, it’s not a crime (of any sort) for them to lie to us.

Update 5/19/16

Here’s probably the most persuasive response to the government’s demands for backdoors in phone security. If a government has access, it will be abuse that access sooner or later.

Apple vs the FBI, a Dispute as Seen From the Cuban Prism

14ymedio, Generation Y, Yoani Sanchez, Washington, 5 March 2016 — When they returned his mobile phone all his contacts had been erased and the card with the photos was gone. Stories like this are repeated among activists who have been detained, over whom an iron vigilance is maintained with the complicity of the Telecommunications Company (ETECSA), the technology arm of repression in Cuba. An entity that should take note of the rebuff Apple has dealt the FBI in the United States, by refusing to access its clients’ data.

For decades, Cuban society has become accustomed to the government’s failing to respect individuals’ private spaces. The state has the power to delve into personal correspondence, to display medical records in front of the cameras, to air private messages on television, and to broadcast phone conversations between critics of the system. In such a framework, intimacy doesn’t exist, one’s personal space has been invaded by power.

People see as “normal” that the phones are tapped and that in the homes of opponents hidden microphones capture even the smallest sigh. It has become common practice for ETECSA to cut off dissidents’ phone service during certain national events or visits from foreign leaders, and to block the reception of messages whose contents upset them. This Orwellian situation has gone on for so long, that few take note any more of the illegality involved and the violation of citizens’ rights it entails.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: