The FBI Can Bypass Encryption: Cyber Security Is a Magic Act

Encryption has gained the attention of actors on both sides of the mass surveillance debate. For example, in a speech at the Brookings Institution, FBI Director James Comey complained that strong encryption was causing U.S. security services to “go dark.” Comey described encrypted data as follows:

“It’s the equivalent of a closet that can’t be opened, a safe deposit box that can’t be opened, a safe that can’t ever be cracked.”

Got that? Comey essentially says that encryption is a sure bet. Likewise, during an interview with James Bamford, whistleblower Ed Snowden confidently announced that:

“We have the means and we have the technology to end mass surveillance without any legislative action at all, without any policy changes… By basically adopting changes like making encryption a universal standard—where all communications are encrypted by default—we can end mass surveillance not just in the United States but around the world.”

If you glanced over the above excerpts and took them at face value you’d probably come away thinking that all you needed to protect your civil liberties is the latest encryption widget. Right? Wow, let me get my check book out! Paging Mr. Omidyar…

Not so fast bucko. There’s an important caveat, some fine print that Ed himself spelled out when he initially contacted film director Laura Poitras. In particular Snowden qualified that:

“If the device you store the private key and enter your passphrase on has been hacked, it is trivial to decrypt our communications.”

This corollary underscores the reality that, despite the high profile sales pitch that’s being repeated endlessly, strong encryption alone isn’t enough. Hi-tech subversion is a trump card, as the Heartbleed bug graphically illustrated. In light of the NSA’s mass subversion programs it would be naïve to think that there aren’t other critical bugs like Heartbleed, subtle intentional flaws, out in the wild being leveraged by spies.

The FBI’s Tell

James Comey’s performance at Brookings was an impressive public relations stunt. Yet recent history is chock full of instances where the FBI employed malware like Magic Lantern and CIPAV to foil encryption and identify people using encryption-based anonymity software like Tor. If it’s expedient the FBI will go so far as to impersonate a media outlet to fool suspects into infecting their own machines. It would seem that crooks aren’t the only attackers who wield social engineering techniques.

In fact the FBI has gotten so adept at hacking computers, utilizing what are referred to internally as Network Investigative Techniques, that the FBI wants to change the law to reflect this. The Guardian reports on how the FBI is asking the U.S. Advisory Committee on Rules and Criminal Procedure to move the legal goal posts, so to speak:

“The amendment [proposed by the FBI] inserts a clause that would allow a judge to issue warrants to gain ‘remote access’ to computers ‘located within or outside that district’ (emphasis added) in cases in which the ‘district where the media or information is located has been concealed through technological means’. The expanded powers to stray across district boundaries would apply to any criminal investigation, not just to terrorist cases as at present.”

In other words the FBI wants to be able to hack into a computer when its exact location is shrouded by anonymity software. Once they compromise the targeted machine it’s pretty straightforward to install a software implant (i.e. malware) and exfiltrate whatever user data they want, including encryption passwords.

If encryption is really the impediment that director Comey makes it out to be then why is the FBI so keen to amend the rules in a manner which implies that they can sidestep it? In the parlance of poker this is a “tell.”

Denouncement

As a developer who has built malicious software designed to undermine security tools I can attest that there is a whole burgeoning industry which preys on naïve illusions of security. Companies like Hacking Team have found a lucrative niche offering products to the highest bidder that compromise security and… a drumroll please… defeat encryption.

There’s a moral to this story. Cryptome’s own curmudgeon, John Young, prudently observes:

“Protections of promises of encryption, proxy use, Tor-like anonymity and ‘military-grade’ comsec technology are magic acts – ELINT, SIGINT and COMINT always prevail over comsec. The most widely trusted and promoted systems are the most likely to be penetrated, exploited, spied upon, successfully attacked, covertly compromised with faults hidden by promoters, operators, competitors, compromisers and attackers all of whom warn against the others while mutually benefiting from continuous alarms about security and privacy.”

When someone promises you turnkey anonymity and failsafe protection from spies, make like that guy on The Walking Dead and reach for your crossbow. Mass surveillance is a vivid expression of raw power and control. Hence what ails society is fundamentally a political problem with economic and technical facets, such that safeguarding civil liberties on the Internet will take a lot more than just the right app.

by Bill Blunden via Cryptome.org

October 31, 2014

Bill Blunden is an independent investigator whose current areas of inquiry include information security, anti-forensics, and institutional analysis. He is the author of several books, including The Rootkit Arsenal and Behold a Pale Farce: Cyberwar, Threat Inflation, and the Malware-Industrial Complex. Bill is the lead investigator at Below Gotham Labs.

Encryption Becomes Illegal In the UK: Jail Time For Failure To Provide Keys

There was some surprise in the comments of yesterday’s post over the fact that the United Kingdom has effectively outlawed encryption: the UK will send its citizens to jail for up to five years if they cannot produce the key to an encrypted data set.

