Tuesday, April 26, 2016

Sometimes Even Smart People Need to STFU & Listen

I listened to a http://debatesofthecentury.org/ debate on encryption tonight between CNN's Fareed Zakaria and Edward Snowden. Zakaria had the position that the US should mandate backdooring encryption to allow government access to communication and Snowden had the position that backdooring encryption makes everyone less secure. My feelings on this topic are clear if you read my blog already but I wanted to discuss some other issues brought up tonight.

For the record, I think Zakaria is a reasonably intelligent fellow and a good debater. I don't see him much on TV anymore as I haven't watched CNN in years. Sorry, I just can't take a "news" organization seriously that openly discusses black holes as potential causes for MH-370 going missing. But let's cut to the chase. Sometimes even smart people need to shut up and listen. Zakaria came across as an imbecile to anyone with a conceptual understanding of how cryptography works. To make it more maddening he seemed to be quite proud of the fact that he couldn't tell the difference between software development and cryptography. He persisted in arguing from authority saying essentially that Bill Gates == Technologist and Bill Gates == Supporter of Backdoors so Backdoors == Good. QED.

Unfuckingbelievable. Yes, you read that right. Zakaria doesn't need to understand the math behind crypto because Bill Gates. An operating system developer turned business mogul is not the same thing as an expert in cryptography. They are very separate things. Should we also assume that the owner of Home Depot is an expert in building Swiss chalets because he sells hammers? The clown show didn't end there though. Zakaria went on to ramble about how if you write encryption software that there is no reason why you can't simply "undo" someone's cipher text. I mean, why not, you implemented the cryptosystem right? It was probably at this point that my head exploded or I just suffered a minor stroke.

Sadly, in my altered mental state I could still hear Fareed talking and the hits just kept on coming. He talked about American banks and Swiss banks. In particular he argued that if the US passes laws mandating backdoors Americans will not simply use crypto from other countries. Why not, you ask? Because it's just like in banking where American laws didn't force all Americans to switch to Swiss banks, according to Fareed. The problem here seemed obvious to me but was certainly lost on the debater. 30 years ago banking was a much more in person sort of affair. Americans didn't start using Swiss banks in large numbers because of the inconvenience of locations separated by an ocean. On the Internet though that's no longer an issue. If I can get another, more secure product from another country I will be using it. Why? Because it's too damn easy not to. Is it just me? This isn't hard, right?

Zakaria also had an opinion on patching. Surprise. He thinks that if the FBI finds a vulnerability in a US product they shouldn't report it to the vendor. Why not? Because it shouldn't be their job to make Apple better, again according to him. To recap, this guy is arguing that security is of paramount importance to our nation and if one measly vuln can get the FBI access to one extra cell phone where there may or may not be evidence of something then certainly it is worth putting the security of 300,000,000 other Americans at risk. What doesn't make sense about that? Snowden pointed out that Obama had used a Blackberry that had a known vuln which would have allowed the Canadians access to it to point out the importance of responsibly reporting vulns to vendors. Zakaria responded with something along the lines of, "Colgate should not have to report a problem with toothpaste to the president either." Snowden smartly followed up immediately with a, "Should Colgate let the president know if the flaw was fatal?" Zakaria stipulated to that. Then Snowden with his best point of the night said that, (again paraphrasing) "Vulns are poison to computers on the Internet."

I thought Snowden was particularly effective in the Colgate argument as he showed a willingness to mix it up with the overmatched Zakaria. My one complaint with Snowden was that he was too civil during the debate. I thought he let a lot of bullshit go unchecked to try and keep it civil. I appreciate this but when you have a bullshitter spewing bullshit someone needs to call them out for it. And this is why this debate was both good and terrible. It's good to expose people to these discussions. But very bad to give someone viewed as smart and credible as Fareed Zakaria such a platform to spread such an ignorant opinion.

