
Internet-connected ‘smart’ devices are dunces about security – ABC News

These days, it's possible to use your phone and sometimes just your voice to control everything from your TV to your lights, your thermostat and shades, even your car or medical device. (At least, once you have gadgets that can listen.)

But the WikiLeaks allegation that the CIA commandeered some Samsung smart TVs as listening devices is a reminder that inviting the "Internet of Things" into your home comes with some risk.

How safe are your connected devices? Tread carefully, but don't freak out, experts say.

A GROWING INDUSTRY

Connected devices are unquestionably popular. Research firm Gartner expects there to be 8.4 billion connected "things" in use in 2017, up 31 percent from 2016. By 2020, this number could reach 20.4 billion, with smart TVs and digital set-top boxes serving as the most popular consumer gadgets.

For businesses, meanwhile, smart electric meters and commercial security cameras are expected to be the most popular "internet of things" products.

Such gadgets are convenient, but they can present easy targets for hackers. In October of 2016 hackers seized control of webcams and digital video recorders and recruited them into internet "botnets" that launched denial-of-service attacks against popular websites such as Netflix and Twitter, forcing them offline for some users.

LIMITED GOVERNMENT

There's a growing call for regulation to secure connected devices, but it's unclear whether this will happen. Last year, the Department of Homeland Security released a report describing runaway security problems with devices that recently gained internet capabilities, a collection that includes medical implants, surveillance cameras, home appliances and baby monitors.

"The growing dependency on network-connected technologies is outpacing the means to secure them," Department of Homeland Security Secretary Jeh Johnson said at the time. This, of course, was during the Obama administration; more regulation so far appears unlikely under President Donald Trump.

Forrester Research analyst Josh Zelonis said consumers can't wait for the government to fix things. Instead, he said, people have to demand that manufacturers are accountable for the security of their products and that they support the products throughout the product's lifetime, not just when it's sold.

Which, of course, is far easier said than done.

BRAND APPEAL

One problem: Many people don't realize they have to secure connected devices with passwords like they do with computers. "People don't think of a TV or a camera as a computer and that's all it is," said Gartner analyst Avivah Litan.

If a device comes with a default password, it needs changing the moment you hook it up. Similarly, your Wi-Fi password shouldn't still be the one it came with out of the box; it needs a hard-to-guess passphrase to ensure that it can't be easily hacked.

Another problem: Cheaper devices from no-name companies also pose more of a security risk. While big companies like Apple, Amazon or Samsung can patch up security holes as soon as they find them, smaller companies don't have the resources or, sometimes, the ability or willingness to do so.

"Bigger companies typically have more resources and more to lose, so they are typically more secure," said Patrick Moorhead, analyst at Moor Insights & Strategy.

Password-protecting most connected devices, though, should go a long way toward ensuring they won't be used to take down Netflix.

"Don't buy from smaller vendors," Moorhead said. "Don't buy devices that don't encrypt data everywhere." And change the password if you can.

MEASURED CAUTION

Sydnee Thompson, a 24-year-old from Troy, Michigan, is cautious but ultimately sanguine about her connected devices. She has an internet-connected TV, but she's been reluctant to get a "smart" device like Amazon's Echo home assistant because of worries that it would always be listening and that others might also.

But Thompson uses a smartphone and already assumes that if the government wants to track her, it can. "If the government wants to find out something about you, they will," she said. "It's just the world we live in."

Cameron Matz from Stafford, Virginia, said he has several smart TVs and plans to keep using them. "We can't be afraid to live our life because some person out in the world is listening in on your conversation about daily activities."

AP Tech Writer Tali Arbel in New York contributed to this report.


Derry internet security expert warns that advanced internet technology ‘a risk to us all’ – Derry Now

Derry native Robert O'Brien, CEO of MetaCompliance, a global Information Security and Compliance software company, says a lack of regulation in the surge of the Internet of Things is posing a serious risk to the general public.

"In the race to develop smart devices for mass consumption, it appears that there was little thought given to security. The rise of the Internet of Things has in turn given rise to an increased cyber threat to our homes."

The Internet of Things (or IoT) is about connecting a growing number of everyday devices over the internet, items that can talk to us, applications and each other.

Mr O'Brien made the comments following claims that the US intelligence community has been using the IoT to hack a number of well-known and everyday products including Smart TVs, cars and mobile devices.

He added: "The truth be told, when it came to whole internet of things nobody really thought about security. Thankfully that is beginning to change as more and more people become educated to the risks."

He said last month's call in Germany for parents to destroy My Friend Cayla dolls further illustrates safety concerns over the IoT.

Researchers said the Bluetooth device embedded in the toy could be employed by hackers to listen and talk to children while they play with it.

