Are you confused by the FBI vs Apple dispute regarding Syed Farook’s iPhone? I am.
In an excellent article published today, Cnet neatly summarized the delicate position in which Apple finds itself, following the issuance of a court order that compels Apple to help authorities unlock the iPhone 5c that was used by Islamic terrorist and mass murderer Syed Farook.
The nugget that surprises me is that the FBI appears to be preparing a brute force attack on this iPhone’s 256-bit AES encryption. This is a daunting task. To brute-force attack encrypted data that’s encrypted with AES-256, you need to try each of 2256 or 116,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000, 000,000,000,000,000,000 possibilities. That’s more than the number of atoms in the universe.
If Farook chose a strong passphrase, it could require thousands of years for most computers to decrypt his data. It appears that the FBI has serious horsepower to throw at this task.
Obviously, when your phone’s GPS receiver is on, your location within 30 feet or so is usually available.
There’s another way that remotes, your cellular service provider, 9-1-1 call centers [also known as Public Safety Answering Points (PSAPs)], and law enforcement can determine your phone’s location, even when your GPS is off, or even if your plain-Jane flip-phone has no GPS receiver. It’s called Uplink-Time Difference of Arrival U-TDOA). Here’s a brief simplified video description. Each cell tower has an antenna array with three or four 90 or 120 degree (when viewed from above) antenna sectors. Each tower knows, by comparing your phone’s received signal strength in each sector, which sector your phone is in. By measuring the propagation time for a “ping” to travel between the tower, your phone, and back again, it also knows the range to your phone. In a populated area your phone is likely to be talking with more than one tower, so all that’s needed is to know the bearing and range to your phone relative to two or more towers, and your location can be estimated within maybe a 100 foot radius. (You will be at the intersection of the two or more arcs.)
Even with only one tower talking to your phone, it knows that you are located somewhere along that 90 or 120 degree arc within the sector with the strongest signal. U-TDOA is used in Enhanced 9-1-1 Phase II systems so that first responders may be dispatched to wherever your cell phone is located when you place a 911 call for emergency assistance.
The only way to stop this is to remove the battery from your phone. (Oops. Sorry, iPhone users.) Switching it off won’t stop the communication. Switching it to Airplane Mode will prolly stop it, but there are no guarantees.
The latest celebrities’ accounts breaches underline these truths:
The “cloud” is an innocent-sounding word for what is in fact a computer that’s owned by someone else.
Security questions — used to reset an account’s forgotten password — are mere guessable passwords. Paris Hilton’s account was compromised because her security question was “What’s your pet’s name?”; her dog’s name is easily found by searching the web.
Use two-factor authentication when available
Use a unique password on each account
Use a password management program. I like Keepass.
I’m guessing that access was gained via Apple iCloud password reset procedures. It’s been done before.
While watching a Youtube video clip about the recovery of a stolen bicycle, I learned about Burner, a smartphone app that allows a smartphone user to temporarily mask his or her phone number with an alias phone number. It’s available for iPhones, but not yet for Android phones. (originally published on 31 December 2012. 9 July 2014: Burner is now available for Android phones, as well as IOS.)
Theft recovery seems like a perfect use for telephone anonymity. The victim, who’s a Portland, Oregon resident, responded to a Seattle Craigslist for sale ad for what seemed to be his stolen bike. He used Burner to make his phone calls appear to originate in Seattle.
We’ve asked the companies in our Who Has Your Back Program what they are doing to bolster encryption in light of the NSA’s unlawful surveillance of your communications. As of now, eight companies—Dropbox, Facebook, Google, Microsoft, Sonic.net, SpiderOak, Twitter,and Yahoo—are implementing five out of five of our best practices for encryption.
On Tuesday night, PBS broadcast a powerful Frontline two hour long piece about the NSA’s snooping into citizens’ electronic communications. They subtitled it “How the government came to spy on millions of Americans”. The second part will air next Tuesday. Watch it.
Edward Snowden spoke on Monday at South By Southwest via live Internet video. Presumably he was in Russia. His true location was obscured by a chain of seven proxies, which caused the audio quality to suffer from multiple echos. The best audio/video recording that I’ve found is this YouTube video. Mr. Snowden participated in a panel discussion of Internet privacy, security, and infringement of U.S. Constitutional rights.
The panel pointed out that not only is the NSA trampling on our right to freedom from unreasonable search and seizure, but so are commercial entities such as Google and Facebook. Seizing everything from everybody is clearly a violation of the Fourth Amendment.
The panel agreed that end-to-end encryption is the only way to ensure privacy.
