“Travel “naked” as one encryption expert told me. If any government wants your information, they will get it no matter what,” she adds.
Something has gone terribly awry if this is the advice that journalists working for international news outlets are giving to those entering or exiting the United States.
Adding encryption you control inside an iMessage transmission can provide more assurances that your messages remain unreadable to others, but there a whole lot of provisos you need to consider before accepting this as a higher level of security.
It’s nice to see reviewers of applications present the concerns, first, before what might be nice about new ‘security’ apps. Namely that crypto is hard to do, not all crypto is the same, and there are basic questions concerning the reliability of the companies providing the security assurance.
More broadly, that applications can route double-encrypted messages through Apple Messages will not necessarily enhance security but, instead, mean that comunications are only as secure as the application applying the second layer of security. Apple is a great big target that everyone wants to penetrate and so Apple hires terrific technical and legal staff to keep government and others at bay. Can we expect that app developers selling encryption apps for a dollar or two will possess an equivalent commitment and competency?
I’ve come to see encryption as the natural extension a computer scientist can give a democracy. A permeation of the simple assurance that you can carry out your life freely and privately, as enshrined in the constitutions and charters of France, Lebanon as well as the United States. To take away these guarantees doesn’t work. It doesn’t produce better intelligence. It’s not why our intelligence isn’t competing in the first place. But it does help terrorist groups destroy the moral character of our politics from within, when out of fear, we forsake our principles.
If we take every car off the street, every iPhone out of people’s pockets and every single plane out of the sky, it wouldn’t do anything to stop terrorism. Terrorism isn’t about means, but about ends. It’s not about the technology but about the anger, the ignorance that holds a firm grip over the actor’s mind.
Nadim’s explanation of what encryption is used for, and his correlates between using encryption or automobiles for terror-related activties, is amongst the clearest I’ve read. It’s worth the 5-7 minutes it’ll take you to read.
Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open:
Microsoft has inadvertently demonstrated the intrinsic security problem of including a universal backdoor in its software after it accidentally leaked its so-called “golden key”—which allows users to unlock any device that’s supposedly protected by Secure Boot, such as phones and tablets.
The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled.
And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse.
There’s a lot that can be said about this absolute debacle. I’ll restrain myself to two things:
Also: remember when Apple said they didn’t, and would vigorously fight, any effort to backdoor their operating systems? Microsoft’s absolutely failure to secure the cryptographic material is just one rationale behind Apple’s security posture.
We have never had absolute privacy in this country. Cars, safe deposit boxes, our apartments, our houses, even the contents of our minds—any one of us, in appropriate circumstances, can be compelled to say what we saw. We have never lived with large swaths of our life off limits, where judicial authority is ineffective. That is something we need to talk about. I don’t think the FBI should tell people what to do. I don’t think tech companies should tell people what to do. The American people need to decide.
James Comey, Director of the FBI
The problem is that Comey is simply wrong: the state has never held absolute power over citizens. The 5th Amendment in the United States guarantees a right to avoid testifying against oneself. Our devices are now so personalized with our communciations, thoughts, banking, business, and life that they are functionally a self-testamonial about our lives.
Moreover, even when some evidence is unavailable – be it because authorities don’t know to look for it, or cannot find it – that doesn’t immediately mean that a case is terminated. Instead, a range of powers as well as alternate charges can be brought to bear. And the price of a democracy is that, sometimes, authorities cannot bring charges against people they suspect but cannot prove may have broken the law. This restraint on state power is a core feature of liberal democratic governance and is a restraint that needs to be maintained so that we can all enjoy our freedoms.
Meet Moxie Marlinspike, the Anarchist Bringing Encryption to All of Us:
In March, Brazilian police briefly jailed a Facebook exec after WhatsApp failed to comply with a surveillance order in a drug investigation. The same month, The New York Times revealed that WhatsApp had received a wiretap order from the US Justice Department. The company couldn’t have complied in either case, even if it wanted to. Marlinspike’s crypto is designed to scramble communications in such a way that no one but the people on either end of the conversation can decrypt them (see sidebar). “Moxie has brought us a world-class, state-of-the-art, end-to-end encryption system,” WhatsApp cofounder Brian Acton says. “I want to emphasize: world-class.”
For Marlinspike, a failed wiretap can mean a small victory. A few days after Snowden’s first leaks, Marlinspike posted an essay to his blog titled “We Should All Have Something to Hide,” emphasizing that privacy allows people to experiment with lawbreaking as a precursor for social progress. “Imagine if there were an alternate dystopian reality where law enforcement was 100 percent effective, such that any potential offenders knew they would be immediately identified, apprehended, and jailed,” he wrote. “How could people have decided that marijuana should be legal, if nobody had ever used it? How could states decide that same-sex marriage should be permitted?”
