News You Need to Know – Page 48

FBI Versus Apple Court Hearing Postponed

It appears that the Federal Bureau of Investigations (FBI) is finally following the advice of every major security expert and pursuing alternate means of acquire the data on Farook’s iPhone, which means the agency’s crusade against Apple is temporarily postponed:

A magistrate in Riverside, CA has canceled a hearing that was scheduled for Tuesday afternoon in the Apple v FBI case, at the FBI’s request late Monday. The hearing was part of Apple’s challenge to the FBI’s demand that the company create a new version of its iOS, which would include a backdoor to allow easier access to a locked iPhone involved in the FBI’s investigation into the 2015 San Bernardino shootings.

The FBI told the court that an “outside party” demonstrated a potential method for accessing the data on the phone, and asked for time to test this method and report back. This is good news. For now, the government is backing off its demand that Apple build a tool that will compromise the security of millions, contradicts Apple’s own beliefs, and is unsafe and unconstitutional.

This by no means marks the end of Crypto War II. The FBI very well could continue its legacy of incompetence and fail to acquire the data from the iPhone through whatever means its pursuing now. But this will buy us some time before a court rules that software developers are slave laborers whenever some judge issues a court order.

I’m going to do a bit of speculation here. My guess is that the FBI didn’t suddenly find somebody with a promising method of extracting data from the iPhone. After reading the briefs submitted by both Apple and the FBI it was obvious that the FBI either had incompetent lawyers or didn’t have a case. That being the case, I’m guessing the FBI decided to abandon its current strategy because it foresaw the court creating a precedence against it. It would be far better to abandon its current efforts and try again later, maybe against a company that is less competent than Apple, than to pursue what would almost certainly be a major defeat.

Regardless of the FBI’s reasoning, we can take a short breath and wait for the State’s next major attack against our rights.

Let Me Emphasize That Ad-Blockers Are Security Tools

Once again ad networks have been utilized to serve up malware:

According to a just-published post from Malwarebytes, a flurry of malvertising appeared over the weekend, almost out of the blue. It hit some of the biggest publishers in the business, including msn.com, nytimes.com, bbc.com, aol.com, my.xfinity.com, nfl.com, realtor.com, theweathernetwork.com, thehill.com, and newsweek.com. Affected networks included those owned by Google, AppNexis, AOL, and Rubicon. The attacks are flowing from two suspicious domains, including trackmytraffic[c],buz and talk915[.]pw.

The ads are also spreading on sites including answers.com, zerohedge.com, and infolinks.com, according to SpiderLabs. Legitimate mainstream sites receive the malware from domain names that are associated with compromised ad networks. The most widely seen domain name in the current campaign is brentsmedia[.]com. Whois records show it was owned by an online marketer until January 1, when the address expired. It was snapped up by its current owner on March 6, a day before the malicious ad onslaught started.

In this case the attacks appear to be originated from domains of ad networks that had been allowed to expire. After being allowed to expire the domains were snapped up by malware distributors. This allowed them to distribute malware to visitors of sites that still allowed ads from those expired domains.

Ad networks have become an appealing target for malware distributors. By compromising a single ad network a malware distributor can successfully target users across many websites. It offers a much better return on investment than compromising a single large website such as the New York Times and the BBC. Compromising ad networks is often easier than compromising large websites as well since operators of large websites often have skilled administrators on hand that keep things fairly locked down. The fact that advertising companies come and go with notable frequency also makes life difficult for site administrators. In this case the purchased domains likely were legitimate ad networks at one time and simply vanished without anybody noticing. Since nobody noticed they weren’t removed from any of the ad distribution networks and could therefore still serve up ads to legitimate sites.

This event, if nothing else, should serve as a reminder that ad blockers are security tools.

Illustrating Cryptographic Backdoors With Mechanical Backdoors

A lot of people don’t understand the concept of cryptographic backdoors. This isn’t surprising because cryptography and security are very complex fields of study. But it does lead to a great deal of misunderstanding, especially amongst those who tend to trust what government agents say.

I’ve been asked by quite a few people why Apple doesn’t comply with the demands of the Federal Bureau of Investigations (FBI). They’ve fallen for the FBI’s claims that the compromised firmware would only be used on that single iPhone and Apple would be allowed to maintain total control over the firmware at all times. However, as Jonathan Zdziarski explained, the burden of forensic methodology would require the firmware to exchange hands several times:

Once the tool is ready, it must be tested and validated by a third party. In this case, it would be NIST/NIJ (which is where my own tools were validated). NIST has a mobile forensics testing and validation process by which Apple would need to provide a copy of the tool (which would have to work on all of their test devices) for NIST to verify.