Mr O'Brien said: "There is no doubt that this doll represents a risk to children and there are many other devices which pose a risk. When it comes to children and online cyber threats, a zero tolerance approach is the only response.

"The Cayla doll should be considered a computer. Would you let someone access your kid's computer? From a security point of view there is only one tip I would offer on this and that is to put it in the bin. I would advise not letting children use these types of devices at all."

He warned that 'there are many items in the same category as this doll in home'.



Customer Letter – Apple

The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.

This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.


Smartphones, led by iPhone, have become an essential part of our lives. People use them to store an incredible amount of personal information, from our private conversations to our photos, our music, our notes, our calendars and contacts, our financial information and health data, even where we have been and where we are going.

All that information needs to be protected from hackers and criminals who want to access it, steal it, and use it without our knowledge or permission. Customers expect Apple and other technology companies to do everything in our power to protect their personal information, and at Apple we are deeply committed to safeguarding their data.

Compromising the security of our personal information can ultimately put our personal safety at risk. That is why encryption has become so important to all of us.

For many years, we have used encryption to protect our customers' personal data because we believe it's the only way to keep their information safe. We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business.

We were shocked and outraged by the deadly act of terrorism in San Bernardino last December. We mourn the loss of life and want justice for all those whose lives were affected. The FBI asked us for help in the days following the attack, and we have worked hard to support the government's efforts to solve this horrible crime. We have no sympathy for terrorists.

When the FBI has requested data that's in our possession, we have provided it. Apple complies with valid subpoenas and search warrants, as we have in the San Bernardino case. We have also made Apple engineers available to advise the FBI, and we've offered our best ideas on a number of investigative options at their disposal.

We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software, which does not exist today, would have the potential to unlock any iPhone in someone's physical possession.

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.

Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution. But it ignores both the basics of digital security and the significance of what the government is demanding in this case.

In today's digital world, the key to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.

The government suggests this tool could only be used once, on one phone. But that's simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks, from restaurants and banks to stores and homes. No reasonable person would find that acceptable.

The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers, including tens of millions of American citizens, from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.

We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.

Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority.

The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by brute force, trying thousands or millions of combinations with the speed of a modern computer.

The implications of the government's demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone's device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone's microphone or camera without your knowledge.

Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.

We are challenging the FBI's demands with the deepest respect for American democracy and a love of our country. We believe it would be in the best interest of everyone to step back and consider the implications.

While we believe the FBI's intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.


What the CIA WikiLeaks Dump Tells Us: Encryption Works – New York Times


NEW YORK If the tech industry is drawing one lesson from the latest WikiLeaks disclosures, it's that data-scrambling encryption works, and the industry should use more of it. Documents purportedly outlining a massive CIA surveillance program suggest ...


Snake-Oil Alert: Encryption Does Not Prevent Mass-Snooping – Center for Research on Globalization

The WikiLeaks stash of CIA hacking documents shows tools used by the CIA to hack individual cell-phones and devices. There are no documents yet that suggest mass snooping efforts on a very large scale. Unlike the NSA, which has a "collect it all" attitude towards internet traffic and content, the CIA seems to be more interested in individual hacking.

This suggests that the CIA cannot decipher the modern encrypted communication its adversaries use. It therefore has to attack their individual devices.

But it does not mean that the CIA cannot engage in mass snooping.

The New York Times description is wrong:

Some technical experts pointed out that while the documents suggest that the C.I.A. might be able to compromise individual smartphones, there was no evidence that the agency could break the encryption that many phone and messaging apps use. If the C.I.A. or the National Security Agency could routinely break the encryption used on such apps as Signal, Confide, Telegram and WhatsApp, then the government might be able to intercept such communications on a large scale and search for names or keywords of interest. But nothing in the leaked C.I.A. documents suggests that is possible.

Instead, the documents indicate that because of encryption, the agency must target an individual phone and then can intercept only the calls and messages that pass through that phone. Instead of casting a net for a big catch, in other words, C.I.A. spies essentially cast a single fishing line at a specific target, and do not try to troll an entire population.

"The difference between wholesale surveillance and targeted surveillance is huge," said Dan Guido, a director at Hack/Secure, a cybersecurity investment firm. "Instead of sifting through a sea of information, they're forced to look at devices one at a time."

Snake-oil alert: Right diagnosis, wrong conclusion and therapy.

If the CIA breaks into an individual Samsung Galaxy 7 it can record what is typed on the screen, and whatever gets transferred via the microphone, camera and loudspeaker. No encryption can protect against that. But why should the CIA break into only one Galaxy 7?

It is wrong to conclude that the CIA can therefore not intercept such communications on a large scale. It can. Easily.

