Its a long-simmering disagreement that shows no sign of reaching a conclusion: law enforcement wants access to encrypted devices and messaging apps to fight crime. Tech companies say any system that allows for lawful access would instantly be attacked and put legitimate users in danger.

The latest spat between the FBI and Apple was over the locked devices of Mohammed Saeed Alshamrani, who was suspected of killing three people and injuring eight in a shooting spree on a Navy base in Pensacola, Florida on December 6, may have escalated the conflict, but it's unlikely to break the deadlock.

While the debate has been framed as a battle between privacy and security, the reason for the stalemate is that the conversation between law enforcement and tech firms has largely focused on one solution. With tech firms moving to stronger security and end-to-end encryption across messaging apps, the US Justice Department along with the UK and Australia - has asked companies to create a key or backdoor into the design of their products that would allow law enforcement to unlock the phones of criminal suspects and access data a move that Facebook says is impossible without weakening the strength of its encryption.

Surprisingly little thought, however, has been given to alternative ways of handling the challenge of thwarting criminals who hide behind encryption, while also preserving the privacy of legitimate users. So what are the alternatives, and is there a possibility that both sides could agree a middle ground?

Facebook has offered its own solution. Anxious to avoida scenario where unbreakable encryption would effectively become illegal,Facebook says it should still be able to provide some critical location and account information.

This is because end-to-end encryption hides all content, but not all metadata of the conversation taking place.We are building tools to look for signals and patterns of suspicious activity so that we can stop abusers from reaching potential victims, Facebooks Jay Sullivan told the Judiciary Committee last month.

The big fear, however, is that 12 million referrals of child sexual abuse - currently flagged by tech giants - would be lost annually if Facebook implements its plans. Stronger encryption would limit the chances of identifying the abusers and rescuing the victims.

Then there is the argument that Facebook cannot be trusted, with critics pointing to numerous security breaches and the mass collection of users personal data for financial gain.

Anotheroption, put forward by the Carnegie Endowment for International Peace in a new paper calledMoving the Encryption Policy Conversation Forward, attempts to find some middle ground by separating data at rest and data in motion. It would prevent police from being able to carry out live surveillance of discussions that are in progress, but allow them with a court-ordered search warrant to see data at rest on mobile phones.This would include photos and messages that are already held on suspects mobile phones, laptops and in cloud storage.

Exploring mobile phone data at rest seems to be an area most likely to kick start the debate.New York County District Attorney Cyrus Vance is among supporters of this approach and wants federal legislative action to push it through.His frustration stems from Apples refusal to provide access to the phone of the San Bernardino shooter following the 2015 massacre.

Even so,many in the computer security community are skeptical, and the approach rigorous testing and debate to see if its viable.

A third option isnt so much a backdoor, more an emergency entrance. Here the government, the tech company and a neutral third party, such as a court, would each keep a fragment of a cryptographic key. Authorities would get sanctioned and pre-agreed access to messaging data a bit like a bank safe deposit box which can only be opened if the bank and the customer are present.

According to Andersen Cheng, CEO of Post-Quantum, this scenario option would significantly limit the ability of rogue actors to get access because it means no one authority has a master key to unlock millions of accounts. Any concerns over government control can be allayed because the key management could be hosted by the social media companies, he says.

The only problem and its a big one - is that no one appears to have any idea how to create such a thing at scale that will remain secret. Tech companies are likely to rail against any technical steps that would fundamentally weaken communications.

Then, theres the current solution. Each year,US police districts give millions of dollars to third-party commercial developers to access data saved to the cloud. As we know from recent scandals, undetectable spyware exploits vulnerabilities in software, allowing the buyer to access a device to read texts, pilfer address books, remotely switch on microphones and track the location of their target. There is no shortage of commercial surveillance companies that offer these services, and police reportedly used similar tools to access the phone of the San Bernardino shooter when Apple wouldnt help.

This kind of technology is playing an increasing part in helping government agencies all over the world prevent and investigate terrorism and crime and save lives: almost 50% of police investigations now involve cloud data.

Controversial Israeli firm NSO Group was involved in the capture notorious drug lord El Chapo, and recently police in Western Europe said that NSO spyware was helping them track a terror suspect they feared was plotting an attack during Christmas.