[…]

If evidence from a device ever leads to a case in a court room, the defense attorney will (and should) request a copy of the tool to have independent third party verification performed, at which point the software will need to be made to work on another set of test devices. Apple will need to work with defense experts to instruct them on how to use the tool to provide predictable and consistent results.

If Apple creates what the FBI is demanding the firmware would almost certainly end up in the hands of NIST, the defense attorney, and another third party hired by the defense attorney to verify the firmware. As Benjamin Franklin said, “Three can keep a secret, if two of them are dead.” With the firmware exchanging so many hands it will almost certainly end up leaked to the public.

After pointing this out a common followup question is, “So what? How much damage could this firmware cause?” To illustrate this I will use an example from the physical world.

The Transportation Security Administration (TSA) worked with several lock manufacturers to create TSA recognized locks. These are special locks that TSA agents can bypass using master keys. To many this doesn’t sound bad. After all, the TSA tightly guards these master keys, right? Although I’m not familiar with the TSA’s internal policies regarding the management of their master keys I do know the key patterns were leaked to the Internet and 3D printer models were created shortly thereafter. And those models produce keys that work.

The keys were leaked, likely unintentionally, by a TSA agent posting a photograph of them online. With that single leak every TSA recognized lock was rendered entirely useless. Now anybody can obtain the keys to open any TSA recognized lock.

It only takes one person to leak a master key, either intentionally or unintentionally, to render every lock that key unlocks entirely useless. Leaking a compromised version of iOS could happen in many ways. The defendant’s attorney, who may not be well versed in proper security practices, could accidentally transfer the firmware to a third party in an unsecured manner. If that transfer is being monitored the person monitoring it would have a copy of the firmware. An employee of NIST could accidentally insert a USB drive with the firmware on it into an infected computer and unknowingly provide it to a malicious actor. Somebody working for the defendant’s third party verifier could intentionally leak a copy of the firmware. There are so many ways the firmware could make its way to the Internet that the question isn’t really a matter of if, but when.

Once the firmware is leaked to the Internet it would be available to anybody. While Apple could design the firmware to check the identity of the phone to guard against it working on any phone besides the one the FBI wants unlocked, it could be possible to spoof those identifies to make any iPhone 5C look like the one the FBI wants unlocked. It’s also possible that a method to disable a fully updated iPhone 5C’s signature verification will be found. If that happens a modified version of the compromised firmware, which would contain an invalid signature, that doesn’t check the phone’s identifiers could be installed.

The bottom line is that the mere existence of a compromised firmware, a master key if you will, puts every iPhone 5C at risk just as the existence of TSA master keys put everything secured with a TSA recognized lock at risk.

Facebook Trolling The United Kingdom

In general I find Facebook to be one of the creepiest surveillance corporations. But in this case I’m willing to give the company a pass. Facebook has announced that it is giving each of its United Kingdom (UK) employees a $1.1 million bonus in order to avoid paying taxes:

Facebook is to award bonuses of £280 million ($396 million) to its U.K.-based staff over the next three years in a bid to offset the amount of tax it has to pay to the U.K. Treasury.

Each employee will receive an average of £775,000 ($1.1 million), which Facebook will list as a taxable expense.

This raises an interesting question. Who will win between the statists demanding Facebook to pay more taxes or the statists demanding Facebook pay its employees more. Since the same people are often demanding both this is probably causing some severe headaches.

But that’s not all! In addition to this trolling Facebook also threw in an additional complimentary troll:

The new tax blow is all the more frustrating for the British government after data emerged recently to show that the Treasury pays more to Facebook for advertising placement than it receives in taxes from the Silicon Valley giant.

Why is the UK Treasury paying Facebook for advertising? What does a State have to advertise? It makes its services compulsory for everybody. Either way, it’s nice to see Facebook draining some wealth away from the State. While Facebook’s employees will likely have to pay income taxes on their substantial bonus the amount the UK will receive will likely be far less than if Facebook paid what was being demanded of it directly. It also sends a terrific message.

The Power Of Juries

People often talk about the supposed system of checks and balances that exists within the various levels of government in the United States. Their claim is that the judiciary keeps the legislature in check and vice versa. In reality the system of checks and balances more accurate mimics a circlejerk. If a check and balance system exists in this country it is the jury. Unfortunately too many people have fallen for the bullshit that juries must rule on the letter of the law but sometimes a jury will still recognize its power, which stems from the fact jurors cannot be punished regardless of what their ruling is, and rule against a government goon on a power trip:

Last week a West Virginia woman who stood between her dog and a state trooper intent on killing him was acquitted of obstructing an officer by a jury in Wood County. It took jurors just half an hour to acquit 23-year-old Tiffanie Hupp after they watched the video of the incident that Hupp’s husband, Ryan, shot with his cellphone.

