Court Order to Apple to Unlock San Bernardino iPhone May Unlock Hackers

A judge’s order that Apple cooperate with federal authorities in the San Bernardino bombing investigation may have serious unintended consequences. There are no easy answers. Once more, a broad dialog is required.

Scales of Justice Previously I opined about how a dialog should occur between policy makers and the technical community over encryption. The debate has moved on. Now, the New York Times reports that federal magistrate judge Sheri Pym has ordered Apple to facilitate access to the iPhone of Syed Rizwan Farook, one of the San Bernardino bombers. The Electronic Frontier Foundation is joining Apple in fight against the order.

The San Bernardino fight raises both technical and policy questions.

Can Apple retrieve data off the phone?

Apparently not. According to the order, Apple is required to install an operating system that would allow FBI technicians to make as many password attempts as they can without the device delaying them or otherwise deleting any information. iPhones have the capability of deleting all personal information after a certain number of authentication failures.

You may ask: why doesn’t the judge just order Apple to create an operating system that doesn’t require a password? According to Apple, the password used to access the device is itself a key encrypting key (KEK) that is used to gain access to decrypt the key that itself then decrypts stored information. Thus, bypassing the password check doesn’t get you any of the data. Thus, the FBI needs the password.

What Apple can do is install a new operating system without the permission of the owner. There are good reasons for them to have this ability. For one, it is possible that a previous installation failed or that the copy of the operating system stored on a phone has been corrupted in some way. If technicians couldn’t install a new version, then the phone itself would become useless. This actually happened to me, personally, as it happens.

The FBI can’t build such a version of the operating system on their own. As is best practice, iPhones validate that all operating systems are properly digitally signed by Apple. Only Apple has the keys necessary to sign imagines.

With a new version of software on the iPhone 5c, FBI technicians would be able to effect a brute force attack, trying all passwords, until they found the right one. This won’t be effective on later model iPhones because their hardware slows down queries, as detailed in this blog.

Would such a capability amount to malware?

Kevin S. Bankston, director of New Americas Open Technology Institute has claimed that the court is asking Apple to create malware for the FBI to use on Mr. Farook’s device. There’s no single clean definition of malware, but a good test as to whether the O/S the FBI is asking for is in fact malware is this: if this special copy of the O/S leaked from the FBI, could “bad guys” (for some value of “bad guys”) also use the software against the “good guys” (for some value of “good guys”)? Apple has the ability to write into the O/S a check to determine the serial number of the device. It would not be possible for bad guys to modify that number without invalidating the signature the phone would check before loading. Thus, by this definition, the software would not amount to malware. But I wouldn’t call it goodware, either.

Is a back door capability desirable?

Unfortunately, here there are no easy answers, but trade-offs. On the one hand, one must agree that the FBI’s investigation is impeded by the lack of access to Mr. Farook’s iPhone, and as other articles show, this case is neither the first, nor will it be the last, of its kind. As a result, agents may not be able to trace leads to other possible co-conspirators. A Berkman Center study claims that law enforcement has sufficient access to metadata to determine those links, and there’s some reason to believe that. When someone sends an email, email servers between the sender and recipient keep a log that a message was sent from one person to another. A record of phone calls is kept by the phone company. But does Apple keep a record of FaceTime calls? Why would they if it meant a constant administrative burden, not to mention additional liability and embarrassment, when (not if) they suffer a breach? More to the point, having access to the content on the phone provides investigators clues as to what metadata to look for, based on what applications were installed and used on the phone.

If Apple had the capability to access Mr. Farook’s iPhone, the question would then turn to how it would be overseen. The rules about how companies handle customer data vary from one jurisdiction to another. In Europe, the Data Privacy Directive is quite explicit, for instance. The rules are looser in the United States. Many are worried that if U.S. authorities have access to data, so will other countries, such as China or Russia. Those worries are not unfounded: a technical capability knows nothing of politics. Businesses fear that if they accede to U.S. demands, they must also accede to others if they wish to sell products and services in those countries. This means that there’s billions of dollars at stake. Worse, other countries may demand more intrusive mechanisms. As bad as that is, and it’s very bad, there is worse.