We live in a world where mass surveillance is a point of fact, not a fear linked with dystopic science fiction novels. Moxie’s work doesn’t blind the watchers but it has let massive portions of the world shield the content of their communications – if not the fact they are communicating in the first place – from third-parties seeking to access those communications. Now unauthorized parties such a government agencies are increasingly being forced to target specific devices, instead of the communications networks writ large, which may have the effects of shifting state surveillance from that which is mass to that which is targeted. Such a consequence would be a major victory for all persons, regardless of whether they live in a democratic state or not.
But researchers from two-factor authentication service Duo Security told Ars that an estimated 37 percent of all the Android phones that use the Duo app remain susceptible to the attack because they have yet to receive the patches. The lack of updates is the result of restrictions imposed by manufacturers or carriers that prevent end users from installing updates released by Google.
Beyond hacks, Beniamini said the design makes it possible for phone manufacturers to assist law enforcement agencies in unlocking an encrypted device. Since the key is available to TrustZone, the hardware makers can simply create and sign a TrustZone image that extracts what are known as the keymaster keys. Those keys can then be flashed to the target device.
And double yikes: do we now need to get phone manufacturers to release transparency reports that indicate whether they’ve compromised devices after receiving requests to do so from law enforcement agencies?
Encryption: Officials seek ‘backdoor’ entry points; critics decry government overreach:
In other words, University of Toronto’s Chris Parsons wrote on Twitter, “you either support backdoors, or you support the murderers and child abuser.”
…
“I think that each company will have to evaluate the corporate risks associated with implementing any backdoors,” Mr. Parsons, a postdoctoral fellow who studies privacy and security at Citizen Lab, a division of the university’s Munk School of Global Affairs, told The Washington Times this week.
“While satisfying U.S. and U.K. government authorities might (temporarily) relieve pressure, the companies would suffer tremendous international criticism and suspicion were they to undermine the security of their products,” he continued, adding that a likely plummet in profits, if nothing else, “will buttress corporate principles and force companies (on their shareholders’ behalfs) to maintain their current security stances.”
…
Neither Google nor Apple has publicly responded yet to this week’s op-ed, but Mr. Parsons in Toronto says that it’s so far been promising to hear that law enforcement can’t crack a type of encryption that now comes standard.
“To a certain degree, it is reassuring that consumer-level encryption is sufficiently robust that even state authorities find it challenging to break. People and businesses entrust highly sensitive information and capabilities to their devices, and so this affirmation confirms that criminals who steal devices will have similar difficulties in using these against their owners,” he told The Times.
But it’s also reassuring, he added, “because the adoption of these strong standards is a result of companies acknowledging that law enforcement and other state agencies are overreaching in their access to customer data,” including federal and local security and law enforcement groups.
“Legal protections have simply not kept up with the people’s privacy expectations, and the adoption of these strong standards is an encouraging sign that companies are responding accordingly,” he said. “The reality is that, while this may close off one avenue of investigation to state agencies, these agencies now have access to more information with fewer legal restrictions than at any time in recent history.”
Pakistan Is Ordering Telecom Companies to Ban BlackBerry Encrypted Messaging:
The government of Pakistan is “requesting” that three telecom companies stop providing BlackBerry’s encrypted messaging services to customers, according to documents obtained by civil rights group Bytes for All Pakistan.
…
“This demonstrates, at a policy level, that a very large government is willing to ban communications if they can’t gain access to it,“ said Chris Parsons, a post-doctoral fellow at digital rights group Citizen Lab.”Maybe it’s just Pakistan, and nobody else will do it, but it’s certainly a strong change to, ‘If we can’t backdoor it, then we will ban it,’” he added.
Forgive me for sounding a little paranoid, but I’ve had the rainbows ripped from my eyes. Last fall, I signed up to work on a CBC investigation into Canada’s electronic spying programs, relying on the CBC’s exclusive access to the Edward Snowden/NSA leaks. It has been shocking to learn the capabilities of our intelligence agencies. But it has also been a surprising crash course in new technology, privacy and vital questions facing the future of journalism.
…
But surveillance risks go beyond reporters covering foreign conflicts, terrorism or spies, notes Christopher Parsons of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, who has helped the CBC dissect the Canadian Snowden documents. “Sports reporters might be less interesting to signals intelligence organizations but might still be very interesting to other sporting organizations, criminal betting organizations and so forth.”
…
“Malware and spyware infect computers across Canada on a regular basis; what do you do when your work computer, holding audio or text files pursuant to a sensitive story, has been compromised?” asks Parsons. “Do you want to notify sources? Do you want to have an ‘air gapped’ computer, which is disconnected from the Internet, where you store source materials, and another computer or device for writing your stories?”
These are awkward questions. No news organization wants to publicly admit its electronic communications are vulnerable. Frankly, I’ve never had a single conversation with the CBC’s IT people about whether we’ve been hacked or compromised, let alone been told what we do specifically to protect sensitive information. And it’s vital, because so much of our email and work these days lives in the cloud.
Excited Pixels