Despite this, encrypted devices and messaging platforms continue to complicate crime investigations, not least becausecritical evidence is often only available on the device itself, not in the cloud. The tools provided by commercial companies can also be expensive, with police claiming that justice is sometimes unattainable for crime victims in areas where police departments do not have the means to decrypt phones.

Campaigners also point to potential abuses and a lack of transparency over new forms of surveillance being used, and a more widespread adoption of this approach will mean that governments will have to impose careful controls to prevent misuse and enforce oversight.

Whatever the solution to the current debate over encryption, its unlikely to perfectly suit everyone. As the Carnegie Endowment report points out,cybersecurity advocates may have to accept some level of increased security risk, just as law enforcement advocates may not be able to access all the data they seek.

The first step, however, is recognizing that, with the lives and safety of so many at stake, lawmakers and tech firms should investigate every option.

Read the original post:
Options to End the End to End Encryption Debate - Infosecurity Magazine

If you follow security on the Internet, you may have seen articles warning you to beware of public Wi-Fi networks" in cafes, airports, hotels, and other public places. But now, due to the widespread deployment of HTTPS encryption on most popular websites, advice to avoid public Wi-Fi is mostly out of date and applicable to a lot fewer people than it once was.

The advice stems from the early days of the Internet, when most communication was not encrypted. At that time, if someone could snoop on your network communicationsfor instance by sniffing packets from unencrypted Wi-Fi or by being the NSAthey could read your email. They could also steal your passwords or your login cookies and impersonate you on your favorite sites. This was widely accepted as a risk of using the Internet. Sites that used HTTPS on all pages were safe, but such sites were vanishingly rare.However, starting in 2010 that all changed. Eric Butler released Firesheep, an easy-to-use demonstration of sniffing insecure HTTP to take over peoples accounts. Site owners started to take note and realized they needed to implement HTTPS (the more secure, encrypted version of HTTP) for every page on their site. The timing was good: earlier that year, Google had turned on HTTPS by default for all Gmail users and reported that the costs to do so were quite low. Hardware and software had advanced to the point where encrypting web browsing was easy and cheap.

However, practical deployment of HTTPS across the whole web took a long time. One big obstacle was the difficulty for webmasters and site administrators of buying and installing a certificate (a small file required in order to set up HTTPS). EFF helped launch Lets Encrypt, which makes certificates available for free, and we wrote Certbot, the easiest way to get a free certificate from Lets Encrypt and install it.

Meanwhile, lots of site owners were changing their software and HTML in order to make the switch to HTTPS. Theres been tremendous progress, and now 92% of web page loads from the United States use HTTPS. In other countries the percentage is somewhat lower80% in India, for examplebut HTTPS still protects the large majority of pages visited. Sites with logins or sensitive data have been among the first to upgrade, so the vast majority of commercial, social networking, and other popular websites are now protected with HTTPS.

There are still a few small information leaks: HTTPS protects the content of your communications, but not the metadata. So when you visit HTTPS sites, anyone along the communication pathfrom your ISP to the Internet backbone provider to the sites hosting providercan see their domain names (e.g. wikipedia.org) and when you visit them. But these parties cant see the pages you visit on those sites (e.g. wikipedia.org/controversial-topic), your login name, or messages you send. They can see the sizes of pages you visit and the sizes of files you download or upload. When you use a public Wi-Fi network, people within range of it could choose to listen in. Theyd be able to see that metadata, just as your ISP could see when you browse at home. If this is an acceptable risk for you, then you shouldnt worry about using public Wi-Fi.

Similarly, if there is software with known security bugs on your computer or phone, and those bugs are specifically exploitable only on the local network, you might be at somewhat increased risk. The best defense is to always keep your software up-to-date so it has the latest bug fixes.

What about the risk of governments scooping up signals from open public Wi-Fi that has no password? Governments that surveill people on the Internet often do it by listening in on upstream data, at the core routers of broadband providers and mobile phone companies. If thats the case, it means the same information is commonly visible to the government whether they sniff it from the air or from the wires.

In general, using public Wi-Fi is a lot safer than it was in the early days of the Internet. With the widespread adoption of HTTPS, most major websites will be protected by the same encryption regardless of how you connect to them.

There are plenty of things in life to worry about. You can cross public Wi-Fi off your list.