Saturday, March 26, 2016

You Can Not Have Freedom Without Security

I recently watched a 60 Minutes piece from Lesley Stahl where she discussed the terror attack in Paris with a French prosecutor. The prosecutor bemoaned ISIS using the popular app, "Telegram" which has the capacity to provide end-to-end encryption for messaging on the Internet. He used several of the same arguments law enforcement in the United States uses when discussing encryption, such as law enforcement is going dark, there needs to be a balance, terror communication is a black hole, etc. Pretty standard the sky is falling type of arguments.

As a former Special Agent from the pre popular encryption apps era, I was amazed at the amount of information law enforcement was able to access in this new digital world. People think very little before putting something online and it is often there for all to see for an indefinite time. The advent of computers and smart phones has given law enforcement far more information and investigative leads than ever could have been imagined even just 10 years ago. While encryption limits some of this overall it is still a huge net gain of visibility by law enforcement. After the Snowden leaks it should be surprising to no one that private citizens are increasingly concerned about their own privacy.

I served many search warrants in my law enforcement capacity. Something that most people do not think about is just how private the nature of photographs is. For instance, I have gone through dozens of people's houses during the execution of warrants and while it is certainly an invasion of privacy for the affected individual, it pales in comparison to going through someone's private pictures found on the same search warrant. I will never forget going through a man's house from top to bottom, including all of his and his wife's underwear drawers, with several other agents and not finding what we were looking for. However, we did come across a stash of private pictures he had of himself and his wife in many different sexual positions. Mind you these photos had nothing to do with the execution of the warrant. Yes, looking at someone's personal pictures on a search warrant where I was authorized to also go through their underwear drawers was the most I ever invaded someone's privacy. To make matters worse in this case, other agents left a particular picture they found of the man's wife engaging in fellatio with him on his table so the wife would know that we had looked at them. This was meant to embarrass her and to put her on notice that her privacy had been severely violated.

This always pissed me off. A lot of folks I worked with in law enforcement behaved in a manner such as this, very short on respect for many of the people they were investigating. Not all law enforcement officers were like this but there was no shortage of them either. When some want to pretend that law enforcement will act responsibly with the most sensitive private data belonging to someone I hope they will think of this story. Cops are people too and people do stupid shit. Encryption is a way to keep assholes out of your stuff. Think about the pictures, banking information, texts, email, etc you have on your own cell phone. It would be a phenomenal intrusion of your privacy should it be breached. I would argue, even a bigger invasion than merely serving a search warrant on a house because of the nature of the data being stored on phones nowadays. A cell phone and the data in it really gives someone a window into your innermost thoughts and beliefs.

People should want to keep this sensitive data protected. Encryption by its mathematical nature is binary. It is secure or it is not. A backdoor cannot be provided only to law enforcement without seriously undermining the security of the device. There is no magic golden key or any other means to make your device secure from everyone except law enforcement. I didn't agree with all of Justice Antonin Scalia's legal decisions but there is something he got exactly right. In Arizona v. Hicks in 1987 he said,

"There is nothing new in the realization that the Constitution sometimes insulates the criminality of a few in order to protect the privacy of us all." 

I can think of nothing more appropriate in this recent debate over encryption. Ironically, at the end of the Stahl segment in which she and the French prosecutor were clearly on the side of magically getting law enforcement more access to encrypted communication they closed with, "You Can Not Have Freedom Without Security". This was to suggest that police need to have access to our smart phones in order for us to live in a free and functioning society. What they missed is that those of us on my side of the argument would say the same thing. We can not enjoy the great things the Internet has to offer without security. The only way that security is currently possible is with strong encryption. Encryption either works or it doesn't. It is the classic Yoda, do or do not. You can not have freedom without security. Indeed.

Thursday, March 24, 2016

An Open Letter to Cryptophobes


Before beginning, I should point out a couple of things. One, I am a computer security professional. This can mean a lot of things as it's a very broad domain. So I will revise that to say I received my MS in Computer Science because of my thesis work on breaking a fingerprint crypto-system. It is fair to say that I know more than the average security bear about encryption. Frankly, it is what I find to be the most interesting of all security topics so I am passionate about it as well. Additionally, I will add that I was a Special Agent for the Department of Homeland Security in what seems like another lifetime now. What this means is that I had oodles more training in Constitutional law than your average security pro or crypto fiend. Constitutional law is also something I get excited about. Now that you know these things about me you can imagine how quickly my blood pressure rises when I get going about the FBI v. Apple shenanigans. It is with this in mind that I am posting a recent email I received from someone that I think is representative of what a lot of folks think and my response to it. The person that sent me the initial email has needled me for years over computer security so my response isn't one to just any random person on the street. It should be viewed as a frustrated response to someone that I have tried to educate on the subject on previous tries. Enjoy.