Trooper Seth Cook came to the Hupps’ house on May 9, 2015, in response to a dispute between a neighbor and Ryan’s stepfather. There Cook encountered Buddy, a Labrador-husky mix who was chained outside the house. The dog, whom Hupp describes as “a big baby,” ran toward Cook, barking, and Cook backed up. Even though the dog had reached the end of his chain and Cook was not in any danger, he drew his pistol. “I immediately thought, ‘I don’t want him to get shot,'” Hupp, who was in the yard with her 3-year-old son, told the Charleston Gazette-Mail. The video shows her stepping in front of Cook, at which point he grabs her, throws her to the ground, picks her up, leans her against his cruiser, and handcuffs her.

Stepping in front of a homicidal cop when he’s about to get his murder fix by blasting a dog was a brave move on Tiffanie’s part. Part of me is actually surprised she got through the encounter without being shot herself.

I’m glad to see the jury acquitted her since she did nothing wrong and, in fact, saved an innocent dog’s life. It’s too bad that this officer will likely face no repercussions though. Officer Cook is obviously a dangerous man and should not be trusted with any amount of authority. He should be fired immediately less he kills a dog or kidnaps another person who was only guilty of saving an innocent life.

Amazon Reverses Decision On Disabling Device Encryption

As an update to last weeks’s story about Amazon disabling device encryption in Fire OS 5, the company has since reversed its decision:

Amazon will restore optional full disk encryption to Fire OS 5 in a software update “coming this spring,” according to a statement released by the company on Friday evening.

This is a good announcement but I wouldn’t buy a Fire OS device until the firmware update reenabling device encryption has been rolled out. You never know when Amazon will decide to declare backsies.

As an aside, did you notice how quickly Amazon changed its mind? If this would have been a government decision we would be sitting through years of court cases, congressional hearings, congressional votes, and other such bureaucratic nonsense. But in the market it took less than a week for customer outrage to get things changing. The market gets shit done.

If At First You Don’t Succeed, Lower Your Expectations

Rant time. The education system in this country is fucking terrible. A lot of people blame the teachers but it’s not their fault. They are, after all, victims of the education system themselves who were taught by previous victims of the education system. The blame goes to the policy makers who believe the solution to every embarrassing statistic is to dumb down the curriculum:

In his new book The Math Myth: And Other STEM Delusions, political scientist Andrew Hacker proposes replacing algebra II and calculus in the high school and college curriculum with a practical course in statistics for citizenship (more on that later). Only mathematicians and some engineers actually use advanced math in their day-to-day work, Hacker argues—even the doctors, accountants, and coders of the future shouldn’t have to master abstract math that they’ll never need.

You see? Math is hard so we should dumb it down. In a rather ironic twist, Hacker proposes replacing algebra II and calculus with statistics and statistics is part of what’s fueling the deterioration of the education system. Statistics itself isn’t bad but when it’s placed in the hands of policy makers it because a weapon of mass destruction. Hacker, probably unknowingly, makes this point perfectly:

Unlike most professors who publicly opine about the education system, Hacker, though an eminent scholar, teaches at a low-prestige institution, Queens College, part of the City University of New York system. Most CUNY students come from low-income families, and a 2009 faculty report found that 57 percent fail the system’s required algebra course. A subsequent study showed that when students were allowed to take a statistics class instead, only 44 percent failed.

His argument is based on statistics surrounding student failure rates. An intelligent person would look at such statistics and try to investigate the causes (there are likely numerous interacting causes involved here). But Hacker, like most policy makers, isn’t an intelligent person. He looks at the statistic and decides the only option is to make the hard classes easier. The problem with his attitude is that it can only lead to one outcome in the end: Idiocracy.

I’m not going to lie, math kicked my ass in school and college. Young me would have loved to hear that algebra II was being replaced by something far easier. But old me understands the value of higher level math. While I don’t use it in my daily life it taught me logic (as in reasoning, not as in a word to throw around when I’m losing an Internet argument and have nothing to resort to other than telling the other person they’re not logical), which I do use every day. And that’s the point. Many subjects themselves aren’t obviously useful in our day to day lives. But they do teach us how to learn, which is tremendously useful. Without understanding how to learn we’re relegated to memorizing information so we can regurgitate it later. In fact that’s the state of education in this country in a nutshell: memorize information so you can regurgitate it on a standardized test.