If you can break into one individual Samsung Galaxy 7 you can break into all of them. This can be automated.

The CIA also breaks into internet routers and network infrastructure systems. By watching the network traffic flowing by, the CIA (and NSA) systems can see who uses encrypted communication. They can then launch programs to silently take over the communicating devices. Then the communication can be recorded from the devices and read in the clear. There is nothing at all that prevents this from taking place on a massive scale.

The reaction to the Snowden leaks about gigantic NSA snooping on internet lines led to an increased use of encryption. Suddenly everyone used HTTPS for web traffic and the user numbers of Signal, Telegram, WhatsApp and other encrypting communication applications exploded.

But encrypted traffic still sticks out. One can detect an encrypted Skype call by watching the network traffic on this or that telecom network. One can detect what kind of end-devices are taking part in a specific call. With a library of attack tools for each of the usual end-devices (iPhone, Android, Windows, Mac) the involved end-devices can be silently captured and the call can be recorded without encryption.

The Times writes: "Instead of casting a net for a big catch, in other words, C.I.A. spies essentially cast a single fishing line at a specific target, and do not try to troll an entire population."

It is right in one sense. There is not one central point in the river of traffic where one casts the net. But it is wrong to conclude that the CIA or other services would then use a single fishing line. What hinders them from using hundreds of fishing lines? Thousands? Hundreds of thousands?

Wide use of encryption simply moves the snooping efforts from the networks towards the end-devices. It might be a little more expensive to snoop on hundreds of thousands of end-devices than on a few network backbones, but budget or manpower restrictions are not a problem the NSA and CIA have had in recent decades.

To tell users that encryption really restricts the CIA and NSA is nonsense. Indeed it is irresponsible.

The sellers of encryption are peddling snake-oil. The dude from a cybersecurity investment firm the Times quotes is just selling his rancid wares.

Your neighbor snoops on your open WLAN traffic? Yes, chat encryption might prevent him from copying your session with that hot Brazilian boy or girl. But it does not prevent professionals from reading it. For that you would need secure devices on both ends of the communication. Good luck finding such.


That Encrypted Chat App the White House Liked? Full of Holes – WIRED


Leaks have plagued the Trump administration since he took office less than seven weeks ago. The president's anger about these backchannels has grown, up to and including reported demands of an investigation into the source. Press secretary Sean Spicer has even apparently taken to doing random phone checks, supervised by White House attorneys, to see what staffers and aides are up to on their devices and whether they have secure communication apps.

In the midst of all of this, the end-to-end encrypted, disappearing messages app Confide has emerged as a popular choice among administration officials looking to discuss sensitive topics with coworkers, the press, or other groups. But in spite of Confide's claims that it gives you "the comfort of knowing that your private messages will now truly stay that way," researchers at security firm IOActive recently notified its developers of a number of critical vulnerabilities in the app. Those have since been resolved, but that's small consolation for White House staffers and general users who relied on Confide while it was exposed.

IOActive found vulnerabilities in numerous areas of the Confide app on Windows, macOS, and Android. By reverse-engineering the applications to see how they work and where they might have weaknesses, and probing Confide's public API to see what data could be accessible to anyone, the researchers discovered that they could alter messages and attachments in transit, decrypt messages, impersonate users, and reconstruct a database of all Confide users, their names, email addresses, and phone numbers. It's a concerning list of potential attacks for an app that touts security and privacy as its main offerings.

In total, the IOActive researchers laid out 11 vulnerabilities. For example, they were able to access over 7,000 records for users who joined Confide between February 22 and February 24, before Confide detected the intrusion. The database contains between 800,000 and 1 million user records in all. The app didn't have protection against brute-forcing account passwords and didn't even have strong minimum requirements for what a user's password could be. It didn't notify recipients when senders sent unencrypted messages, and the system didn't require a valid web encryption certificate.

IOActive disclosed the bugs to Confide on February 28. Confide was already aware of some of the bugs after detecting the researchers' probing, and by March 3 the company told IOActive that all the vulnerabilities had been patched. IOActive says that it was satisfied with Confide's reaction. "When our researchers connected with Confide to disclose the vulnerabilities, they were receptive to our research, quick to move on addressing critical issues found, and worked with us to share the information," IOActive CEO Jennifer Steffens said in a statement.

Confide has been around since 2014, though, so protecting the app going forward, while crucial, doesn't mitigate the risk its users have already faced. But Confide assures its users that the bugs were never exploited. "Our security team is continuously monitoring our systems to protect our users' integrity," says Confide president Jon Brod. "IOActive's attempt to gather account information was detected and stopped in real time. Not only has this particular issue been resolved, but we also have no detection of it being exploited by any other party. In addition, we've also ensured that the same or similar approaches will not be possible going forward."