The Scary Part

If governments start ordering Apple to insert or create malware, what other technology will also come under these rules? It is plain as day that any rules that apply to Apple iPhones would also apply to Android-based cell phones. But what about other devices, such as televisions? How about Refrigerators? Cars? Home security systems? Baby monitoring devices? Children’s Toys? And this is where it gets really scary. Apple has one of the most competent security organizations in the world. They probably understand device protection better than most government clandestine agencies. The same cannot be said for other device manufacturers. If governments require these other manufacturers to provide back door access to them, it would be tantamount to handing the keys to all our home to criminals.

To limit this sort of damage, there needs to be a broad consensus as to what sorts of devices governments should be able to access, under what circumstances that access should happen, and how that access will be overseen to avert abuse. This is not an easy conversation. That’s the conversation Apple CEO Tim Cook is seeking. I agree.

Bernie Sanders For President

Bernie Sanders will change the course of American politics. By making clear what his moral positions are, he will lead the country away from three decades of failed right wing policies, providing a clear Democratic vision.

Today I’m endorsing Senator Bernie Sanders for president of the United States.

Both candidates would make infinitely better leaders than any of the Republican choices. Both derive their positions from deep experience, both as executives and legislators. Both believe in a strong collaborative foreign policy as opposed to Republican isolationism. Former Secretary Clinton has amazing intellectual capacity. The many unfair attacks against her speak more about the character of those doing the attacking. She would make an excellent president.

However, we need someone who will not lead us from the supposed center, but who instead will effect a tectonic shift of the center, who will have no truck with those who would settle for status quo. For over thirty years, America has been misled by Republican leaders to believe that public investment in infrastructure and government oversight is somehow wrong. The poisoned water in Flint Michigan was no accident, but the result of neglect. That same neglect threatens our food supply and the very air we breath. Thirty years of neglect of our school systems have caused teachers to walk away from an honorable profession, dividing our country into two classes- those who can afford a decent education, and those who cannot. If we want to put an end to that, someone must lead us away from the oncoming climate disaster, and from rule by religion that the Christian Right has enjoyed for too long.

Mrs. Clinton would only hold the presidency, and lead from the current center. She seeks to build incrementally on President Obama’s policies. Mr. Sanders has an opportunity not only to capture the White House, but to establish a firm Democratic vision that will reform the party. In so doing he would take a wrecking ball, not to our infrastructure as the Republican leaders have, but to the failed Republican practice of allowing a good Fox News sound bite full of falsehoods dictate policy. America needs to begin to correct the damage that has been caused. That’s where the center needs to be, and that is where I believe Mr. Sanders will take us.

Poll: Sanders or Clinton?

Who would you rather have as the next president?

Like many other Democrats I am looking at the two main candidates, Senator Bernie Sanders and Former Secretary of State Hilary Clinton, and I am very close to making a decision on who to support. I am very interested in hearing what friends have to say about who they think wold make the better president.

Who would make the better president?

Senator Sanders (76%, 13 Votes)
Hilary Clinton (24%, 4 Votes)

Total Voters: 17

Loading ...

The poll is closed, but feel free to leave a comment.

U.N. renews IGF and World Summit for the Information Society

For those who haven’t been following the party, the United Nations has had an effort for the last decade called the World Summit on the Information Society (WSIS). This ongoing activity was up for renewal this year. While the Internet technology provides us so much, many we face many challenges. They include access to the technology, security, and human rights. WSIS addresses itself to these challenges. The UNGA decided to continue this effort for another 10 years. As part of this renewal process, the mandate of the Internet Governance Forum (IGF) was extended for another 10 years as well. At the same time, the UNGA is taking a conservative approach toward government involvement by not trying to supplant the enormous efforts of those who do the work today.

As a community, we could have done a lot worse. ISOC president Kathy Brown and her team, Ambassador Daniel Sepulveda, Marian Gordon, Chip Sharp, Chris Fair, Dominique Lazanski, Avri Doria, Bill Drake, Chris Buckridge, George Sadowsky Veni Markovski, Vint Cerf, Robert Pepper, and many others who were in the room are to be congratulated for their hard work, not only in the room, but beyond. I personally am very impressed with ISOC’s outreach effort in region, and how that has impacted these sorts of discussions.

