When the DOJ announced that the FBI may have miraculously found a way into Syed Farook's work iPhone, after swearing to a court that such a thing was impossible, many people zeroed in on "NAND mirroring" as the likely technique. After all, during a Congressional hearing, Rep. Darrell Issa had gone fairly deep technically (for a Congressperson, at least) in asking FBI Director James Comey whether the FBI had tested such a method. Well-known iPhone forensics guru Jonathan Zdziarski wrote a good blog post explaining why that technique is the most likely. While recognizing that there are other possibilities, he does a good job of breaking down why none of them is all that likely, given a variety of facts about the case (I won't go through all of that -- just go read his post). It's worth a read. It also has a nice quick explanation of NAND mirroring:
This is where the NAND chip is typically desoldered, dumped into a file (likely by a chip reader/programmer, which is like a cd burner for chips), and then copied so that if the device begins to wipe or delay after five or ten tries, they can just re-write the original image back to the chip. This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying. Only instead of playing a game, they’re trying different pin combinations.
However, on Friday, we noted that FBI Director James Comey was already denying this was the method, saying that it "doesn't work." The FBI also "classified" the method in question which raised some additional eyebrows. Either way, Zdziarski was pretty sure that Comey's claim that NAND mirroring doesn't work was bogus:
FBI Director Comey, in a press conference, claims the NAND technique “doesn’t work”; this says more about the credibility of this information than anything. Every expert I’ve consulted (including three hardware forensics firms) believes it works, and multiple firms are still in the process of validating the technique. The amount of time to prep and test this technique alone is proving greater than the month that we’ve been discussing it – it’s very unlikely that any reputable source could have already discredited this method, given how much time and effort it is taking everyone else to fully flesh out and test it. When asked directly if the FBI tried this technique, Comey dodged the question and replied (on the topic of “chip copying”), “I don’t want to say beyond that”, indicating the FBI hadn’t tried it. This speaks volumes about how flippantly the FBI is willing to discount viable methods endorsed by numerous researchers.
This is a simple “concept” demonstration / simulation of a NAND mirroring attack on an iOS 9.0 device. I wanted to demonstrate how copying back disk content could allow for unlimited passcode attempts. Here, instead of using a chip programmer to copy certain contents of the NAND, I demonstrate it by copying the data using a jailbreak. For Farook’s phone, the FBI would remove the NAND chip, copy the contents into an image file, try passcodes, and then copy the original content back over onto the chip.
I did this here, only with a jailbreak: I made a copy of two property lists stored on the device, then copied them back and rebooted after five attempts. When doing this on a NAND level, actual blocks of encrypted disk content would be copied back and forth, whereas I’m working with files here. The concept is the same, and serves only to demonstrate that unlimited passcode attempts can be achieved by back-copying disk content. Again, NO JAILBREAK IS NEEDED to do this to Farook’s device, as the FBI would be physically removing the NAND to copy this data.
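To make the "save-game" idea concrete, here is an added simulation (my own code, not Zdziarski's demo or anything from the case) of why writing a storage image back resets a wipe counter that lives on that storage, and why keeping the counter outside the imaged flash defeats the replay. The Device class, its fields and the brute_force helper are constructed for this illustration.

```python
import copy
import hmac

WIPE_AFTER = 10     # iOS "Erase Data after 10 failed attempts" setting
RESTORE_EVERY = 5   # Zdziarski wrote the saved copy back after five attempts

class DataWiped(Exception):
    """Raised once the device has erased its data."""

class Device:
    """Toy phone. counter_in_nand=True models the 5c-era design, where the
    failed-attempt counter lives in the same flash that gets imaged; False keeps
    it in a monotonic counter outside the image, as a Secure Enclave-style
    coprocessor does."""

    def __init__(self, passcode, counter_in_nand):
        self._passcode = passcode  # stands in for the passcode-derived key check
        self.counter_in_nand = counter_in_nand
        self.nand = {"failed": 0, "data": "user data (constructed)"}
        self._secure_counter = 0   # never included in image_nand()

    def _failures(self):
        return self.nand["failed"] if self.counter_in_nand else self._secure_counter

    def _enforce_limit(self):
        if self.nand["data"] is None or self._failures() >= WIPE_AFTER:
            self.nand["data"] = None  # erase: the data (and its keys) are gone
            raise DataWiped

    def try_passcode(self, guess):
        """True on a match, False on a miss; raises DataWiped at the limit."""
        self._enforce_limit()
        if hmac.compare_digest(guess, self._passcode):
            return True
        if self.counter_in_nand:
            self.nand["failed"] += 1
        else:
            self._secure_counter += 1
        self._enforce_limit()
        return False

    def image_nand(self):
        """Dump flash contents (the chip-reader/programmer step)."""
        return copy.deepcopy(self.nand)

    def restore_nand(self, image):
        """Write the saved image back over the flash."""
        self.nand = copy.deepcopy(image)

def brute_force(device, candidates):
    """Try candidates, restoring the pristine image every RESTORE_EVERY
    attempts. Returns (passcode or None, attempts made)."""
    image = device.image_nand()
    attempts = 0
    for guess in candidates:
        attempts += 1
        try:
            if device.try_passcode(guess):
                return guess, attempts
        except DataWiped:
            return None, attempts
        if attempts % RESTORE_EVERY == 0:
            device.restore_nand(image)
    return None, attempts
```

Running brute_force over all four-digit pins recovers "1234" on attempt 1235 when the counter sits on the imaged flash, while the design with the counter outside the image wipes on the tenth miss, and restoring a clean image afterwards still leaves it locked.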
Elsewhere Zdziarski also points out that, despite the FBI insisting that it was reaching out to everyone who might be able to help, none of the top researchers in the space have been approached by the FBI (and apparently a few who reached out the other way were rebuffed). Once again, it looks like whatever the FBI is doing with the phone, it's not being particularly upfront with the public (or, potentially, the courts).
So now that there's been a little time to process the Justice Department's last minute decision to bail out on the hearing in the San Bernardino case, claiming it was because some mysterious third party had demonstrated a way to hack into Syed Farook's iPhone, it's becoming increasingly clear that (1) the DOJ almost certainly lied at some point in this case and (2) this move was almost entirely about running away from a public relations battle that it was almost certainly losing (while also recognizing that it had a half-decent chance of also losing the court case). Just replace "Sir Robin" with "the DOJ" in the following video.
That said, there are still some things to clear up. First, did the DOJ lie? It seems pretty obvious that it must have. After all, it insisted earlier in the case, multiple times, that it had "exhausted" all other possibilities and "the only" way to get into the phone was with Apple's help. That's certainly raised some eyebrows:
The DOJ and its supporters, of course, will argue that "new shit has come to light, man," but that seems... doubtful. My first thought was that when the FBI said that it had been alerted to a way in over the weekend, it potentially was using the announcement from researchers at Johns Hopkins about a flaw in iMessage encryption. If so, that would be particularly bogus, since everyone admits that the vulnerability found would not apply to this case.
However, there's now a ton of speculation going around about the likely method (and the likely third party) that the FBI is probably using, involving copying the storage off the chip and then copying it back to brute force the passcode without setting off the security features or deleting the data. But, again, this possible solution isn't really new. Just a few weeks ago, during a Congressional hearing, Rep. Darrell Issa quizzed FBI Director James Comey about this very technique (which was so deep in the technical weeds, that many reporters and other policy folks were left scratching their heads):
That video is worth watching, because Director Comey insists, pretty clearly, that there is no way to get into the phone:
Comey: We wouldn't be litigating it if we could [get in ourselves]. We've engaged all parts of the US government to see 'does anyone have a way -- short of asking Apple to do it -- with a 5c running iOS 9 to do this?' and we do not.
At that point Issa starts asking really technical questions about whether the FBI couldn't pull the data off the phone to make copies of the storage, keep it paired with the encryption chip, try passcodes, and then reflash the memory before the 10 chances are used up -- thus brute forcing the passcode without setting off the security features. As Issa notes:
If you haven't asked that question, how can you come before this committee and before a federal judge and demand that somebody else invent something if you can't answer the question that your people have tried this? ... I'm asking who did you go to? Have you asked these questions? Because you're expecting to get an order and have somebody obey something they don't want to do and you haven't even figured out if you can do it yourself.
Comey is clearly befuddled by the questions and basically says that he's sure that his people must have thought about this, but he assumes that they're watching and if they haven't thought of this then they'll test it out. But, really, a few people had suggested similar things early on, so if that is the solution then it only adds weight to the idea that the FBI didn't do everything it could possibly do before running to the judge.
Others have questioned the "two week" timeframe for the DOJ to issue a status report to the court, noting that a brand new solution would almost certainly take much longer to test thoroughly before using it on the iPhone in question.
And then there's the other question: if the FBI really has tracked down a new "vulnerability" in Apple's encryption... will it tell Apple about it so that Apple can patch it? Remember, the White House has told the various parts of the federal government that they should have a "bias" towards revealing the flaws so they can be patched... but leaving a "broad exception for 'a clear national security or law enforcement need.'" It's pretty clear from how the DOJ has acted that it believes this kind of hole is a "law enforcement need."
So, if the FBI really did figure out a vulnerability in Apple's encryption, it probably won't actually reveal it -- but I'd imagine that Apple's security engineers are scrambling just the same to see if they can patch whatever flaws there may be here, because that's their job. And, again, that gets back to the point here: there are always some vulnerabilities in encryption schemes, and part of the job of security folks is to keep patching them. And one of the worries with the demand for backdoors is that they introduce a whole bunch of vulnerabilities that vendors are then not allowed to patch.
Either way, the DOJ's actions here are highly questionable, and it seems pretty clearly an attempt to save face in this round. But the overall fight is far from over.
Defendant Martell Chubbs currently faces murder charges for a 1977 cold case in which the only evidence against him is a DNA match by a proprietary computer program. Chubbs, who ran a small home-repair business at the time of his arrest, asked to inspect the software’s source code in order to challenge the accuracy of its results. Chubbs sought to determine whether the code properly implements established scientific procedures for DNA matching and if it operates the way its manufacturer claims. But the manufacturer argued that the defense attorney might steal or duplicate the code and cause the company to lose money. The court denied Chubbs’ request, leaving him free to examine the state’s expert witness but not the tool that the witness relied on.
That's a starkly mercenary stance to take. The "trade secret privilege" invoked here basically states that the company's potential loss of income outweighs a person's potential loss of freedom. It also asks for a level of trust it hasn't earned: that the software is as close to infallible as it needs to be. Cross-examination is next to useless when the software itself can't be examined.
Worse, this closed-off software operates in a field where nearly every previous form of "indisputable" evidence has proven to be severely flawed.
Studies have disputed the scientific validity of pattern matching in bite marks, arson, hair and fiber, shaken baby syndrome diagnoses, ballistics, dog-scent lineups, blood spatter evidence, and fingerprint matching. Massachusetts is struggling to handle the fallout from a crime laboratory technician’s forgery of results that tainted evidence in tens of thousands of criminal cases. And the Innocence Project reports that bad forensic science contributed to the wrongful convictions of 47 percent of exonerees.
Everything tied to securing convictions seems to suffer from pervasive flaws compounded by confirmation bias. For four decades, the DOJ presented hair analysis as a unique identifier on par with fingerprints or DNA when it wasn't. A 2014 Inspector General's report found the FBI still hadn't gotten around to correcting forensic lab issues it had pointed out nearly 20 years earlier. This contributed to two decades of "experts" providing testimony that greatly overstated the results of hair analysis. All of this happened in the FBI's closed system, a place outsiders aren't allowed to examine firsthand.
That's the IRL version. The software version is just as suspect. Computers aren't infallible and the people running them definitely aren't. If the software cannot be inspected, the statements of expert witnesses should be considered highly dubious. After all, most expert witnesses representing the government have a vested interest in portraying forensic evidence as bulletproof. Without access to forensic software code, no one will ever be able to prove them wrong.
If a piece of software has the ability to deprive a member of the public of their freedom, its code should be open for inspection by the defense. "Trade secrets" should not take precedence over the public's right to defend themselves in court. Even in the highly unlikely event that Chubbs' defense team copied the code and destroyed the company's future profits, the company would still have the ability to seek redress through the court system. After all, that's the line the government uses when it argues for expanded "good faith exceptions" or warrantless searches and seizures: "Hey, if we screw up, you can always sue."
The judicial system is a remedy for wrongs, both criminal and civil. What it shouldn't be is a protective haven where ridiculous assertions like those made here are used to prevent an accused person from learning more about the evidence being used to convict them.
from the you're-free-to-'discover'-this-evidence-AFTER-it's-been-used-to dept
Law enforcement agencies -- including the FBI -- haven't put together the best track record when it comes to forensic evidence. The issues range from fraud to the deployment of junk science. This has led to several wrongful imprisonments. This has also led to the government seeking to address these problems in a very "government" sort of way -- by convening a committee to study the issue, headed by the DOJ.
Issues were found, but the DOJ doesn't want to talk about them. The problems it doesn't want to talk about were a fundamental part of the committee's purpose.
The panel was created to improve the overall reliability of forensic evidence after instances of shoddy scientific analysis by federal, state and local police labs helped convict suspects.
Last evening, January 27, 2015, I was telephonically informed that the Deputy Attorney General of the U.S. Department of Justice has decided that the subject of pre-trial forensic discovery -- i.e., the extent to which information regarding forensic science experts and their data, opinions, methodologies, etc., should be disclosed before they testify in court -- is beyond the “scope” of the Commission’s business and therefore cannot properly be the subject of Commission reports or discussions in any respect.
Which is contrary to the committee's goals. To fix broken forensics, you need to fix the discovery aspects. The government would rather keep both its bad forensics and broken discovery procedures because it gives it an advantage when it comes to prosecution.
Because I believe that this unilateral decision is a major mistake that is likely to significantly erode the effectiveness of the Commission -- and because I believe it reflects a determination by the Department of Justice to place strategic advantage over a search for the truth -- I have decided to resign from the Commission, effective immediately. I have never before felt the need to resign from any of the many committees on which I have served over the years; but given what I believe is the unsupportable position now taken by the Department of Justice, I feel I have no choice.
Rakoff points out elsewhere in his resignation letter that defendants in criminal cases are perpetually disadvantaged during forensic discovery.
As the federal rules of criminal procedure now stand, prosecutors who intend to call forensic experts to testify do not have to supply the same full pre-trial discovery about those experts and the methodological and evidentiary bases for their opinions that parties calling forensic experts in civil cases are required to supply under federal rules of civil procedure.
The DOJ likes its strategic advantage and doesn't want Rakoff screwing with it. You say you want due process? Too bad. As a criminal defendant in today's justice system, you're little more than a bullet catcher for prosecutorial gunslingers.
The notion that pre-trial discovery of information pertaining to forensic expert witnesses is beyond the scope of the Commission seems to me clearly contrary to both the letter and the spirit of the Commission’s Charter… A primary way in which forensic science interacts with the courtroom is through discovery, for if an adversary does not know in advance sufficient information about the forensic expert and the methodological and evidentiary bases for that expert’s opinions, the testimony of the expert is nothing more than trial by ambush.
There's supposed to be equitable sharing and access to anything uncovered during discovery. But there obviously isn't. Rakoff recognized this and made his opinion known to the DOJ. Law enforcement agencies have apparently grown used to dealing from the bottom of the discovery deck and the United States' Deputy DA wants this privilege to remain intact. (See also: Judge Kozinski's dissenting opinion, which called out prosecutors for their "epidemic of Brady [exculpatory evidence] violations." It's not just junk science and fraud. It's also the withholding of evidence that could clear a person facing criminal charges.)
“This is obviously a critically important issue to the Department,” Yates said. “We take very seriously our obligation to ensure that defendants receive a fair trial."
Except that its original conversation with Judge Rakoff indicates that it would rather do anything but "ensure… defendants receive a fair trial." But its "trial by ambush" intentions were exposed by Rakoff's public resignation, and it had no choice but to attempt to paper this over with some honorable-sounding words.
While committing to nothing, and mouthing the empty platitudinous “We take very seriously our obligation to ensure that defendants receive a fair trial,” which is a corollary to “we’re from the government, and we’re here to help,” at least one honorable person will sit on the committee to see whether this rises to the level of serious reform.
So, Judge Rakoff is back on the panel. Hopefully, this will lead to a change in the system and a public release of information relating to law enforcement's forensic failings. This nation seems to have no shortage of zealous prosecutors who are willing to secure convictions at the expense of true due process. The balance needs to shift back to the center. Judge Rakoff's resignation has brought this long-running problem back into the public eye -- along with the DOJ's apparent desire to keep its ambush tactics from being disrupted.
We've all seen those forensic "aging" pictures that are often used to try to show what a fugitive might look like now, when law enforcement doesn't have a recent photo available. I always assumed that there was some sort of science behind doing that. However, it appears that when it comes to the FBI, the way it's done is to do a Google Image search, find an image the FBI likes and then do a simple photo merge with the person they're trying to "age." Of course, that became a bit of a problem recently, when it came out that the photo the FBI used to age both Osama bin Laden and another senior al-Qaida leader, Atiyah Abd al-Rahman, happened to be a Spanish member of parliament named Gaspar Llamazares.
Llamazares is not happy about this -- especially since both of the men his likeness was used to depict have since been assassinated. He's now planning to sue the FBI. I am curious what charges he'll bring. I can't see anything really sticking, to be honest. There might be a copyright claim from whoever holds the copyright on the image -- and that would be pretty amusing, given the Justice Department's rather strong views on the absolute evils of copyright infringement. But really, the whole story seems pretty ridiculous.
Last year, we wrote about Microsoft's COFEE tools, a set of computer forensic and auditing tools that Microsoft puts on a USB key and gives to law enforcement to use in trying to extract info from a computer. There was some fear that it was a "back door," but people insisted it was no such thing, just a collection of basic tools. Still, the fact that the system was promoted as being useful for decrypting passwords and analyzing a computer's data and internet activity seemed troubling. We noted that if Microsoft was giving it out to law enforcement, it seemed likely that others would have access to it as well.
Still, you have to imagine that the software is very much out there. So, the question still remains, is this a big deal or not? When we did our original post, many people insisted that there was no big deal in Microsoft COFEE and it was just basic everyday auditing software. Yet, when even What.cd is removing the torrent, claiming they "didn't like" what they saw when they examined the software, in terms of "the potential impact on the site and security of our users and staff," it does raise certain questions that are similar to those we originally raised.
So, once again, let's get some feedback from the folks reading here. Is this really a big deal? Or is it just your ordinary tools?