First of all, references – the law is here. You will be sent to jail for refusing to give up encryption keys, regardless of whether you have them or not. Five years of jail if it’s a terrorism investigation (or child porn, apparently), two years otherwise. It’s fascinating – there are four excuses that keep coming back for every single dismantling of democracy. It’s terrorism, child porn, file sharing, and organized crime. You cannot fight these by dismantling civil liberties – they’re just used as convenient excuses.

We knew that this was the next step in the cat-and-mouse game over privacy, right? It starts with the government believing they have a right to interfere with any one of your seven privacies if they want to and find it practical. The next step, of course, is that the citizens protect themselves from snooping – at which point some bureaucrat will confuse the government’s ability to snoop on citizens’ lives for a right to snoop on citizens’ lives at any time, and create harsh punishments for any citizens who try to keep a shred of their privacy. This is not a remotely dystopic scenario; as we see, it has already happened in the UK.

But it’s worse than that. Much worse. You’re not going to be sent to jail for refusal to give up encryption keys. You’re going to be sent to jail for an inability to unlock something that the police think is encrypted. Yes, this is where the hairs rise on our arms: if you have a recorded file with radio noise from the local telescope that you use for generation of random numbers, and the police ask you to produce the decryption key to show them the three documents inside the encrypted container that your radio noise looks like, you will be sent to jail for up to five years for your inability to produce the imagined documents.

But wait – it gets worse still.

The next step in the cat-and-mouse game over privacy is to use steganographic methods to hide the fact that something is encrypted at all. You can easily hide long messages in high-resolution photos today, just to take one example: they will not appear to contain an encrypted message in the first place, but will just look like a regular photo until decoded and decrypted with the proper key. But of course, the government and police are aware of steganographic methods, and know that pretty much any innocent-looking dataset can be used as a container for encrypted data.

So imagine your reaction when the police confiscate your entire collection of vacation photos, claim that your vacation photos contain hidden encrypted messages (which they don’t), and send you off to jail for five years for being unable to supply the decryption key?

This is not some dystopic pipe dream: this law already exists in the United Kingdom.

 

SOURCE: Falkvinge.net

Appeals Court: No Forced Decryption

Privilege Against Self-Incrimination Applies to Act of Decrypting Data

San Francisco – A federal appeals court has found a Florida man’s constitutional rights were violated when he was imprisoned for refusing to decrypt data on several devices. This is the first time an appellate court has ruled the 5th Amendment protects against forced decryption – a major victory for constitutional rights in the digital age.

In this case, titled United States v. Doe, FBI agents seized two laptops and five external hard drives from a man they were investigating but were unable to access encrypted data they believed was stored on the devices via an encryption program called TrueCrypt. When a grand jury ordered the man to produce the unencrypted contents of the drives, he invoked his Fifth Amendment privilege against self-incrimination and refused to do so. The court held him in contempt and sent him to jail.

The Electronic Frontier Foundation (EFF) filed an amicus brief under seal, arguing that the man had a valid Fifth Amendment privilege against self-incrimination, and that the government’s attempt to force him to decrypt the data was unconstitutional. The 11th U.S. Circuit Court of Appeals agreed, ruling that the act of decrypting data is testimonial and therefore protected by the Fifth Amendment. Furthermore, the government’s limited offer of immunity in this case was insufficient to protect his constitutional right, because it did not extend to the government’s use of the decrypted data as evidence against him in a prosecution.

“The government’s attempt to force this man to decrypt his data put him in the Catch-22 the 5th Amendment was designed to prevent – having to choose between self-incrimination or risking contempt of court,” said EFF Senior Staff Attorney Marcia Hofmann. “We’re pleased the appeals court recognized the important constitutional issues at stake here, and we hope this ruling will discourage the government from using abusive grand jury subpoenas to try to expose data people choose to protect with encryption.”

A similar court battle is ongoing in Colorado, where a woman named Ramona Fricosu has been ordered by the court to decrypt the contents of a laptop seized in an investigation into fraudulent real estate transactions. EFF also filed a friend of the court brief in that case, arguing that Fricosu was being forced to become a witness against herself. An appeals court recently rejected her appeal, and she has been ordered to decrypt the information this month.

“As we move into an increasingly digital world, we’re seeing more and more questions about how our constitutional rights play out with regards to the technology we use every day,” said EFF Staff Attorney Hanni Fakhoury. “This is a case where the appeals court got it right – protecting the 5th Amendment privilege against self-incrimination.”

John Doe was represented by Chet Kaufman of the Federal Public Defender’s Office in Tallahassee.

For the full court ruling:
https://www.eff.org/document/opinion

Contacts:

Marcia Hofmann
Senior Staff Attorney
Electronic Frontier Foundation

Hanni Fakhoury
Staff Attorney
Electronic Frontier Foundation