When the DOJ announced that the FBI may have miraculously found a way in to Syed Farook's work iPhone after swearing to a court that such a thing was impossible, many people zeroed in on the possibility of "NAND Mirroring" as the technique in question. After all, during a Congressional hearing, Rep. Darrell Issa had gone fairly deep technically (for a Congressperson, at least) in asking FBI Director James Comey if the FBI had tested such a method. Well-known iPhone forensics guru Jonathan Zdziarski wrote up a good blog post explaining why such a technique was the most likely. While recognizing that there are other possibilities, he does a good job breaking down why none of the other possibilities are all that likely, given a variety of facts related to the case (I won't go through all of that -- just go read his post). It's worth a read. It also has a nice quick explanation of NAND mirroring:
This is where the NAND chip is typically desoldered, dumped into a file (likely by a chip reader/programmer, which is like a cd burner for chips), and then copied so that if the device begins to wipe or delay after five or ten tries, they can just re-write the original image back to the chip. This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying. Only instead of playing a game, they’re trying different pin combinations.
However, on Friday, we noted that FBI Director James Comey was already denying this was the method, saying that it "doesn't work." The FBI also "classified" the method in question which raised some additional eyebrows. Either way, Zdziarski was pretty sure that Comey's claim that NAND mirroring doesn't work was bogus:
FBI Director Comey, in a press conference, claims the NAND technique “doesn’t work”; this says more about the credibility of this information than anything. Every expert I’ve consulted (including three hardware forensics firms) believe it works, and multiple firms are still in the process of validating the technique. The amount of time to prep and test this technique alone is proving greater than the month that we’ve been discussing it – it’s very unlikely that any reputable source could have already discredited this method, given how much time and effort it is taking everyone else to fully flesh out and test it. When asked directly if the FBI tried this technique, Comey dodged the question and replied (on the topic of “chip copying”), “I don’t want to say beyond that”, indicating the FBI hadn’t tried it. This speaks volumes about how flippantly the FBI is willing to discount viable methods endorsed by numerous researchers.
This is a simple “concept” demonstration / simulation of a NAND mirroring attack on an iOS 9.0 device. I wanted to demonstrate how copying back disk content could allow for unlimited passcode attempts. Here, instead of using a chip programmer to copy certain contents of the NAND, I demonstrate it by copying the data using a jailbreak. For Farook’s phone, the FBI would remove the NAND chip, copy the contents into an image file, try passcodes, and then copy the original content back over onto the chip.
I did this here, only with a jailbreak: I made a copy of two property lists stored on the device, then copied them back and rebooted after five attempts. When doing this on a NAND level, actual blocks of encrypted disk content would be copied back and forth, whereas I’m working with files here. The concept is the same, and serves only to demonstrate that unlimited passcode attempts can be achieved by back-copying disk content. Again, NO JAILBREAK IS NEEDED to do this to Farook’s device, as the FBI would be physically removing the NAND to copy this data.
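As an added illustration (not Zdziarski's demonstration and not code from the original post), the Python model below shows why an attempt limit fails when the counter lives on storage that can be rewritten, and why keeping the counter and key state in tamper-resistant hardware defeats the rollback. The class, the function names and the 4-digit passcode are constructed for this example, and the model is a deliberate simplification, not Apple's implementation.

```python
import copy

MAX_ATTEMPTS = 10  # wipe threshold in this model (the "ten tries" mentioned above)


class ModelDevice:
    """Toy device (hypothetical). `nand` is everything an image dump would contain."""

    def __init__(self, passcode, counter_in_secure_hw):
        self._passcode = passcode
        self.counter_in_secure_hw = counter_in_secure_hw
        self.nand = {"data_key": "wrapped-key", "failed_attempts": 0}
        # State held off the NAND: never part of a dumped image, so a
        # rewrite of the storage cannot roll it back.
        self._hw_failed_attempts = 0
        self._hw_key_valid = True

    def _failed_attempts(self):
        if self.counter_in_secure_hw:
            return self._hw_failed_attempts
        return self.nand["failed_attempts"]

    def _record_failure(self):
        if self.counter_in_secure_hw:
            self._hw_failed_attempts += 1
        else:
            self.nand["failed_attempts"] += 1
        if self._failed_attempts() >= MAX_ATTEMPTS:
            self.nand["data_key"] = None        # wipe the key on storage
            if self.counter_in_secure_hw:
                self._hw_key_valid = False      # and invalidate it in hardware

    def is_wiped(self):
        return self.nand["data_key"] is None or not self._hw_key_valid

    def try_passcode(self, guess):
        if self.is_wiped():
            return "wiped"
        if guess == self._passcode:
            return "unlocked"
        self._record_failure()
        return "wiped" if self.is_wiped() else "wrong"

    def dump_nand(self):
        return copy.deepcopy(self.nand)

    def restore_nand(self, image):
        self.nand = copy.deepcopy(image)


def rollback_test(device, guesses, restore_every=5):
    """Design check: does the attempt limit survive rewriting a saved image?

    Saves one image up front, rewrites it after every `restore_every`
    guesses, and returns (outcome, guesses_made).
    """
    image = device.dump_nand()
    made = 0
    for guess in guesses:
        if made and made % restore_every == 0:
            device.restore_nand(image)
        made += 1
        outcome = device.try_passcode(guess)
        if outcome != "wrong":
            return outcome, made
    return "exhausted", made


if __name__ == "__main__":
    guesses = [f"{n:04d}" for n in range(10000)]  # constructed sample input
    for in_hw in (False, True):
        dev = ModelDevice("0042", counter_in_secure_hw=in_hw)
        print("counter in secure hardware:", in_hw, rollback_test(dev, guesses))
```

In the first configuration the counter is part of the image, so it never gets past five and the limit is never enforced; in the second the rewrite restores the storage but not the hardware counter, and the limit holds.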
Elsewhere Zdziarski also points out that, despite the FBI insisting that it was reaching out to everyone who might be able to help, none of the top researchers in the space have been approached by the FBI (and apparently a few who reached out the other way were rebuffed). Once again, it looks like whatever the FBI is doing with the phone, it's not being particularly upfront with the public (or, potentially, the courts).
While there are 10 (known) cases covering 13 Apple devices that the DOJ is asking Apple to help unlock, there are two "big ones" that are receiving most of the focus: the big one in San Bernardino, which has been put on hold as the FBI claims it may have actually found a way into the phone, and the one in NY where magistrate judge James Orenstein wrote a wonderful rejection letter for the DOJ's request. The Justice Department has appealed that decision, and the case has been handed over to Judge Margo Brodie.
As in the San Bernardino Matter, the DOJ argues in this case that an All Writs Act order is appropriate because Apple’s assistance is necessary to effectuate the search warrant issued by the Court.... (“[T]he government cannot access the contents of the phone and execute the warrant without Apple’s assistance.”); .... (“The government does not have any adequate alternatives to obtaining Apple’s assistance.”). This is a disputed issue. Judge Orenstein concluded in his opinion that the government “failed to establish that the help it seeks from Apple is necessary” as required by New York Telephone.... Apple expects to similarly contest the necessity requirement in connection with the DOJ’s application to this Court.
The iPhone in this case runs an older operating system (iOS 7) than the iPhone in the San Bernardino Matter (iOS 9). Regardless of what the DOJ concludes regarding whether the method being evaluated in San Bernardino works on the iPhone here, it will affect how this case proceeds. For example, if that same method can be used to unlock the iPhone in this case, it would eliminate the need for Apple’s assistance. On the other hand, if the DOJ claims that the method will not work on the iPhone here, Apple will seek to test that claim, as well as any claims by the government that other methods cannot be used.
The outcome of the DOJ’s evaluation will not be known until April 5, when the DOJ submits its status report in the San Bernardino Matter. In the interim, both the Court and the parties lack sufficient information to determine the most appropriate way for this matter to proceed. Going forward without such information would be highly inefficient.
It's becoming increasingly clear that the DOJ and Apple's lawyers are not very happy with each other. Elsewhere in the letter:
The government indicated that it did not oppose a fourteen day extension of Apple’s deadline to respond to the government’s application for an All Writs Act order, but did not want to join in Apple’s rationale for such request. The government further indicated that after Apple filed its letter, the government would review and consider how to respond.
There is an important point here: hacking into an iPhone 4S running iOS 7 is a lot easier than an iPhone running iOS 9. While the DOJ has used this to argue that Apple should absolutely be willing to help in this case, it actually plays against the DOJ's argument, because it should be much easier for the FBI to figure out a way in without help from Apple, because the protections in iOS 7 were much weaker (iOS 8 is where things got much trickier).
Either way, these court battles have a long, long way to go.
from the the-fed's-Big-Brother-program:-'adopt'-a-domestic-agency! dept
The FBI announced (without going into verifiable detail) that it had implemented new minimization procedures for handling information tipped to it by the NSA's Prism dragnet. Oddly, this announcement arrived nearly simultaneously with the administration's announcement that it was expanding the FBI's intake of unminimized domestic communications collected by the NSA.
So, which was it? Was the FBI applying more minimization or was it gaining more raw access? The parties involved have so far refused to offer any further details on either of the contradictory plans, save for vague assurances about the lawfulness of both options.
We respectfully request you confirm whether the NSA intends to routinely provide intelligence information -- collected without a warrant -- to domestic law enforcement agencies. If the NSA intends to go down this uncharted path, we request that you stop. The proposed shift in the relationship between our intelligence agencies and the American people should not be done in secret. The American people deserve a public debate. The United States has a long standing principle of keeping our intelligence and military spy apparatus focused on foreign adversaries and not the American people.
The letter points out that while Congress has granted the NSA "extraordinary authority" to conduct warrantless surveillance and harvest massive amounts of data, it has not done so for domestic intelligence and law enforcement agencies. But that deliberate limitation of powers has been undone by the administration's expansion. It may be indirect -- requiring the assistance of the NSA -- but it accomplishes the same purpose: giving warrantless surveillance and bulk collection powers to domestic agencies by proxy.
The letter -- sent to the heads of a variety of Congressional committees -- pulls no punches in its comparative depiction of this overreach.
We believe allowing the NSA to be used as an arm of domestic law enforcement is unconstitutional. Our country has always drawn a line between our military and intelligence services, and domestic policing and spying. We do not -- and should not -- use U.S. Army Apache helicopters to quell domestic riots; Navy Seal Teams to take down counterfeiting rings; or the NSA to conduct surveillance on domestic street gangs.
What's most amazing about the administration's move is that it followed -- directly -- two and a half years of NSA document leaks, their accompanying protests, lawsuits and backlash, the passage of the USA Freedom Act and an intense debate over the lawfulness of the PATRIOT Act. Add to that the fact that it was dropped right in the middle of a heated legal battle that has shown the FBI to be both grasping for power and incapable of telling the truth -- and it clearly shows the administration is so insulated from the collateral damage of a decade-plus of constantly expanding surveillance powers as to be completely unable to detect shifts in tone.
Boback showed off a document, apparently from a senior executive of a Fortune 500 company, listing every acquisition the company planned to make -- along with how much it was willing to pay. Also included in the document were still-private details about the company's financial performance. Boback also showed numerous documents listing Social Security numbers and other personal details on 24,000 patients at a health care system, as well as FBI files, including surveillance photos of an alleged Mafia hit man that were leaked while he was on trial.
Boback was stealthily pitching his company's P2P monitoring service. During this hearing, he also claimed to have come across documents containing details about the President's helicopter on an Iranian computer.
Boback may have overplayed his hand. There were no discussions about purchases of his software. But there were discussions about legislation banning the use of P2P software on government computers.
A year before Boback's mob-and-helicopter show in front of Congress, Tiversa was trying to get LabMD to buy its services. It claimed to have found a document containing thousands of LabMD's customers' information while monitoring P2P traffic. When LabMD refused to sign a contract with Tiversa, it took the info to the FTC. The FTC went after LabMD. But the data breach details Tiversa handed to the FTC were bogus.
“The possibility that inaccurate information played a role in the FTC’s decision to initiate enforcement actions against LabMD is a serious matter,” said Chairman Issa in today’s letter. “The FTC’s enforcement actions have resulted in serious financial difficulties for the company. Additionally, the alleged collaboration between the FTC and Tiversa, a company which has now admitted that the information it provided to federal government entities—including the FTC—may be inaccurate, creates the appearance that the FTC aided a company whose business practices allegedly involve disseminating false data about the nature of data security breaches.”
The letter continues: “Further, the Committee has received information from current and former Tiversa employees indicating a lack of truthfulness in testimony Tiversa provided to federal government entities. The Committee’s investigation is ongoing, and competing claims exist about the culpability of those responsible for the dissemination of false information. It is now clear, however, that Tiversa provided incomplete and inaccurate information to the FTC.”
Among this new information was the testimony of Richard Wallace, a former employee of Tiversa. As Wallace explained, the general business model of Tiversa was to fake a data breach, then approach a potential customer with a sales pitch and a threat to turn them over to the FTC if they refused to purchase Tiversa's protection. LabMD told Tiversa to beat it, which Boback didn't appreciate. From Wallace's testimony:
Q. Did Mr. Boback have a reaction to LabMD's decision not to do business with Tiversa?
Q. And what was that reaction?
A. Do I say it?
MS. BUCHANAN: Answer the question.
THE WITNESS: He basically said f--- him, make sure he's at the top of the list.
According to the Congressional investigation, not only did Tiversa engage in corporate blackmail, but it faked metadata so it could claim sensitive documents had spread much further than they actually had. It also approached "affected" users directly, hoping to provoke reluctant companies into buying its services.
One of the customers it sought was the US government. But Tiversa lied to it as well. The supposed sensitive document it traced back to an Iranian computer? Sure, the document existed. But Tiversa could provide no proof that it had ever resided on that computer.
Federal agents are investigating whether cyber-security firm Tiversa gave the government falsified information about data breaches at companies that declined to purchase its data protection services, according to three people with direct knowledge of the inquiry.
The Federal Bureau of Investigation raided Tiversa’s Pittsburgh headquarters in early March and seized documents, the people said.
The Justice Department’s criminal investigation of Tiversa began after Richard Wallace, a former Tiversa employee, alleged in a 2015 Federal Trade Commission hearing that the cybersecurity firm gave the agency doctored evidence purporting to prove corporate data breaches, the people said.
When asked whether any others were involved in the kind of fraud Boback is allegedly being investigated for, the source stated that “it was always between Bob (Boback) and Rick (Wallace). Not too many people realized what was going on. Now people are looking into the data.” And the more they look into things, the source claims, the more they uncover in the way of lies and Boback asking or directing employees to falsify findings. The source later told DataBreaches.net that he was aware of one other instance where allegedly Boback asked someone to have multiple files spread to multiple IP addresses. It is not clear to DataBreaches.net whether that employee – whose identity is unknown to DataBreaches.net – ever cooperated with that request.
Was the claim to Congress and the media about plans for Marine 1 being found on an Iranian IP a lie, DataBreaches.net asked? “Yes,” was the simple answer.
“You have to understand that Tiversa had a great technology that is the real deal but RB fucked it up. Greed. Above the law, untouchable,” the source tells DataBreaches.net.
The DOJ's move isn't surprising, considering the allegations in the House Oversight Committee's report. The problem now is what to do about the FTC, which relied on tips from Tiversa to go after nearly 100 companies for supposed data breaches.
One would hope that if more concerns about Tiversa become public, then to the extent the FTC relied upon Tiversa at all for any investigation, they will do some internal contemplation about their methods and the need to independently investigate and verify third-party representations. Would FTC v. LabMD ever have happened if not for Tiversa? I seriously doubt it.
So now that there's been a little time to process the Justice Department's last minute decision to bail out on the hearing in the San Bernardino case, claiming it was because some mysterious third party had demonstrated a way to hack into Syed Farook's iPhone, it's becoming increasingly clear that (1) the DOJ almost certainly lied at some point in this case and (2) this move was almost entirely about running away from a public relations battle that it was almost certainly losing (while also recognizing that it had a half-decent chance of also losing the court case). Just replace "Sir Robin" with "the DOJ" in the following video.
That said, there are still some things to clear up. First, did the DOJ lie? It seems pretty obvious that it must have. After all, it insisted earlier in the case, multiple times, that it had "exhausted" all other possibilities and "the only" way to get into the phone was with Apple's help. That's certainly raised some eyebrows:
The DOJ and its supporters, of course, will argue that "new shit has come to light, man," but that seems... doubtful. My first thought was that when the FBI said that it had been alerted to a way in over the weekend, it potentially was using the announcement from researchers at Johns Hopkins about a flaw in iMessage encryption. If so, that would be particularly bogus, since everyone admits that the vulnerability found would not apply to this case.
However, there's now a ton of speculation going around about the likely method (and the likely third party) that the FBI is probably using, involving copying the storage off the chip and then copying it back to brute force the passcode without setting off the security features or deleting the data. But, again, this possible solution isn't really new. Just a few weeks ago, during a Congressional hearing, Rep. Darrell Issa quizzed FBI Director James Comey about this very technique (which was so deep in the technical weeds, that many reporters and other policy folks were left scratching their heads):
That video is worth watching, because Director Comey insists, pretty clearly, that there is no way to get into the phone:
Comey: We wouldn't be litigating it if we could [get in ourselves]. We've engaged all parts of the US government to see 'does anyone have a way -- short of asking Apple to do it -- with a 5c running iOS 9 to do this?' and we do not.
At that point Issa starts asking really technical questions about whether the FBI can't remove the data from the phone to make copies of the storage, put it with the encryption chip, try passcodes, and then reflash the memory before the 10 chances are used up -- thus brute forcing the passcode without setting off the security features. As Issa notes:
If you haven't asked that question, how can you come before this committee and before a federal judge and demand that somebody else invent something if you can't answer the question that your people have tried this? ... I'm asking who did you go to? Have you asked these questions? Because you're expecting to get an order and have somebody obey something they don't want to do and you haven't even figured out if you can do it yourself.
Comey is clearly befuddled by the questions and basically says that he's sure that his people must have thought about this, but he assumes that they're watching and if they haven't thought of this then they'll test it out. But, really, a few people had suggested similar things early on, so if that is the solution then it only adds weight to the idea that the FBI didn't do everything it could possibly do before running to the judge.
Others have questioned the "two week" timeframe for the DOJ to issue a status report to the court, noting that a brand new solution would almost certainly take much longer to test thoroughly before using it on the iPhone in question.
And then there's the other question: if the FBI really has tracked down a new "vulnerability" in Apple's encryption... will it tell Apple about it so that Apple can patch it? Remember, the White House has told the various parts of the federal government that they should have a "bias" towards revealing the flaws so they can be patched... but leaving a "broad exception for 'a clear national security or law enforcement need.'" It's pretty clear from how the DOJ has acted that it believes this kind of hole is a "law enforcement need."
So, if the FBI really did figure out a vulnerability in Apple's encryption, it probably won't actually reveal it -- but I'd imagine that Apple's security engineers are scrambling just the same to see if they can patch whatever flaws there may be here, because that's their job. And, again, that gets back to the point here: there are always some vulnerabilities in encryption schemes, and part of the job of security folks is to keep patching them. And one of the worries with the demand for backdoors is that they introduce a whole bunch of vulnerabilities that they're then not allowed to patch.
Either way, the DOJ's actions here are highly questionable, and it seems pretty clearly an attempt to save face in this round. But the overall fight is far from over.
While the DOJ may be thinking about ways to weasel out of the San Bernardino fight with Apple, the underlying fight about backdooring encryption remains. The DOJ may focus on other cases, such as the one in NY, where the facts line up a bit more in its favor, or elsewhere. Or we may soon see legislation to backdoor encryption.
We've seen so much confusion and misinformation going around, that I thought it might be useful to create a short "explainer video" that shows why this is such a big deal, and why everyone should be supporting Apple, in this case, against the Justice Department (and against any legislation that requires backdoors). Please check it out and share it.
This is the kind of thing we'd like to do a lot more of, but it takes a fair bit of time to get ready. If you like this and would like to see us do more videos like this, please support our crowdfunding campaign that ends this week...
More evidence of Stingray obfuscation has been uncovered in Milwaukee. What appeared at first to be a bog standard court order for tracking of a suspect using a cell phone provider's own "network equipment" actually appears to be something else. The ACLU was already involved in this case, arguing that such tracking by cell phone providers only be available with a warrant. But as it dug into the specifics, it became obvious the tracking had not been performed by the cell provider.
As we read through documentation from the case, however, we began to suspect that something else was going on. It appears that police secretly used a cell site simulator, also known as a Stingray, to track the phone, but successfully concealed that fact from the defense and the court.
Our suspicion was first raised because police initially did not disclose to the defendant that they had located him by tracking his phone, only revealing it at an evidentiary hearing. In reports prepared after the defendant’s arrest, police officers used oddly vague language to explain how they located him: one officer merely wrote that law enforcement had “obtained information” about the defendant’s location; another said that police “obtained information from an unknown source” about where he was. This sounded to us a lot like the kind of intentionally ambiguous language used by police across the country to hide their Stingray use.
Like every other law enforcement agency with a Stingray device in its possession, the Milwaukee PD had signed a nondisclosure agreement with the FBI. This "allowed" it to withhold the information from courts and defendants. But cracks in the NDA appeared and a prolific FOIA filer was able to pry loose documents detailing MPD's use of cell tower spoofers.
Last fall, privacy activist Mike Katz-Lacabe obtained a list of 579 investigations in which the Milwaukee Police Department used Stingrays. (Here are Mike’s public records request and MPD’s response letter). That previously unpublicized list includes an entry for a case that matches the date and description of this one: an October 28, 2013, apprehension of a “fugitive” “related to [an] FBI roundup.”
In a letter sent to James Comey (who kind of has a lot on his plate already, tbh), the Congress members demand to know why the FBI is actively hiding information about these tracking devices from the public.
The FBI’s stated reason for secrecy was that disclosing the existence of the capabilities may allow “the subject of investigation wherein this equipment/technology is used to employ countermeasures to avoid detection by law enforcement.” But certainly not lost on the FBI was the fact that secrecy shields the technology from debate and inevitable controversy. Courts could not review its constitutionality. The public could not debate the merits and costs of the technology and what limitations might be appropriate. While this type of secrecy may be appropriate in the national security context, it is entirely inappropriate in the context of law enforcement where citizens have the constitutional right to challenge the government’s evidence against them.
We are not prejudging the outcome of the debate over the use of Stingray technology, but we categorically denounce the use of nondisclosure agreements that limit the ability of the public and of courts to debate the merits of the technology and to implement limits they may deem appropriate.
The letter acknowledges that the FBI has recently backed away from supporting its own NDAs. The FBI's last statement on the matter basically said the NDAs should not be read as saying exactly what they say: that information about Stingray usage should be hidden from everyone, if possible. It also expressed mild disbelief that the agreements were being taken so literally. The disingenuous and self-serving nature of this walkback is highlighted in the letter.
This, however, is at odds with the explicit language of the NDA which precludes disclosure to the public in any manner “including but not limited to: in press releases, in court documents, during judicial hearings, or during other public forums or proceedings.” The agreement, in fact, goes much further and states that the Milwaukee Police Department should seek FBI permission before responding to court ordered disclosures and should be prepared to dismiss cases at the FBI’s request if necessary to protect against disclosure.
The FBI has until March 25th to answer the following questions:
• Does the FBI consider state and local law enforcement to be bound by the NDAs related to the use of cell-site simulators?
• Has the FBI ever requested that a law enforcement agency dismiss a case to maintain the secrecy of law enforcement technology?
• How many NDAs has the FBI signed with state and local law enforcement agencies regarding cell-site simulators?
• Are there other technologies for which the FBI demands state and local law enforcement sign an NDA?
• Does the FBI continue to believe that NDAs are appropriate?
• Would the FBI ever condone perjury to Congress or judges to protect the existence of technology?
The answers should be illuminating -- if the public is actually allowed to see the responses. The FBI may still try to claim this super-secret technology that everyone knows about can't be discussed in an open forum. And I'm certain the agency will claim it would not condone perjury even though its NDAs strongly hint this would be preferable to exposing "sensitive" law enforcement methods.
So, this morning we wrote about a new flaw found in the encryption in Apple's iMessage system -- though it was noted that this wouldn't really have impacted what the FBI was trying to do to get into Syed Farook's work iPhone. However, just a little while ago, the Justice Department asked the court to delay the big hearing planned for tomorrow afternoon, because of this newly disclosed vulnerability:
Since the attacks in San Bernardino on December 2, 2015, the Federal Bureau of Investigation (“FBI”) has continued to pursue all avenues available to discover all relevant evidence related to the attacks.
Specifically, since recovering Farook’s iPhone on December 3, 2015, the FBI has continued to research methods to gain access to the data stored on it. The FBI did not cease its efforts after this litigation began. As the FBI continued to conduct its own research, and as a result of the worldwide publicity and attention on this case, others outside the U.S. government have continued to contact the U.S. government offering avenues of possible research.
On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook’s iPhone. Testing is required to determine whether it is a viable method that will not compromise data on Farook’s iPhone. If the method is viable, it should eliminate the need for the assistance from Apple Inc. (“Apple”) set forth in the All Writs Act Order in this case.
Accordingly, to provide time for testing the method, the government hereby requests that the hearing set for March 22, 2016 be vacated. The government proposes filing a status report with the Court by April 5, 2016.
This could mean a variety of different things... including that the DOJ is looking for a way "out" of this case without setting the precedent it doesn't want, after discovering that the case and public opinion didn't seem to be going the way the DOJ had hoped it was going to go when it first brought it last month. Either way, there's never a dull moment in this case...
Update: And the judge has accepted the request, meaning the hearing is off. The DOJ put out a statement trying to spin this as being about how they're just really interested in getting into this one phone and not about setting a precedent:
Our top priority has always been gaining access into the phone used by the terrorist in San Bernardino. With this goal in mind, the FBI has continued in its efforts to gain access to the phone without Apple's assistance, even during a month-long period of litigation with the company. As a result of these efforts, an outside party demonstrated to the FBI this past weekend a possible method for unlocking the phone. We must first test this method to ensure that it doesn't destroy the data on the phone, but we remain cautiously optimistic. That is why we asked the court to give us some time to explore this option. If this solution works, it will allow us to search the phone and continue our investigation into the terrorist attack that killed 14 people and wounded 22 people.
Of course, that statement is more misleading bullshit from the DOJ. It's pretty clear that the DOJ is just trying to get out of this case as it's realized that the original plan completely backfired, and they were likely to lose.
Update 2: Okay, the court has officially posted its decision to grant the DOJ's request. You can see it below as well.
One of the points that seems to be widely misunderstood by people who don't spend much time in computer security worlds, is that building secure encryption systems is really hard and almost everything has some sort of vulnerability somewhere. This is why it's a constant struggle by security researchers, cryptographers and security engineers to continually poke holes in encryption, and try to fix up and patch systems. It's also why the demand for backdoors is idiotic, because they probably already exist in some format. But purposely building in certain kinds of backdoors that can't be closed by law almost certainly blasts open much larger holes for those with nefarious intent to get in.
Case in point: over the weekend, computer science professor Matthew Green and some other researchers announced that they'd discovered a serious hole in the encryption used for Apple's iMessage platform, allowing a sophisticated hacker to access encrypted messages and pictures. And, Green, who has been vocal about the ridiculousness of the DOJ's request against Apple, notes how this is yet more evidence that the DOJ's request is a bad idea:
“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right,” said Green, whose team of graduate students will publish a paper describing the attack as soon as Apple issues a patch. “So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”
It's worth noting that the flaw that he and his team found would not have helped the FBI get what it wants off of Syed Farook's iPhone, but it's still a reminder of just how complex cryptography currently is, at a time when people are trying to keep everyone out. Offer up any potential backdoor, and you're almost certainly blasting major holes throughout the facade.
Apple is getting ready to push out a software update that will fix the flaw shortly. And this, alone, is yet another reason why the DOJ's case is so dangerous -- since the method it wants to use to get into Farook's phone is via Apple's capability to push software updates. Patching software holes is a major reason to accept regular software updates, but the FBI is now trying to co-opt that process to install unsafe code. That, in turn, may prompt people to avoid software updates altogether, which in most cases will make them less safe.
The US government has made numerous attempts to obtain source code from tech companies in an effort to find security flaws that could be used for surveillance or investigations.
The government has demanded source code in civil cases filed under seal but also by seeking clandestine rulings authorized under the secretive Foreign Intelligence Surveillance Act (FISA), a person with direct knowledge of these demands told ZDNet. We're not naming the person as they relayed information that is likely classified.
With these hearings held in secret and away from the public gaze, the person said that the tech companies hit by these demands are losing "most of the time."
That's hardly heartening. The DOJ would only go so far as to confirm this has happened before, likely because there's no way to deny it. The documents from the Lavabit case have been made public -- with the DOJ using a formerly-sealed document to hint at what could be in store for Apple if it refuses to write FBiOS for it.
Unfortunately, because of the secrecy surrounding the government's requests for source code -- and the court where those requests have been made -- it's extremely difficult to obtain outside confirmation. Whittaker contacted more than a dozen Fortune 500 companies about the unnamed official's claims and received zero comments.
A few, however, flatly denied ever having handed over source code to the US government.
Cisco said in an emailed statement: "We have not and we will not hand over source code to any customers, especially governments."
IBM referred to a 2014 statement saying that the company does not provide "software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data." A spokesperson confirmed that the statement is still valid, but did not comment further on whether source code had been handed over to a government agency for any other reason.
Cisco is likely still stinging from leaked documents showing its unwitting participation in an NSA unboxing photo shoot and has undoubtedly decided to take a stronger stance against government meddling since that point. As for IBM, its statement is a couple of years old and contains a major qualifying statement.
Previously-leaked documents somewhat confirm the existence of court orders allowing the NSA to perform its own hardware/software surgery. Presumably, the introduction of backdoors and exploits is made much easier with access to source code. Whittaker points to Kaspersky Lab's apparent discovery of evidence pointing to the NSA being in possession of "several hard drive manufacturers'" source code -- another indication that the government's history of demanding source code from manufacturers and software creators didn't begin (or end) with Lavabit.
The government may be able to talk the FISA court into granting these requests, given that its purview generally only covers foreign surveillance (except for all the domestic dragnets and "inadvertent" collections) and national security issues. The FBI's open-air battle with Apple has already proceeded far past the point that any quasi-hearing in front of the FISC would have. That's the sort of thing an actually adversarial system -- unlike the mostly-closed loop of the FISA court -- tends to result in: a give-and-take played out (mostly) in public, rather than one party saying "we need this" and the other applying ink to the stamp.