Tag: Apple

Security v. Security – Tech Companies, Backdoors and Law Enforcement Authorities

Grab the popcorn, this is going to be fun!


The request for access to the information stored on the smartphone of one of the San Bernardino shooting suspects has intensified the debate on building backdoors into mobile devices so that law enforcement can get in.

The issue is not whether law enforcement authorities, armed with a proper warrant, are entitled to search a mobile phone and access its content. That much is straightforward: they are.

What is at stake is Apple’s objection to a court order requiring it to give the ongoing federal investigation the means to access that information. More concretely, Apple has been ordered to write code modifying the iPhone’s software so as to bypass an important security function: the feature that automatically erases the device’s data after ten wrong passcode entries. With that feature disabled, the authorities could enter wrong passcodes indefinitely and eventually recover the device’s passcode by brute force, without risking the deletion of its content, and then access and extract the information held on the suspect’s iPhone.

The use of new technologies to conduct criminal and terrorist activities has made it hard to ignore the advantages that access to communications carried over those technologies brings to the investigation, prevention and combating of crime. Law enforcement authorities point out that such access is particularly pertinent in the fight against terrorism, paedophile networks and drug trafficking.

In this context, the use of encryption in communications has become the cornerstone of the debate. Investigative authorities want backdoors built into mobile devices to guarantee access whenever they deem it necessary. By contrast, companies such as Apple refuse to retain keys to such encrypted communications, and consequently cannot hand them over when law enforcement asks.

Just recently, FBI Director James Comey told the US Senate Intelligence Committee that the intelligence services are not interested in ‘backdoor’ access to secure devices as such; what they want is to require companies to hand over the encrypted messages sent through those devices. Comey is fond of such wordplay: he once said he wanted ‘front doors’ rather than ‘back doors’.

Along the same lines, White House Press Secretary Josh Earnest recently stated that the court order does not ask Apple to redesign its products or to create a backdoor.

These are, to say the least, puzzling statements, but they clearly express the underlying motivation: banning encryption products without backdoors, and mandating backdoors.

Indeed, if companies can be required to undermine their own security and privacy features in order to give law enforcement access, then, however legitimate the purpose and whatever name one prefers to give it, that is the very definition of a backdoor.

It never ceases to amaze me how controversial it seems to be, among free people living in a democracy, that implementing backdoors is a very bad idea on both legal and technical grounds, and for the sake of everyone’s privacy and security.

The main argument for backdoors is that they will help in the fight against crime. That is unquestionably a legitimate purpose, and nobody who opposes backdoors argues otherwise.

However, backdoors would by their nature make everyone’s communications less secure, exposing them to a greater risk of attack by third parties and to further invasions of privacy: a key or tool that lets one party bypass the protection will let anyone who steals or copies it do the same. Moreover, no real guarantees against the abuse that could follow are ever offered. Those arguing for access through backdoors fail to frame the context adequately. It is vaguely stated that the mechanism will be used ‘when necessary’, with no strict definition. What is necessary, anyway? Would it depend on the relevance of the information at stake? On whether alternative means exist, or on how burdensome they are?

If Apple complies with the order, it is hard to believe that similar requests will not follow immediately; one may safely say they are to be expected and will be encouraged in the future. Once created, the cracking software could be used and abused in future cases, which is particularly worrying given the lack of a legal framework and the precedent the decision would set.

One may be tempted to sacrifice some privacy in the interest of public security. That is not a wrongful viewpoint; I don’t know anyone who would disagree with it. The trouble starts when one considers the limitations of backdoors for fighting terrorism, for instance. It is harder to support backdoors as a means of preventing crime once confronted with their inherent inefficiency and limitations, which their supporters seem not to acknowledge.

Even if companies can be forced to implement backdoors giving access to encrypted communications, criminals seeking encryption products without such backdoors have a myriad of alternatives on the market: encrypted messaging apps, file encryption, open source products, virtual private networks…

Take Isis, for instance. It has been alleged, without further evidence, that the group has its own open source encrypted communications app. If so, mandating backdoors would do nothing but weaken the security of everybody relying on encrypted messaging apps: a backdoor imposed on commercial products cannot reach an app whose code anyone can build and modify, so the measure would be pointless for its intended purpose.

That said, Apple’s stance is easy to understand. Having built its reputation on the privacy and security of its devices, it is commercially very risky for the company to be asked to develop software that undermines its core business. Indeed, in 2014 it changed its software precisely so that it would no longer be able to unlock its smartphones and access its customers’ encrypted data.

Asking the company now to help law enforcement by building a backdoor around a security function that prevents the decryption of the device’s content looks like just another way of achieving the same outcome, under a different name.

This goes far beyond requiring companies to comply with a lawful order and warrant to the extent they are able to. Requiring private companies to create a tool intended to weaken the security of their own operating systems defies good sense: it amounts to requiring (forcing?) them to build and deliver hacking tools to law enforcement, tools that put everyone’s privacy and cybersecurity at risk.

And if this becomes an accepted requirement in democratic systems, whether by precedent or through legislation, one can only wonder how enthusiastically the news will be welcomed by repressive regimes eager to expand their surveillance powers.

From an EU viewpoint, given how uncertain the future of the Privacy Shield framework is, and despite the divergences among EU Member States on encryption, this case certainly does nothing to resolve the trust issues surrounding the security of data transferred to the US.

Celebgate or The Cloud Conundrum

iCloudy with a chance of pictures.


Women were already the main target of social engineering, street harassment, cyber harassment, workplace harassment, sexual harassment, revenge porn and all the other creepy forms of gender-oriented attacks. Now the online world has witnessed the leak of hundreds of intimate pictures of celebrities such as Jennifer Lawrence, Kirsten Dunst, Rihanna and Kim Kardashian.

‘Leak’ may not be the most suitable word, given the circumstances. Theft, break-in, hacking, privacy violation or online assault are far more accurate terms.

So what happened, really?

Someone, whom I cannot help picturing as a disgusting, sexually frustrated, slobbering pervert with no sense of civility, accessed the iCloud accounts of targeted celebrities and posted their personal pictures online. [1]

What do all the victims have in common? Well, to start with, they are all world-famous for some reason… and all are women.

I really cannot understand why anyone would be tempted to access intimate pictures of women without their consent, celebrities or not, when the internet is full of websites featuring women who willingly or professionally display themselves naked.

It was plainly a gender-oriented attack, intended to publicly expose and shame the victims, which seems to be a common and sick practice on the Internet nowadays. As far as I am aware, men are not usually targeted in this way.

The central hubs for displaying and spreading the links to the pictures were Reddit and 4chan. The photos then spread across the Internet like wildfire and the case was inevitably nicknamed ‘Celebgate’.

The incident led public attention to an immediate question: how could attractive young women even dare to take pictures of themselves, or let themselves be photographed, in erotic or sexual poses or situations? For a vast, and scary, number of internet users, the victims are therefore the main culprits in their own violation. Being celebrities (or should I say women?), they should have known better than to take pictures meant to remain private, or to be shared only with whomever they chose.

On second thought, the incident led internet users to reflect on how private our private information really is. That is a very legitimate concern considering Edward Snowden’s revelations, the recent news of data breaches at American retailers such as Target and Home Depot, and the hacking of Chinese hospitals’ medical records.

The incident has also put the spotlight on online security in general. After all, it is very likely that the hackers gained access to much more sensitive data than pictures and videos. And if celebrities’ accounts can be hacked, it can happen to anybody, right?

Apple denied having suffered a data breach and insisted that none of the material was obtained directly from the company’s servers. In a statement, it said that it had instead found the hacking to be the result of a brute-force attack on user names, passwords and security questions.

Nevertheless, while poorly chosen passwords and the failure to enable Apple’s two-factor authentication may have weakened the victims’ security, the weaknesses in Apple’s own security software were undeniable. For instance, the iCloud backup system did not implement adequate safeguards against brute-force attacks [2] (the standard ones being to limit and slow down repeated failed login attempts).
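The two posts on this page turn on the same mechanism: the iPhone’s erase-after-ten-wrong-passcodes feature that the FBI wanted disabled, and the iCloud login that lacked such a limit. The following is an added example written for this page, not code from the original posts or from Apple. It builds a toy PIN verifier that can run either with no attempt limit or with an erase-after-ten limit, and lets a brute-force loop attack both. The PINs, salts, the 4-digit PIN length and the hash function are constructed assumptions for the example.

```python
"""Added example, not code from the original post or from Apple: why limiting
failed attempts matters against brute force.

`Verifier` is a toy credential store guarding a short numeric PIN. With
max_failures=None it answers every guess (a login endpoint with no rate limit);
with max_failures=10 it "erases" itself after ten wrong answers, mirroring the
iPhone feature described in the San Bernardino post. `brute_force` then plays
the attacker against both. PINs, salts and the PIN length are constructed here.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # A real store would use a slow KDF (PBKDF2/scrypt/Argon2); a single
    # HMAC-SHA256 keeps the brute-force loop below fast enough to run here.
    return hmac.new(salt, pin.encode(), hashlib.sha256).digest()


class Verifier:
    """Toy PIN verifier. Counts attempts so the attacker's cost can be measured."""

    def __init__(self, pin: str, max_failures: Optional[int] = None) -> None:
        self._salt = os.urandom(16)
        self._digest = _hash_pin(pin, self._salt)
        self.max_failures = max_failures   # None: no lockout at all
        self.failures = 0
        self.attempts = 0
        self.erased = False                # analogue of the phone's auto-erase

    def check(self, guess: str) -> bool:
        self.attempts += 1
        if self.erased:
            return False                   # nothing left to unlock
        if hmac.compare_digest(_hash_pin(guess, self._salt), self._digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.erased = True             # the tenth wrong guess wipes the data
        return False


def brute_force(verifier: Verifier, digits: int = 4) -> Optional[str]:
    """Enumerate every PIN of the given length in order. Returns the PIN that
    unlocked the store, or None if it erased itself (or the space ran out) first."""
    for n in range(10 ** digits):
        guess = str(n).zfill(digits)
        if verifier.check(guess):
            return guess
        if verifier.erased:
            return None
    return None


def demo(trials: int = 200, digits: int = 4) -> Dict[str, Dict[str, float]]:
    """Attack random PINs with and without the ten-attempt limit and report the
    attacker's win rate and average number of guesses per target."""
    rng = secrets.SystemRandom()
    results: Dict[str, Dict[str, float]] = {}
    for name, limit in (("unlimited", None), ("erase_after_10", 10)):
        wins = 0
        guesses = 0
        for _ in range(trials):
            pin = str(rng.randrange(10 ** digits)).zfill(digits)
            target = Verifier(pin, max_failures=limit)
            if brute_force(target, digits) == pin:
                wins += 1
            guesses += target.attempts
        results[name] = {"win_rate": wins / trials,
                         "avg_guesses": guesses / trials}
    return results


if __name__ == "__main__":
    for name, stats in demo().items():
        print(f"{name:15s} win rate {stats['win_rate']:.3f}  "
              f"avg guesses {stats['avg_guesses']:.0f}")
```

With no limit the attacker always wins, after about five thousand guesses of a 4-digit PIN on average; with the erase-after-ten limit it wins only when the PIN happens to be among its first ten guesses, one time in a thousand. Disabling that limit is exactly what the court order asked Apple to do, and leaving it out is what an online login without attempt limiting amounts to.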

Apple’s announcement that it will strengthen the security of its iCloud storage platform may therefore be no coincidence. Tim Cook said that users will be alerted when someone tries to change an account password, restore iCloud data to a new device, or log into an account from a device for the first time. Apple also intends to broaden its use of two-factor authentication.

Despite the unfortunate consequences for the victims, the incident has drawn much-needed attention, as no other incident so far, to how people share, store and secure their personal and sensitive data.

There are valuable lessons to learn from this incident. The ugly truth is that if someone with the time, knowledge and means wants your personal data, they will try to get it, and may succeed if proper security measures are not in place. It is safer to assume that nobody is immune to a similar attack.

It is therefore necessary to improve our personal security posture and use all the available tools to keep future attacks from succeeding.

To start with, find out whether the services you use automatically back up your data, and decide whether you want to keep that feature on or turn it off. If you intend to use a cloud service, choose one that encrypts your data, bearing in mind that if the provider holds the key, anyone who gets into your account sees the data just the same.

Secondly, it is very important to use strong login credentials. Multi-factor authentication [3] and a complex, unique password for each online account are highly recommended. You can go further and use passphrases instead of passwords, and a password manager makes it practical to keep a different one for every account. Remember that security questions are a credential too: a well-known person’s mother’s maiden name or first pet is often a web search away, so answer them with random strings kept in the password manager.
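To make the ‘something you know’ plus ‘something you have’ pairing concrete, here is an added example written for this page, not code from the original post or from Apple. A password check is followed by a six-digit code sent out of band, the way a text-message second factor works; the code comes from a CSPRNG, expires, is accepted once only and is burned after a few wrong guesses, so it cannot be attacked the way an unlimited login endpoint can. The user record, the phone number, the `FakeSms` gateway and the `FakeClock` are constructed stand-ins.

```python
"""Added example, not code from the original post or from Apple: a password
check followed by a one-time code sent out of band, the "something you know"
plus "something you have" pairing described in the footnote.

The user record, phone number, `FakeSms` gateway and `FakeClock` are constructed
stand-ins for this example. The second-factor code is drawn from a CSPRNG,
expires after `ttl_seconds`, is accepted once only, and allows `max_tries`
guesses before it is burned.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List


def _make_user(password: str, phone: str) -> dict:
    """Store a salted PBKDF2 hash of the password (factor one) and the phone
    number the second-factor code will be sent to."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": digest, "phone": phone}


# Constructed user record; the phone number is not a real one.
USERS: Dict[str, dict] = {
    "alice": _make_user("correct horse battery staple", "+15550000001"),
}


def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    return hmac.compare_digest(cand, rec["pw_hash"])


class FakeSms:
    """Stand-in for an SMS gateway: keeps the last message sent to each number."""

    def __init__(self) -> None:
        self.outbox: Dict[str, str] = {}

    def send(self, phone: str, text: str) -> None:
        self.outbox[phone] = text


class FakeClock:
    """Controllable time source so expiry can be exercised without sleeping."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class SecondFactor:
    def __init__(self, sms: FakeSms, ttl_seconds: int = 300, max_tries: int = 3,
                 clock: Callable[[], float] = time.time) -> None:
        self._sms = sms
        self._ttl = ttl_seconds
        self._max_tries = max_tries
        self._clock = clock
        self._pending: Dict[str, List] = {}   # user -> [code, expires_at, tries_left]

    def challenge(self, user: str, phone: str) -> None:
        code = f"{secrets.randbelow(1_000_000):06d}"   # six digits from os.urandom
        self._pending[user] = [code, self._clock() + self._ttl, self._max_tries]
        self._sms.send(phone, f"Your login code is {code}")

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                      # no challenge outstanding
        code, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user]           # a stale code is useless to anyone
            return False
        if not hmac.compare_digest(code, submitted):
            entry[2] -= 1
            if entry[2] <= 0:
                del self._pending[user]       # too many misses burn the code
            return False
        del self._pending[user]               # single use: a replay fails
        return True


def start_login(sf: SecondFactor, user: str, password: str) -> bool:
    """Factor one. Only a correct password triggers the second-factor challenge,
    so a password guesser never even learns that a code exists."""
    if not check_password(user, password):
        return False
    sf.challenge(user, USERS[user]["phone"])
    return True


def finish_login(sf: SecondFactor, user: str, code: str) -> bool:
    """Factor two: the code that arrived on the registered phone."""
    return sf.verify(user, code)
```

Even an attacker who has the password is stopped here: without the phone they must guess a six-digit code within three tries, and each new challenge issues a fresh code, so the odds never improve. A real deployment would also throttle how often `challenge` can be requested for one account, since the gateway is a cost and a nuisance channel of its own.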

These are basic, well-known measures, but ‘Celebgate’ is a reminder that everybody, not only women, needs to take better care of their online selves. Women may be the main target of hacking intended to humiliate them publicly, but anybody can be hacked for all manner of purposes, with more or less serious and far-reaching consequences: to spy creepily on friends, family or the girl who rejected them; for the ‘intellectual’ challenge; to steal services and valuable files, notably intellectual property; to collect credit card details or commit other forms of card fraud; to take over computers; to steal identities; to hijack e-mail accounts and send spam…

Some may prefer to judge the victims and look at their pictures. But the bigger picture is this: use whatever devices and services you want, but use them knowingly and safely. Nobody will protect you online better than you will.

References

1. For those who might not be aware, the cloud is a storage and back-up service that lets users keep personal information online. Because the data is kept on the provider’s servers, it saves space on the user’s computer, smartphone or tablet while remaining accessible from any device, anywhere. Companies such as Apple, Google, Microsoft and Amazon, to name just a few, all provide cloud-based storage.
2. Brute-force attacks are repeated attempts to break into a user’s account by trying possible combinations of letters, numbers and symbols until the correct password is found.
3. Two-factor authentication combines two elements: something you know and something you have. Besides the password (what you know), you will be asked for a second form of identification the first time you log into an account from a new device. This normally involves a code sent by text message to a phone you have access to (what you have).

© 2017 The Public Privacy