Within the industry we need to recognize that women are the exception to the rule at the edge of the technology development cycle. I want much better for my daughter. Also, as we head toward over 50 billion devices being connected, the Internet of Things must be secured. The architecture needs lots more work to do that. Today many endpoint devices do not have well bound names, even. At the same time, the quality of code needs to improve, which is a particular challenge in many places. Human rights is another area on which we are only just scratching the surface. And yes, we must continue to struggle engage all stakeholders, including governments. The IGF itself really needs work. It needs funding, and we need to find a way to meet the challenge set by the UNGA in terms of identifying positive outcomes.

Yes, we all truly have a lot to do, and yet these challenges present many opportunities for innovation at many levels. I’m excited to be working in this space now.

Closing the Cultural Chasm on Crypto

Mercutio I like to say that engineers make lousy politicians and politicians make lousy engineers. When we each try to do the other one’s job, it’s time to admit that we have a problem.

Even before the Paris attacks, the British Prime Minister David Cameron was already reacting to Apple and Google refusing to hold in escrow encryption keys necessary to decrypt data on their devices. In the wake of those attacks, the UK, the FBI and CIA directors have increased the drum beating. At the same time, some members of the technical community have come to conclude that the sun shines out of the posterior of Edward Snowden, and that all government requirements are illegitimate. This came to a remarkable climax in July when Snowden appeared at an unofficial event at the Internet Engineering Task Force (IETF) meeting in Prague.

A lot of the current heat being generated is over the notion of key escrow, where someone holds encryption keys such that private communications can be accessed under some circumstances, such as life or death situations or when a crime has been committed.

Now is the perfect time for both sides to take a deep breath, and to take stock of the current situation.

1. We cannot say whether any sort of encryption rules would have prevented the Paris attacks.

There are conflicting reports about whether or not the terrorists used encryption. What might have been is impossible to know, especially when we do not intimately know the decision makers, at least some of whom are now dead. We do know that Osama bin Laden refused to use a cell phone long before any of the Snowden revelations were made. He knew that he was being watched, and he knew that he had a technical disadvantage as compared to the U.S. eyes in the sky. It is a sure bet that even if these attackers didn’t use encryption, some attackers in the future will.

On the other hand, we also know that people tend to not secure their communications, even when the ability to do so is freely available. As a case and point, even though it has been perfectly possible to encrypt voice and email communications for decades, both continue to this day, and have been instrumental in unraveling the Petrobras scandal that rattled the Brazilian government.

2. Encryption is hard.

We’ve been trying to get encryption right for many decades, and still the best we can say is that we have confidence that for a time, the best encryption approaches are likely to be secure from casual attacks, and that is only when those approaches are flawlessly implemented. A corollary to this point is that almost all software and hardware programs have vulnerabilities. The probability of discovery of a vulnerability in any deployed encryption system approaches 100% over time. Knowing this, one test policy makers can apply regarding key escrow is whether they themselves would be comfortable with the inevitability that their most private personal communications being made public, or whether they would be comfortable knowing that some of their peers at some point in the future will be blackmailed to keep their communications private.

To make matters worse, once a technology is deployed, it may be out there for a very long time. Windows 95 is still out there, lurking in the corners of the network. It’s important to recognize that any risk that legislation introduces may well outlast the policy makers who wrote the rules. Because we are dealing with the core of Internet security, a “go slow and get it right” approach will be critical.

3. There are different forms of encryption, and some are easier to “back door” than others.

When we speak of encryption let us talk of two different forms: encryption of data in flight, such as when a web server sends you information or when you and your friends communicate on Skype, and encryption of data at rest, such as the files you save on your disk, or the information stored in your smart phone or tablet. Many enterprises implement key escrow mechanisms today for data at rest.

Escrowing keys of data in flight introduces substantial risks. Each communication uses session keys that exist for very short periods of time, perhaps seconds, and then are forgotten or destroyed. Unlike data at rest, escrowing of keys for encryption of data in flight has not been done at scale, and has barely been done at all. To retain such keys or any means to regenerate them would risk allowing anyone – bad or good – to reconstruct communications.

4. Engineers and scientists are both advisers and citizens. Policy makers represent the People.

It has been perfectly possible for Russia and the United States to destroy the world several times over, and yet to date policy makers have stopped that from happening. Because something is possible doesn’t necessarily mean it is something we do. Even for data at rest, any time a private key is required anywhere in the system it becomes a focal point for attack. But new functionality often introduces fragility. The question of whether it is worth fragility is inherently political and not technical.