Read the original here:
Why Public Wi-Fi is a Lot Safer Than You Think - EFF

Feature

By Lester Victor MarksFriday, January 24, 2020, 05:49 am PT (08:49 am ET)

AppleInsider editor Victor Marks and writer William Gallagher discuss:

We like reader email send us your comments and concerns!

The show is available on iTunes and your favorite podcast apps by searching for "AppleInsider." Click here to listen, subscribe, and don't forget to rate our show.

Listen to the embedded SoundCloud feed below:

Sponsors:

Masterclass - Get unlimited access to EVERY MasterClass, and as an AppleInsider listener, you get 15% off the Annual All-Access Pass! Go to masterclass.com/appleinsider.

CLEAR is the absolute best way to get through airport security. It works great with Pre-Check too! Right now, listeners of our show can get their first two months of CLEAR for FREE. Go to clearme.com/appleinsider and use code appleinsider.

Show notes:

Follow our hosts on Twitter: @vmarks and @wgallagher

Feedback and comments are always appreciated. Please contact the AppleInsider podcast at [emailprotected] and follow us on Twitter @appleinsider, plus Facebook and Instagram.

Those interested in sponsoring the show can reach out to us at [emailprotected].

See the rest here:
Apple Watch rewards, iCloud encryption, and WhatsApp hacks on the AppleInsider Podcast - AppleInsider

An Amazon Web Services (AWS) engineer last week inadvertently made public almost a gigabytes worth of sensitive data, including their own personal documents as well as passwords and cryptographic keys to various AWS environments.

While these kinds of leaks are not unusual or special, what is noteworthy here is how quickly the employees credentials were recovered by a third party, whoto the employees good fortune, perhapsimmediately warned the company.

On the morning of January 13, an AWS employee, identified as a DevOps Cloud Engineer on LinkedIn, committed nearly a gigabytes worth of data to a personal GitHub repository bearing their own name. Roughly 30 minutes later, Greg Pollock, vice president of product at UpGuard, a California-based security firm, received a notification about a potential leak from a detection engine pointing to the repo.

Despite the privacy concerns, labor strikes, and reports that Amazon is selling literal trash on

An analyst began working to verify what specifically had triggered the alert. Around two hours later, Pollock was convinced the data had been committed to the repo inadvertently and might pose a threat to the employee, if not AWS itself. In reviewing this publicly accessible data, I have come to the conclusion that data stemming from your company, of some level of sensitivity, is present and exposed to the public internet, he told AWS by email.

AWS responded gratefully about four hours later and the repo was suddenly offline.

Since UpGuards analysts didnt test the credentials themselveswhich would have been illegalits unclear what precisely they grant access to. An AWS spokesperson told Gizmodo on Wednesday that all of the files were personal in nature and unrelated to the employees work. No customer data or company systems were exposed, they said.

At least some of the documents in the cache, however, are labeled Amazon Confidential.

Alongside those documents are AWS and RSA key pairs, some of which are marked mock or test. Others, however, are marked admin and cloud. Another is labeled rootkey, suggesting it provides privileged control of a system. Other passwords are connected to mail services. And there are numerous of auth tokens and API keys for a variety of third-party products.

AWS did not provide Gizmodo with an on-the-record statement.

It is possible that GitHub would have eventually alerted AWS that this data was public. The site itself automatically scans public repositories for credentials issued by a specific list of companies, just as UpGuard was doing. Had GitHub been the one to detect the AWS credentials, it would have, hypothetically, alerted AWS. AWS would have then taken appropriate action, possibly by revoking the keys.

But not all of the credentials leaked by the AWS employee are detected by GitHub, which only looks for specific types of tokens issued by certain companies. The speed with which UpGuards automated software was able to locate the keys also raises concerns about what other organizations have this capability; surely many of the worlds intelligence agencies are among them.

GitHubs efforts to identify the leaked credentials its users uploadwhich began in earnest around five years agoreceived scrutiny last year after a study at North Carolina State University (NCSU) unearthed over 100,000 repositories hosting API tokens and keys. (Notably, the researchers only examined 13 percent of all public repositories, which alone included billions of files.)

While Amazon access key IDs and auth tokens were among the data examined by the NCSU researchers, a majority of the leaked credentials were linked to Google services.

GitHub did not respond to a request for comment.

UpGuard says it chose to make the incident known to demonstrate the importance of early detection and underscore that cloud security is not invulnerable to human error.