When will intelligence chief James Clapper be indicted for lying under oath while testifying to Congress?
I listened to an October 10 Cato Institute Event during which Congressman Jim Sensenbrenner (R-Wis.), who authored the original Patriot Act, declared that ‘There has been a failure of oversight’. He’s authoring the “USA Freedom Act”, which (finally!) reins in the NSA, FBI, and other agencies who’ve violated the Fourth Amendment.
I can say that if Congress knew what the NSA had in mind in the future immediately after 9/11, the Patriot Act never would have passed, and I never would have supported it. We have to have a balance of security and civil liberties. What the NSA has done, with the concurrence of both the Bush and Obama administrations, is completely forgotten about the guarantees of civil liberties that those of us who helped write the Patriot Act in 2001 and the reauthorization in 2005 and 2006 had written the law to prevent from happening.
Here’s a good Guardian article on Sensenbrenner, the Patriot Act, and the “USA Freedom Act”.
Sensenbrenner’s awakening is fine, but he’s closing the barn door after the horses have fled. Non-American governments and companies are moving their data and services off of servers that are surveilled by US agencies and/or controlled by US courts. I don’t blame them. The NSA’s over-reach is killing the whole “cloud” idea — who in his right mind would move his data off of his own computers to servers that you know are being read by the US federal government?
Congress slept rather than oversee the NSA and FBI and now it’s waking up to its responsibilities. It’s too late, boys. The world is moving in a different direction and the US with its arrogant and naïve agencies isn’t aboard that train. You had your chance and you blew it.
Meanwhile, back in the trenches
Three movements are underway by computer security techies:
Internet tech organizations are moving the Internet out from under US oversight
Improvement of Internet security, eliminating any third parties in authentication protocols
Creation of a secure Internet ver 2.0. It may or may not be built upon the existing TCP/IP foundation.
ICANN, The World Wide Web Consortium, IETF, and other organizations are unhappy with NSA’s spying on users of the Internet. They plan to move the functions of ICANN (Internet Corporation for Assigned Names and Numbers) out from under US oversight.
One unintended consequence of the NSA and FBI’s lying, spying, and violation of citizens’ Fourth Amendment rights is that whatever governance the U.S. had over the Internet will be lost. It’s likely that China, Russia, Iran, et al will rush into the breach. This is not good news for an open Internet.
This is another story whose conclusion is that our federal government — in this case the FBI — has done its best to prevent American citizens from having any privacy. Rather than defend the Constitution and its Bill Of Rights that these guys swore they’d protect, they try to find ways to nullify it.
Do you find this depressing? Read on.
When presented with a demand to (1) turn over Lavabit’s security certificate to the feds and (2) allow them to tap Lavabit’s pipe to and from the Internet, Mr. Levison was free to say “No”. He had to shut down his service, but he could tell the feds to take a hike.
Larger corporations with publicly traded shares (this includes banks) don’t have that freedom. We can assume that AT&T, Verizon, Google, Facebook, Apple, et al, when presented with similar government demands, have caved. Their shareholders would demand it. (We KNOW that AT&T caved.) Therefore, that cozy closed hasp padlock symbol in your browser’s address bar means nothing when visiting a US-based company’s website. The federal government can see everything.
The NSA strikes again. Steve Gibson, in his Security Now podcast, yesterday revealed that RSA’s respected and popular BSAFE encryption library contains a serious weakness. Its default random number generator (RNG) isn’t especially random and was tweaked years ago by the NSA to provide them with a back door. RSA is the leading security software firm. Its products are used by most of the major software publishers — Microsoft, Apple, Google, et al. Programmers who use BSAFE may choose to use other (stronger) RNGs, but BSAFE’s default RNG is definitely weak, thanks to NSA’s tinkering.
Secure encryption requires that a unique large random number be used for each encryption. If the number is predictable, the encrypted data can be cracked. Providing truly random large numbers isn’t easy, since computers are if nothing else, deterministic machines. They produce pseudo-random numbers. Typically they seed the RNG with a small random number such as the interval between mouse clicks.
Observers fear that NSA’s actions such as this harm US software suppliers’ credibility. When a backdoor exists, not only is it available to its creator, but uninvited visitors may hammer on it, as well.
Colin Berkshire says No. Much of his argument assumes that the NSA has compromised root-level security certificates. In July he wrote a pessimistic article titled Does SSL equate to privacy?. An excerpt:
If you are concerned about keeping communications private from commercial eavesdroppers, then 256 bit security is relatively effective. . . but, if you want to have privacy from government the story is entirely different. You have no privacy whatsoever.