The technical community that consists of scientists and engineers serve a dual role when it comes to deciding on the use of technology for a given purpose. First, they can advise policy makers as to the limits and tradeoffs of various technology. Members of the technical community are also citizens who have political views, just like other citizens. It’s important for that they make clear which voice they are speaking with.

Screen Shot 2015-11-19 at 2.47.37 PM RFC 1984 famously makes the point that there is an inherent challenge with key escrow, that if one country mandates it, then other countries can also mandate it; and that there will be conflicts as to who should hold the keys and when they should be released. Those questions are important, and they are inherently political as well. To the left is a Venn diagram of just a handful of countries- the United States, Iran, China, and France. Imagine what that diagram would look like with 192 countries.

Professor Lawrence Lessig famously wrote that code (as in computer code) is law. While it is true in a natural sense that those who develop the tools we use can limit their use by their design, it is also the case that, to the extent possible, in a democratic society, it is the People who have the last word on what is law. Who else should get to decide, for instance, how members of society behave and how that behavior should be monitored and enforced? Who should get to decide on the value of privacy versus the need to detect bad behavior? In a democracy the People or their elected representatives make those sorts of decisions.

5. Perfect isn’t the goal.

Any discussion of security by its very nature involves risk assessment. How much a person spends on a door lock very much depends on the value of the goods behind the door and the perceived likelihood of attacker trying to open that door.

Some people in the technical community have made the argument that because bad guys can re-encrypt, no escrow solution is appropriate. But that negates the entire notion of a risk assessment. I suspect that many law enforcement officials would be quite happy with an approach that worked even half the time. But if a solution only works half the time, is it worth the risk that is introduced by new components in the system that include new central stores for many millions of keys? That is a risk assessment that needs to be considered by policy makers.

6. No one is perfectly good nor perfectly evil.

By highlighting weaknesses in the Internet architecture, Edward Snowden showed the technical community that we had not properly designed our systems to withstand pervasive surveillance. Whether we choose to design such a system is up to us. The IETF is attempting to do so, and there is good reason for that logic: even if you believe that the NSA is full of good people, if the NSA can read your communications, then others can do it as well, and may be doing so right now. And some of those others are not likely to fit anyone’s definition of “good”.

On the other hand, while it is beyond an open secret that A fallen angel governments spy on one another, Snowden’s release of information that demonstrated that we were successfully spying on specific governments did nothing more than embarrass those governments and harm U.S. relations with their leaders. Also, that the NSA’s capability was made public could have contributed to convincing ISIS to take stronger measures, but as I mentioned above, we will never know.

So What Is To Be Done?

History tells us that policy made in a crisis is bad. The Patriot Act is a good example of this. So too was the internment of millions of Americans of Japanese descent in World War II. The birth of the Cold War gave birth of a new concept: McCarthyism.

And so my first bit of advice is this: let’s consult and not confront one another as we try to find solutions that serve the interests of justice and yet provide confidence in the use of the Internet. Policy makers should consult the technical community and the technical community should provide clear technical advice in return.

Second, let’s acknowledge each others’ expertise: people in law enforcement understand criminology. The technical community understands what is both possible and practicable to implement, and what is not. Policy makers should take all of this into account as they work with each of these communities and their constituents to find the right balance of interests.

Third, let’s recognize that this is going to take a while. When someone asserts that something is impossible or impracticable, we are left with research questions. Let’s answer them. Let’s be in it for the long haul and invest in research that tests what is possible and what is not. While not ultimate proof, researching various approaches will expose their strengths and weaknesses. Ultimate proof comes in the form of experience, or as my friends in the IETF like to say, running code. Even if we get beyond the technical issues involved with escrow, policy makers will have to answer the question as to who gets to hold the keys such that people can be reasonably assured that they’re only being released in very limited circumstances. That’s likely to be a challenging problem in and of itself.

Fourth, the law of unintended consequences applies. Suppose policy makers find common cause with a specific group of countries. The other countries are still going to want a solution. How will businesses cater to one group of countries but not another? Policy makers need to be aware that any sort of key escrow system may put businesses in an impossible situation.

Finally I would be remiss if I didn’t make clear that everyone has a stake in this game. Citizens are worried about privacy; governments are worried about security; industry is concerned about delivering products to market in a timely fashion that help the Internet grow and thrive. Bad guys also have interests. Sometimes we end up assisting them when we strike balances. What is important is that we do this consciously, and that when necessary, we correct that balance.