Amazon Web Services is the largest provider of public cloud services, claiming about half of the market share, Pollock said. In 2019, a former Amazon employee allegedly stole over a hundred million credit applications from Capital One, illustrating the scale of potential data loss associated with insider threats at such large and central data processors.

In this case, Pollock added, theres no evidence that the engineer acted maliciously or that any customer data was affected. Rather, this case illustrates the value of rapid data leaks detection to prevent small accidents from becoming larger incidents.

Read more here:
Amazon Engineer Leaked Private Encryption Keys. Outside Analysts Discovered Them in Minutes - Gizmodo

Once again, the FBI is putting pressure on Apple to help them break into the phone of a mass shooter. And once again, Apple has been largely resistant to the effort. Which is good, because a government having control over a private company that gives them secret backdoor access into people's personal technology devices is an authoritarian wet dream waiting to happen.

It also doesn't matter anyway because as Reuters pointed out this week Apple already buckled under FBI pressure a few years and cancelled their plans to add end-to-end encryption to all iPhone backups in iCloud:

The company said it turned over at least some data for 90% of the requests it received [from the FBI]. It turns over data more often in response to secret U.S. intelligence court directives, which sought content from more than 18,000 accounts in the first half of 2019, the most recently reported six-month period.

But what if the FBI wants access to someone's locked iPhone, and they haven't backed it up to iCloud? Theystill don't need Apple's help, because as with the San Bernardino shooting there are plenty of third-party companies that can and will gladly solve the problem in exchange for money.

From OneZero:

Over the past three months,OneZero sent Freedom of Information Act (FOIA) requests to over 50 major police departments, sheriffs, and prosecutors around the country asking for information about their use of phone-cracking technology. Hundreds of documents from these agencies reveal that law enforcement in at least 11 states spent over $4 million in the last decade on devices and software designed to get around passwords and access information stored on phones.

[]

The documents range from contracts, requests for proposals (RFPs), invoices for payments by law enforcement, quotes from forensic companies, and emails traded between officials discussing vendor approval. They suggest that most law enforcement agencies bought forensic investigation products from a small group of companies that includeCellebrite, Grayshift, Paraben, BlackBag, and MSAB. In addition to selling the software and hardware needed to unlock phones, these companies also charge thousands of dollars each year to upgrade the software in their products. In addition, their customers spend thousands on training sessions to teach personnel in their offices how to use the tools.

And perhaps that's the most frustrating thing about this whole scenario. The US government is always warning us about the authoritarian overreaches of surveillance states like those in China, but really, they just want to replicate it without feeling guilty. Meanwhile, supposed-innovations of free market enterprise are providing the same opportunities for authoritarian surveillance capitalism, but, ya know, privately-owned, so immune to any legal oversight or transparency, because America. Isn't that supposed to be the dream?

Exclusive: Apple dropped plan for encrypting backups after FBI complained [Joseph Menn / Reuters]

Exclusive: U.S. Cops Have Wide Access to Phone Cracking Software, New Documents Reveal [Michael Hayes / OneZero]

Image via the White House

No encrypted iCloud backups for you, citizen!

The time is always right to do what is right, thats true. But the timing of this is a pretty ugly retconespecially after a new trove of FBI files on Martin Luther King, Jr. were just released six months ago, painting an ugly picture of frequent sexual misconduct.

Gee, thanks.

Thanks to a series of progressive movements throughout the United States, more and more states are allowing people to smoke in the great outdoors with absolute freedom. Unfortunately, most pipe-makers have been slow to catch up with this new reality, which leads to avid smokers stuffing a cumbersome glass pipe in their pocket every time []

Its no secret that when it comes to building your brand online, nothing beats having a powerful and streamlined website. BoxHosting Website Hosting makes it easy to create an extensive online presence with room for 500 domains, 500 10GB email accounts, and unlimited desk spaceand you only have to pay $45 for life. In addition []

Theres never been a better time to work as a web developerregardless of whether youre looking to work with a big company or as a solo freelancer. The Essential PHP Coding Bundle will get you up to speed with one of the worlds most popular and powerful web development scripting languages, and its currently available []

Here is the original post:
The FBI doesn't need Apple to give it a backdoor to encryption, because it already has all the access it needs - Boing Boing