Another Day, Another Attack Against Cryptography Made Possible By Government Meddling

This week another vulnerability was discovered in the OpenSSL library. The vulnerability, given the idiotic marketing name Decrypting RSA with Obsolete and Weakened eNcryption (DROWN), allows an attacker to discover a server’s TLS session keys if it has SSLv2 enabled. Like FREAK and Logjam before it, DROWN was made possible by government meddling in cryptography:

For the third time in less than a year, security researchers have found a method to attack encrypted Web communications, a direct result of weaknesses that were mandated two decades ago by the U.S. government.

These new attacks show the dangers of deliberately weakening security protocols by introducing backdoors or other access mechanisms like those that law enforcement agencies and the intelligence community are calling for today.

[…]

Dubbed DROWN, this attack can be used to decrypt TLS connections between a user and a server if that server supports the old SSL version 2 protocol or shares its private key with another server that does. The attack is possible because of a fundamental weakness in the SSLv2 protocol that also relates to export-grade cryptography.

The U.S. government deliberately weakened three kinds of cryptographic primitives in the 1990s — RSA encryption, Diffie-Hellman key exchange, and symmetric ciphers — and all three have put the security of the Internet at risk decades later, the researchers who developed DROWN said on a website that explains the attack.

We’d all be safer if the government didn’t meddle in mathematical affairs.

This exploit also shows the dangers of supporting legacy protocols. While there may exist users that have software so old it doesn’t support TLS or even SSLv3, supporting them creates a hazard to every other user. There’s a point where you have to tell that user of ancient software to either upgrade to modern software or stop using the service. From a business standpoint, potentially losing one customer due to not having legacy support is far better than losing a lot of customers due to their trust in your company being lost because of a major security compromise.

Amazon Disabled Device Encryption In Fire OS 5

While Apple and, to a lesser extent, Google are working to improve the security on their devices Amazon has decided on a different strategy:

While Apple continues to resist a court order requiring it to help the FBI access a terrorist’s phone, another major tech company just took a strange and unexpected step away from encryption.

Amazon has removed device encryption from the operating system that powers its Kindle e-reader, Fire Phone, Fire Tablet, and Fire TV devices.

The change, which took effect in Fire OS 5, affects millions of users.

Traditionally firmware updates deliver (or at least attempt to) security enhancements. I’m not sure why Amazon chose to move away from that tradition but it should cause users of Fire OS devices concern. By delivering a firmware update that removes a major security feature Amazon has violated the trust of its users.

Unless Amazon fixes this I would recommend avoiding Fire OS based devices. Fortunately other phone and table manufacturers exist and are willing to provide you devices that offer good security features.

FBI Asks Apple, “What If We Do What We’re Planning To Do?”

On Tuesday there was a congressional hearing regarding encryption. I didn’t watch it because I had better shit to do. But I’ve been reading through some of the highlights and the hearing was like most hearings. A handful of competent individuals were brought in to testify in front of a group of clueless idiots who are somehow allowed to pass policies. What was especially funny to me was a comment made by the director of the Federal Bureau of Investigations (FBI), James Comey (which should really be spelled James Commie):

When Florida Congressman Ted Deutch asked Comey if the potential repercussions of such a back door falling into the wrongs hands were of valid concern, Comey responded by posing a hypothetical situation in which Apple’s own engineers were kidnapped.

“Slippery slope arguments are always attractive, but I suppose you could say, ‘Well, Apple’s engineers have this in their head, what if they’re kidnapped and forced to write software?'” Comey said before the committee. “That’s where the judge has to sort this out, between good lawyers on both sides making all reasonable arguments.”

Comey likely made the comment to highlight how Apple is capable of creating a back door to break the iPhone’s encryption, a fact the company has admitted.

Comey should have said, “Well, Apple’s engineers have this in their head, what will happen when my agency kidnaps them and forces them to write the backdoor?” Because that’s exactly what his agency is trying to accomplish in the San Bernardino case. The FBI wants the court to order Apple to write a custom version of iOS that would bypass several security features and brute force the encryption key. If the court does issue such an order and Apple doesn’t obey some federal goons will kidnap members of Apple (likely Tim Cook). Of course, the FBI couches its criminal activities in euphemisms such as “arrest” to make them appear legitimate.

But what would happen? As it turns out, not much. Kidnapping one of Apple’s engineers wouldn’t give access to the company’s software signing key. Without that key any software the engineer was forced to write wouldn’t load onto an iOS device.