Tag Archives: terrorism

Economist Detained for Doing Math on an Airplane

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/05/economist_detai.html

An economics professor was detained when he was spotted doing math on an airplane:

On Thursday evening, a 40-year-old man – with dark, curly hair, olive skin and an exotic foreign accent – boarded a plane. It was a regional jet making a short, uneventful hop from Philadelphia to nearby Syracuse.

Or so dozens of unsuspecting passengers thought.

The curly-haired man tried to keep to himself, intently if inscrutably scribbling on a notepad he’d brought aboard. His seatmate, a blond-haired, 30-something woman sporting flip-flops and a red tote bag, looked him over. He was wearing navy Diesel jeans and a red Lacoste sweater — a look he would later describe as “simple elegance” — but something about him didn’t seem right to her.

She decided to try out some small talk.

Is Syracuse home? she asked.

No, he replied curtly.

He similarly deflected further questions. He appeared laser-focused – perhaps too laser-focused – on the task at hand, those strange scribblings.

Rebuffed, the woman began reading her book. Or pretending to read, anyway. Shortly after boarding had finished, she flagged down a flight attendant and handed that crew-member a note of her own.

This story ended better than some. Economics professor Guido Menzio (yes, he’s Italian) was taken off the plane, questioned, cleared, and allowed to board with the rest of his passengers two hours later.

This is a result of our stupid “see something, say something” culture. As I repeatedly say: “If you ask amateurs to act as front-line security personnel, you shouldn’t be surprised when you get amateur security.”

On the other hand, “Algebra, of course, does have Arabic origins plus math is used to make bombs.” Plus, this fine joke from 2003:

At Heathrow Airport today, an individual, later discovered to be a school teacher, was arrested trying to board a flight while in possession of a compass, a protractor, and a graphical calculator.

Authorities believe she is a member of the notorious al-Gebra movement. She is being charged with carrying weapons of math instruction.

AP story. Slashdot thread.

Seriously, though, I worry that this kind of thing will happen to me. I’m older, and I’m not very Semitic looking, but I am curt to my seatmates and intently focused on what I am doing — which sometimes involves looking at web pages about, and writing about, security and terrorism. I’m sure I’m vaguely suspicious.

EDITED TO ADD: Last month a student was removed from an airplane for speaking Arabic.

Bypassing Phone Security through Social Engineering

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/04/bypassing_phone.html

This works:

Khan was arrested in mid-July 2015. Undercover police officers posing as company managers arrived at his workplace and asked to check his driver and work records, according to the source. When they disputed where he was on a particular day, he got out his iPhone and showed them the record of his work.

The undercover officers asked to see his iPhone and Khan handed it over. After that, he was arrested. British police had 30 seconds to change the password settings to keep the phone open.

Reminds me about how the FBI arrested Ross William Ulbricht:

The agents had tailed him, waiting for the 29-year-old to open his computer and enter his passwords before swooping in.

That also works.

And, yes, I understand that none of this would have worked with the already dead Syed Farook and his iPhone.

Smart Essay on the Limitations of Anti-Terrorism Security

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/04/smart_essay_on_.html

This is good:

Threats constantly change, yet our political discourse suggests that our vulnerabilities are simply for lack of resources, commitment or competence. Sometimes, that is true. But mostly we are vulnerable because we choose to be; because we’ve accepted, at least implicitly, that some risk is tolerable. A state that could stop every suicide bomber wouldn’t be a free or, let’s face it, fun one.

We will simply never get to maximum defensive posture. Regardless of political affiliation, Americans wouldn’t tolerate the delay or intrusion of an urban mass-transit system that required bag checks and pat-downs. After the 2013 Boston Marathon bombing, many wondered how to make the race safe the next year. A heavier police presence helps, but the only truly safe way to host a marathon is to not have one at all. The risks we tolerate, then, are not necessarily bad bargains simply because an enemy can exploit them.

No matter what promises are made on the campaign trail, terrorism will never be vanquished. There is no ideology, no surveillance, no wall that will definitely stop some 24-year-old from becoming radicalized on the Web, gaining access to guns and shooting a soft target. When we don’t admit this to ourselves, we often swing between the extremes of putting our heads in the sand or losing them entirely.

I am reminded of my own 2006 “Refuse to be Terrorized” essay.

ISIS Encryption Opsec

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/03/isis_encryption.html

Tidbits from the New York Times:

The final phase of Mr. Hame’s training took place at an Internet cafe in Raqqa, where an Islamic State computer specialist handed him a USB key. It contained CCleaner, a program used to erase a user’s online history on a given computer, as well as TrueCrypt, an encryption program that was widely available at the time and that experts say has not yet been cracked.

[…]

More than a year and a half earlier, the would-be Cannes bomber, Ibrahim Boudina, had tried to erase the previous three days of his search history, according to details in his court record, but the police were still able to recover it. They found that Mr. Boudina had been researching how to connect to the Internet via a secure tunnel and how to change his I.P. address.

Though he may have been aware of the risk of discovery, perhaps he was not worried enough.

Mr. Boudina had been sloppy enough to keep using his Facebook account, and his voluminous chat history allowed French officials to determine his allegiance to the Islamic State. Wiretaps of his friends and relatives, later detailed in French court records obtained by The Times and confirmed by security officials, further outlined his plot, which officials believe was going to target the annual carnival on the French Riviera.

Mr. Hame, in contrast, was given strict instructions on how to communicate. After he used TrueCrypt, he was to upload the encrypted message folder onto a Turkish commercial data storage site, from where it would be downloaded by his handler in Syria. He was told not to send it by email, most likely to avoid generating the metadata that records details like the point of origin and destination, even if the content of the missive is illegible. Mr. Hame described the website as “basically a dead inbox.”

The ISIS technician told Mr. Hame one more thing: As soon as he made it back to Europe, he needed to buy a second USB key, and transfer the encryption program to it. USB keys are encoded with serial numbers, so the process was not unlike a robber switching getaway cars.

“He told me to copy what was on the key and then throw it away,” Mr. Hame explained. “That’s what I did when I reached Prague.”

Mr. Abaaoud was also fixated on cellphone security. He jotted down the number of a Turkish phone that he said would be left in a building in Syria, but close enough to the border to catch the Turkish cell network, according to Mr. Hame’s account. Mr. Abaaoud apparently figured investigators would be more likely to track calls from Europe to Syrian phone numbers, and might overlook calls to a Turkish one.

Next to the number, Mr. Abaaoud scribbled “Dad.”

This seems like exactly the sort of opsec I would set up for an insurgent group.

EDITED TO ADD: Mistakes in the article. For example:

And now I’ve read one of the original French documents and confirmed my suspicion that the NYTimes article got details wrong.

The original French uses the word “boîte”, which matches the TrueCrypt term “container”. The original French didn’t use the words “fichier” (file), “dossier” (folder), or “répertoire” (directory). This makes so much more sense, and gives us more confidence we know what they were doing.

The original French uses the term “site de partage”, meaning a “sharing site”, which makes more sense than a “storage” site.

The document I saw says the slip of paper had login details for the file sharing site, not a TrueCrypt password. Thus, when the NYTimes article says “TrueCrypt login credentials”, we should correct it to “file sharing site login credentials”, not “TrueCrypt passphrase”.

MOST importantly, according to the subject, the login details didn’t even work. It appears he never actually used this method — he was just taught how to use it. He no longer remembers the site’s name, other than it might have the word “share” in its name. We see this a lot: ISIS talks a lot about encryption, but the evidence of them actually using it is scant.

Comments on the FBI success in hacking Farook’s iPhone

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/03/comments-on-fbi-success-in-hacking.html

Left-wing groups like the ACLU and the EFF have put out “official” responses to the news that the FBI cracked Farook’s phone without help from Apple. I thought I’d give a response from a libertarian/technologist angle.

First, thank you FBI for diligently trying to protect us from terrorism. No matter how much I oppose you on the “crypto backdoors” policy question, and the constitutional questions brought up in this court case, I still expect you to keep trying to protect us.

Likewise, thank you FBI for continuing to be open to alternative means to crack the phone. I suppose you could’ve wrangled things to ignore people coming forward with new information, in order to pursue the precedent, in the longer term policy battle. I disagree with the many people in my Twitter timeline who believe this was some sort of FBI plot — I believe it’s probably just what the FBI says it is: they first had no other solution, then they did.

Though, I do wonder if the FBI’s lawyers told them they would likely lose the appeal, thus setting a bad precedent, thus incentivizing the FBI to start looking for an alternative to get out of the case. Whether or not this is actually what happened, I do worry that government has all the power to pursue cases in such a way. It’s like playing poker against an opponent who, when they fold, gets all their chips back.

One precedent has been set, though: what it means to “exhaust all other options”, therefore justifying the All Writs Act. From one perspective, the FBI was right that no old/existing technique existed to crack the phone. But their demand that only Apple could create a new technique was false. Somebody else obviously could create a new technique. I know a lot of people in the forensics, jailbreak, and 0day communities. They all confirm that the FBI never approached them to see if they could create a new technique. Instead, somebody created a new technique and approached the FBI on their own.

The next time the FBI attempts to conscript labor under the All Writs Act, I expect the judge to demand the FBI prove they haven’t tried to hire other engineers. In other words, the judge should ask “Did you contact VUPEN (an 0day firm) or @i0n1c (a jailbreaker) to see if they could create a solution for you?”.

Activists like the EFF are now demanding that the FBI make their technique public. This is nonsense. Whoever created the technique obviously wants to keep it secret so that Apple doesn’t patch it in the next iOS release. It’s probable that they gave the FBI Terms and Conditions such that they’d only provide a technique if it were kept secret. The only exception is if this were a forensics company like Cellebrite, which would then want to advertise the capability, to maximize revenue in the short period before Apple closes the hole. The point is, it’s the coder’s rights that are important here. It’s the coder who came up with the jailbreak/0day who gets to decide what to do with it.

Is the person/company who approached the FBI with the solution a hero or demon? On one hand, they’ve maintained the status quo, where Apple can continue to try to secure their phones, even against the FBI. On the other hand, they’ve forestalled the courts ruling in our favor, which many would have preferred. I don’t know the answer. Personally, had it been me, I’d’ve offered the exploit/jailbreak to the FBI, but at an exorbitant price they couldn’t afford, because I just don’t like the FBI.

Note: I doubt the technique was the NAND mirroring one many have described, or the well known “decapping” procedure that has a 30% chance of irretrievably destroying the data. Instead, I think it was an 0day or jailbreak. Those two communities are pretty large, and this is well within their abilities.

Also note: This is just my best guess, as somebody who does a lot of reverse engineering, coding, and hacking. I have little experience with iPhone in general. I write this blog because people keep asking me, not because I feel this is what everyone else should believe. The only thing I really stand behind here is “coder’s rights”, which is what the ACLU and EFF oppose.

“The FBI needs to disclose this vulnerability to Apple. Right now. It’s irresponsible and dangerous not to.”
— Amie Stepanovich (@astepanovich) March 29, 2016

“DOJ: We’re not giving the iOS 0-day to Apple. Apple: We will continue to help law enforcement in other cases. Way to play hard ball, Apple.”
— Christopher Soghoian (@csoghoian) March 29, 2016

Some notes on Apple decryption San Bernardino phone

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/02/some-notes-on-apple-decryption-san.html

Today, a judge ordered Apple to help the FBI decrypt the San Bernardino shooter’s iPhone 5C. Specifically:

- disable the auto-erase that happens after 10 bad guesses
- enable submitting passcodes at a high speed electronically rather than forcing a human to type them one-by-one
- likely accomplish this through a software update (which would run out of RAM, rather than updating the operating system)

The text of the court order almost exactly matches that of the “iOS Security Guide”. In other words, while it may look fairly technical, actually the entirety of the technical stuff they are asking for is described in one short document.

The problem the FBI is trying to solve is that guessing passcodes is slow. The user has two options. One option is that every bad guess causes the wait between guesses to get longer and longer, slowing down guessing, forcing an hour between guesses. The other option is to have the phone erase itself after 10 bad guesses. Either way, it makes guessing the passcode impractical. The FBI is demanding that Apple update the software of the phone to prevent either of these things from happening. This software would run in RAM, rather than updating the operating-system software already stored on the device.

The phone is an iPhone 5C, first released in September 2013, so it is quite old. This increases the chance that Apple may indeed be able to hack the phone as the court order suggests, depending upon the software version. Unlike the 5S, the 5C doesn’t have the hardware enclave, but I seem to remember it has something related.

On newer phones like the iPhone 6, with Apple’s “Enclave”, such an update of the firmware would be impossible. Updating the firmware to do what the FBI wants would also erase the crypto keys, or at least first require unlocking. If such a trick would work on the newer phones, then Apple has been lying about them. [UPDATE: There seems to be some disagreement here. I remember something to this effect when Apple announced the iPhone 5C, but I can’t find any reference to back up my claims. It may be that the current 5C has a similar vulnerability to a firmware update.]

On older phones, such as the iPhone 5C, there is no enclave, so it’s plausible the FBI’s strategy of updating iOS might work. But the problem is how to get the iOS update onto the phone — which may need a passcode.

The first hurdle is to get the iPhone to trust the computer doing the update, which can only be done with an unlocked phone. That means the FBI won’t be able to get the phone to trust their own computers. However, the iPhone has probably been connected to a laptop or desktop owned by the terrorists, so such an update can happen from those computers.

The second hurdle is that the phone asks for a passcode during an update. I updated my old iPhone 5 to verify this. Right between the update steps, it asked for the passcode. I’m not sure who asked for it. Was it the older iOS version, preventing an update? Or was it the new iOS version, asking to verify the new update? In the first case, it’s not something Apple can change, but in the second case, it’s something Apple can fix to comply with the FBI’s request.

I was using iTunes. Apparently, there are other tools out there (used for repair shops and factories) that are more efficient, and which may be able to bypass a security check.

Depending on the existing iOS version on the phone, there may be other opportunities for the FBI. Back in 2014, there was some controversy about a developer feature that could be used to ‘backdoor’ the iPhone, assuming it had already been set to trust a computer.

Lastly, the older iOS 8 defaulted to 4 digit passcodes, and merely a long delay (but not erasure) between attempts. There’s a good chance this is how the phone was configured. Which means that an intern with the phone will eventually be able to decrypt it.

The upshot is this. It’s an older phone. If the iOS version is old, and especially if it’s been configured to “trust” a laptop/desktop, then there is a good chance Apple or the FBI could decrypt it. If the software is reasonably up-to-date, then by my understanding of how iPhones work, it’s impossible at the moment for Apple to decrypt the device, especially as suggested by the court order.

In any case, I assume that Apple will challenge the “All Writs Act” that the FBI is using to compel Apple to comply.

FAQ:

Q: Isn’t helping the fight against terrorism the right thing to do? These terrorists killed a lot of innocent people!
A: Certainly. But the question isn’t whether Apple should help in this particular case, but whether Apple can be compelled to help in all cases, even when the government is abusing its power. And by and large, the government is abusing the powers it demanded in order to fight “terrorism”.

Q: Is it possible for Apple to do this?
A: If the phone were a 5S or later, then the answer is probably “no”. Apple claims this, and techies agree. But the phone was a 5C. For that model, and older, it may be possible. There are still hurdles, such as getting the phone to trust a firmware update without having the passcode.

Q: Does the law allow the FBI to do this? What law?
A: The “All Writs Act of 1789”, 28 U.S.C. § 1651. This is highly controversial, with many claiming that this law is nowhere near enough to compel Apple to write new code.

Q: I heard it’s a trick to force Apple to create a backdoor.
A: No, that’s an invalid assertion. For one thing, the court order explicitly wants Apple to limit the special software to only this phone, so it wouldn’t be something the FBI could use on other phones. Nor is the FBI asking for this feature to be placed on any customer-owned phone, but only this one phone in their possession.

Q: Don’t the “enclave” features stop this?
A: Not for the older iPhone 5C.

Q: Once Apple supplies the backdoored software, how long will it take them to crack the decryption?
A: It’s 80 milliseconds per guess, which is a hardware limit. We can therefore do the math:

- 4 digit PIN – 13.3 minutes
- 6 digit PIN – 22.2 hours
- 6 letter password – 300+ years

Q: Do we know if the ‘erase’ feature (after 10 failed guesses) was enabled?
A: It was a phone given by the employer, which claims erase was enabled by default.

Q: What iOS version is the phone?
A: According to the FBI, it’s iOS 9.

Q: Is the FBI asking for Apple to create a custom operating system?
A: No. They are asking for Apple to write code that would run out of RAM, without changing anything on the drive.

Q: How is this different from the 70 other times the FBI has asked Apple to unlock a phone?
A: Because those times took a few minutes of effort on Apple’s part. This is asking Apple to spend 2000 hours on creating a new technology that could potentially be used to unlock all older phones. In other words, it’s conscripting a man-year’s worth of labor.

Links:

- The FBI motion asking for this court order.
- Apple’s letter to customers in response to this.
- Dan Guido’s take on this event (he knows more about this than I do).
- Jonathan Zdziarski’s take on this event (he knows more about this than I do).

Specifically, the court suggests that this be done with a firmware update, but with a unique ID specific to this particular phone, so that the FBI can’t just then load that firmware on any phone. The otherwise awesome Mike Masnick suggests the court is ordering Apple to “create a backdoor” instead of just “decrypt”. I disagree with that logic; it really is just about decrypting this one phone.
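The FAQ's arithmetic above, worked through as an added example (not code from the post or from Apple): it takes only the 80 ms per guess hardware cost from the post, models the two protections the post names (an hour between guesses, simplified here to a constant delay, and auto-erase after 10 failures), and shows that the "6 letter password" row depends entirely on which alphabet is assumed. Alphabet sizes and the millisecond constants are the example's own assumptions.

```python
"""Passcode-guessing cost model for the protections described in the post.

Added example, not code from the post or from Apple. The only figure taken
from the post is the 80 ms hardware cost per guess; the one-hour delay and
the 10-attempt erase limit are the two protections the post describes.
All times are worst-case (exhaustive search) unless a function says otherwise.
"""
from fractions import Fraction

HARDWARE_MS_PER_GUESS = 80            # "80 milliseconds per guess, which is a hardware limit"
ERASE_AFTER_FAILURES = 10             # auto-erase after 10 bad guesses
ESCALATED_DELAY_MS = 60 * 60 * 1000   # the "hour between guesses"; assumed constant here

MS_PER_MINUTE = 60 * 1000
MS_PER_HOUR = 60 * MS_PER_MINUTE
MS_PER_DAY = 24 * MS_PER_HOUR
MS_PER_YEAR = 365 * MS_PER_DAY + 6 * MS_PER_HOUR   # 365.25 days


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passcodes of the given length over the alphabet."""
    return alphabet_size ** length


def exhaustive_ms(length: int, alphabet_size: int, extra_delay_ms: int = 0) -> int:
    """Worst-case milliseconds to try every candidate.

    With the court-ordered software only the 80 ms hardware cost remains
    (extra_delay_ms = 0); with the escalating delay left in place every
    guess additionally waits extra_delay_ms.
    """
    return keyspace(length, alphabet_size) * (HARDWARE_MS_PER_GUESS + extra_delay_ms)


def success_probability_before_erase(length: int, alphabet_size: int,
                                     attempts: int = ERASE_AFTER_FAILURES) -> Fraction:
    """Chance of hitting a uniformly random passcode before the device wipes.

    With auto-erase enabled the attacker gets `attempts` tries in total, so
    the probability is attempts / keyspace no matter how fast each try is.
    """
    return Fraction(attempts, keyspace(length, alphabet_size))


def human_duration(ms: int) -> str:
    """Render milliseconds in the largest convenient unit, one decimal place."""
    for unit_ms, name in ((MS_PER_YEAR, "years"), (MS_PER_DAY, "days"),
                          (MS_PER_HOUR, "hours"), (MS_PER_MINUTE, "minutes")):
        if ms >= unit_ms:
            return f"{ms / unit_ms:.1f} {name}"
    return f"{ms / 1000:.1f} seconds"


def cost_table() -> dict:
    """The post's two PIN rows plus the 6-character case for several alphabets.

    Alphabet sizes are assumptions: 10 digits, 26 lower-case letters,
    52 mixed-case letters, 62 alphanumeric, 95 printable ASCII.
    """
    rows = {
        "4 digit PIN": exhaustive_ms(4, 10),
        "6 digit PIN": exhaustive_ms(6, 10),
    }
    for size, label in ((26, "lower-case"), (52, "mixed-case"),
                        (62, "alphanumeric"), (95, "printable ASCII")):
        rows[f"6 char, {label} ({size})"] = exhaustive_ms(6, size)
    return {name: human_duration(ms) for name, ms in rows.items()}


if __name__ == "__main__":
    print("Hardware floor only (what the order asks Apple to reduce things to):")
    for name, duration in cost_table().items():
        print(f"  {name:32s} {duration}")
    print("\nSame 4-digit PIN with an hour between guesses:",
          human_duration(exhaustive_ms(4, 10, ESCALATED_DELAY_MS)))
    print("Chance of guessing a 4-digit PIN before auto-erase:",
          success_probability_before_erase(4, 10))
```

The two PIN rows reproduce the post's 13.3 minutes and 22.2 hours; the 6-character rows range from under a year to well over a thousand years depending on the alphabet, which is why the erase limit, not the per-guess speed, is what makes a short PIN defensible.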

Poland vs the United States: civil liberties

Post Syndicated from Michal Zalewski original http://lcamtuf.blogspot.com/2015/06/poland-vs-united-states-civil-liberties.html

This is the sixth article in a short series about Poland, Europe, and the United States. To explore the entire series, start here.

I opened my comparison of Poland and the US with the topic of firearm ownership. I decided to take this route in part because of how alien the US gun culture may appear to outsiders – and because of how polarizing and interesting the subject is. But in today’s entry, I wanted to take a step back and have a look at the other, more traditional civil liberties that will be more familiar to folks on the other side of the pond.

Before we dive in, it is probably important to note that the national ethos of the United States is very expressly built on the tradition of radical individualism and free enterprise – as championed by thinkers such as Milton Friedman, Friedrich Hayek, or Adam Smith. Of course, many words can be written about the disconnect between this romanticized vision and complex realities of entrepreneurship or social mobility in the face of multi-generational poverty – but the perception still counts: in much of Europe, the government is seen less as a guarantor of civil liberties, and more as a provider of basic needs. The inverse is more true in the US; the armed forces and small businesses enjoy the two top spots in institutional trustworthiness surveys; federal legislators come dead last. This sentiment shapes many of the ongoing political debates – not just around individual freedoms, but also as related to public healthcare or the regulation of commerce. The virtues of self-sufficiency and laissez-faire capitalism seem far more self-evident to the citizens of the US than they are in the EU.

With that in mind, it’s worthwhile to start the comparison with the freedom of speech. A cherished tradition in the western world, this liberty is nevertheless subordinate to a number of collectivist social engineering goals across the whole old continent; for example, strong prohibitions exist on the promotion of Nazi ideology or symbolism, or on the mere practice of denying the Holocaust. The freedom of speech is also broadly trumped by the right to privacy, including the hotly-debated right to be forgotten on the Internet. Other, more exotic restrictions implemented in several places in Europe include the prohibition against disrespecting the religious beliefs of others or insulting any acting head of state; in Poland, people have been prosecuted for hurling childish insults at the Pope or at the outgoing Polish president. Of course, the enforcement is patently selective: in today’s political climate, no one will be charged for calling Mr. Putin a thug.

The US takes a more absolutist view of the First Amendment, with many hate groups enjoying far-reaching impunity enshrined in the judicial standards put forward not by politicians, but by the unusually powerful US Supreme Court. The notion of “speech” is also interpreted very broadly, extending to many forms of artistic, religious, and political expression; in particular, the European niqab and burka bans would be patently illegal in the United States and aren’t even the subject of serious debate. The concept of homeschooling, banned or heavily regulated in some parts of Europe, is seen by some through the same constitutional prism: it is your right to teach your children about Young Earth creationism, and the right trumps any concerns over the purported social costs. Last but not least, there is the controversial Citizens United decision, holding that some forms of financial support provided to political causes can be equated with constitutionally protected speech; again, the ruling came not from the easily influenced politicians, but from the Supreme Court.

As an aside, despite the use of freedom-of-speech restrictions as a tool for rooting out anti-Semitism and hate speech in Europe, the contemporary US may be providing a less fertile ground for racism and xenophobia than at least some parts of the EU. The country still struggles with its dark past and the murky reality of racial discrimination – but despite the stereotypes, the incidence of at least some types of casual racism in today’s America seems lower than in much of Europe. The pattern is also evident in political discourse; many of the openly xenophobic opinions or legislative proposals put forward by European populist politicians would face broad condemnation in the US. Some authors argue that the old continent is facing a profound new wave of Islamophobia and hatred toward Jews; in countries such as Greece and Hungary, more than 60% of the population seems to be holding such views. In Poland, more than 40% say that Jews hold too much influence in business – a surreal claim, given that there are just several thousand Jews living in the country of 38 million. My own memories from growing up in that country are that of schoolkids almost universally using “you Jew!” as a mortal insult. The defacement of Jewish graves and monuments, or anti-Semitic graffiti, posters, and sports chants are far more common than they should be. It’s difficult to understand if restrictions on free speech suppress the sentiments or make them worse, but at the very least, the success of the policies is not clear-cut.

Other civil liberties revered in the United States, and perhaps less so in Europe, put limits on the ability of the government to intrude into private lives through unwarranted searches and seizures. Of course, the stereotypical view of the US is that of a dystopian surveillance state, epitomized by the recent focus on warrantless surveillance or secret FISA courts. But having worked for a telecommunications company in Poland, my own sentiment is that in Europe, surveillance tends to be done with more impunity, far less legal oversight, and without clear delineation between law enforcement and intelligence work. The intelligence community in particular is often engaged in domestic investigations against businesses, politicians, and journalists – and all across Europe, “pre-crime” policing ideas are taking hold.

In many European countries, citizens are not afforded powerful tools such as FOIA requests, do not benefit from a tradition of protected investigative journalism and whistleblowing, and can’t work with influential organizations such as the American Civil Liberties Union; there is also no history of scandals nearly as dramatic and transformative as Watergate. In the States, I feel that all this helped to create an imperfect but precious balance between the needs of the government and the rights of the people – and instill higher ethical standards in the law enforcement and intelligence community; it is telling that the revelations from Snowden, while exposing phenomenal and somewhat frightening surveillance capabilities of the NSA, have not surfaced any evidence of politically-motivated investigations or other blatant impropriety in how the capabilities are being used by the agency. The individualist spirit probably helps here, too: quite a few states and municipalities go as far as banning traffic enforcement cameras because of how they rob suspects of the ability to face the accuser in court.

When it comes to some other civil traditions that are sacrosanct in Europe, the United States needs to face justified criticism. The harsh and overcrowded penal system treats some offenders unfairly; it is a product of populist sentiments influenced by the crime waves of the twentieth century and fueled by the dysfunctional War on Drugs. While Polish prisons may not be much better, some of the ideas implemented elsewhere in Europe seem to make a clear difference. They are difficult to adopt in the States chiefly because they do not fit the folksy “tough on crime” image that many American politicians take pride in.

In the same vein, police brutality, disproportionately faced by the poor and the minorities, is another black mark for individual rights. The death penalty, albeit infrequent and reserved for most heinous crimes, stands on shaky moral grounds – even if it faces steady public support. The indefinite detention and torture of terrorism suspects, with the knowledge and complicity of many other European states, deserves nothing but scorn. Civil forfeiture is a bizarre concept that seems to violate the spirit of the Fourth Amendment by applying unreasonably relaxed standards for certain types of seizures – although in all likelihood, its days are coming to an end.

As usual, the picture is complex and it’s hard to declare the superiority of any single approach to individual liberties. Europe and the United States have much in common, but also differ in very interesting ways.

For the next article in the series, click here.