Patrick,

I am going to open myself up to a lot of grief here but this Apple thing has been driving me crazy.

I am not an Apple fan. To me Steve Jobs played games with his product line very much like IBM did in the ‘60’s, ‘70’s, ‘80’s and even into the ‘90’s, namely trying to keep all competition off their product line. Whether it was software or hardware. Yes, they had a fine product but to me open access brings about a healthy competition which makes the overall product better for the consumer and for the industry in general. One problem with open access is it can be more vulnerable to hacking. Due to its control methods and its smaller user base, Apple wasn’t getting hacked as much as Microsoft and PC’s.

If Apple wanted to remain low on the hacker radar, they should have quietly had the FBI hand over the phone and given it back to them with a new password.  By blowing this whole thing up in the press, they basically threw out a challenge to the hacking community saying “we dare you to find a way into our device”.   How arrogant and foolish of them to think it could not be done.   Next time I bet they will be a lot more cooperative with the Feds when they come knocking.


Sincerely,

John


John,

Your naivety on this topic is jarring. First, open access almost always leads to more secure products. Security by obscurity is a myth. Open source code is more secure over time and always will be. It's the nature of the beast. When people can see what's going on under the technical covers it results in better and more secure solutions being implemented. Apple products have not historically gotten hacked as much primarily because of economics. Windows systems are far more insecure and it's what the majority use so that's where intrusion effort goes. But to say this is the only reason is silly.

"If Apple wanted to remain low on the hacker radar, they should have quietly had the FBI hand over the phone and given it back to them with a new password." This is beyond absurd. I think you have been watching too much Fox News or CNN to get this argument. Apple would have gladly accepted this scenario. The FBI wouldn't let them because they always wanted this case to set a precedent. As such, if the FBI had won in court (they wouldn't have by the way) they would have a back door into any Apple product running that version of iOS. If the FBI had that capability then so would every scumbag hacker as well as every repressive government in the world. A couple of other points here. One, if the FBI didn't have technical morons working for them they had all of the tools needed to get into the phone at the onset of the investigation. Those idiots screwed it up so that they needed someone else to get into the phone because of how they mishandled the device in its original state.

This is not the same as picking a lock. This is creating a key that unlocks every door in the world. Further, to suggest that Apple wanted to blow this up in the media is equally asinine. Again, the US government chose to have this fight to set precedent. This phone, which will yield 0 evidence, was not requested to be back-doored by the FBI for more than 50 days after San Bernardino (must have been a real emergency). The powers that be were trying to capitalize on a terror attack to further their power. Nothing more. Apple, as every security person with half a brain, knows that there is no infallible security technology. Measures are designed to merely buy time. We are always just weeks or months from the newest exploit subverting our privacy and digital security. The US government took up a losing fight and just got embarrassed by their own ineptitude.

As Apple and people like myself said since day 1, someone would find a way in and the government shouldn't be compelling a software company to write code. Do you know that the Supreme Court has already ruled that software code is protected free speech? How do you feel about the US government compelling someone to make a certain kind of speech they don't want to make? I am sure that would be very popular in North Korea but I for one, support the 1st and 4th amendments. At the end of the day the US government and sadly most Americans do not understand computer security, especially encryption. It is my hope that changes over time but in the meantime it should be terrifying to everyone that only a company with the resources of Apple could stand up to an unconstitutional and moronic request from the government. Frankly, there are not many, if any, serious computer security experts that support the FBI in this. As you probably wouldn't read any papers from experts as they can be exceedingly dull why don't you take a look at this from John Oliver. It is only about 15 minutes and really explains rather elegantly the problem with what the FBI is trying to do here.


Patrick