Other researchers have piled on similar findings about the state of Confide's security. Experts have also been calling the app out for a while for using proprietary cryptography and offering no evidence that it has invited independent code audits to check for vulnerabilities. Encrypted communication services that are open source, like Signal, garner more trust in the security community because of their transparency.

"Public review of open source code can [reveal] such flaws," says Sven Dietrich, a cryptography researcher at CUNY John Jay College of Criminal Justice. He adds that code reviews allow experts to identify programming mistakes that jeopardize user messages or credentials, and protocol mistakes like improper exchange of keys or messages. Basically, all the issues Confide ran into.

It's difficult for consumers to know which security products to choose or even how to compare the options. This puts responsibility on software makers to secure their products. "Encryption software assumes such an important role today. The only way to ensure that a piece of software does not contain back doors or gaping holes is to have independent trust experts audit the code. This is best practice," says Kevin Curran, a cybersecurity researcher at Ulster University and IEEE senior member. "We all know that it is unreasonable to expect vulnerability-free software, but we need to look at risk mitigation."

Now that Confide has patched its vulnerabilities, users will have more protection. But without greater transparency, users may not have confidence that other flaws aren't lurking in their favorite encrypted chat app. For a White House staffer leaking information critical to United States discourse and fearing retribution from a temperamental boss, there's no room for error.


Encryption Backdoors, Vault 7, and the Jurassic Park Rule of Internet Security – Just Security

United State Kristen Gillibrand KSM Kunduz Kyrgyzstan Laird vs Tatum Lakhdar Brahimi landmines Latif v. Holder Laurence Silberman Lavabit Law enforcement Law Enforcement Hacking Law of Armed Conflict Law of War Manual Law of War Manual Forum Law of War Manual. ICRC Lawfare Lawful Hacking Laws of War Leak Investigations Leaks Lebanon Legal Adviser Legal Adviser, DoS legal offices Legal Services Corp. v. V Letters to the Editor Lewis Kaplan Lex Specialis LGBT Libertarianism Libya Limburg Lindsey Graham Lithuania Livestream Logan Act Lord Peter Goldsmith Lords Resistance Army LTTE Luban Lujan v. Defenders of Wil Luther v. Borden Mac Thornberry Magistrate Judges Maher Arar Mahmoud Abbas Majid Khan Mali Manmohan Singh Mar-a-Lago Marco Rubio Marcy Wheeler Margo Brodie Marine Corps Mark Martins Mark VIsger Marketplace of Ideas Marne Marsha Berzon Martin Luther King Jr. Marty Lederman Material Support Matt Blaze Matthew Waxman Mauritania Mavi Marmara MCA McCain-Feinstein Amendmen McCarthyism McClatchy Mdecins Sans Frontire Media Media Shield Law Medical Personnel membership Memorial Day Mercenaries Merrick Garland Meshal v. Higgenbotham Metadata Mexico Michael Brown Michael Flynn Michael Ratner Michael Weiss Michel Foucault Microsoft Microsoft v. DOJ Microsoft Warrants Case Middle East midterm elections midterms Migrant migration Mike Rogers Military Military aid Military Commissions Military Extraterritorial Military Justice Review G military justice system Military Objective Minimization Procedures Ministry of Defense v. Ra Mitch McConnell MLAT Mohamed v. Jeppesen Datap Mohammed v. MOD Monday Reflection Money Monsanto Montreaux Document Mootness Mosaic Theory Mosul Munitions murder Muslim ban Muslim Brotherhood Mustafa al-Shamiri Mutual Legal Assistance namibia narco-trafficking Nasr v. 
Italy Nathalie Weizmann National Archives National Institute of Sta national security National Security Council National Security Lawyeri National Security Letters NATO Nawaz Sharif NCIS NCTC NDAA NDU Speech negotiations Network Investigative Tec New York Times New York Times v. DOJ Nicholas Lewin Nicholas Merrill Nicholas Slatten Niger Nigeria No-Fly List Non-international Armed C non-refoulement non-self-executing treati Nonproliferation Treaty Noor Uthman Muhammed Norms Watch North Korea Northern Ireland Notice NSA NSA Reform NSLs Nuclear Nuclear Weapons Nuremberg NYPD Obama administration occupation October Office of Legal Counsel Office of the Director of official act immunity OLC Drone Memo Oman Omar al-Bashir Omar Khadr Oona Hathaway Operation Operation Barkhane Operation Inherent Resolv Operation Protective Edge Operation Storm of Resolv Opinion Poll OPM Organization for Security Organization for the Proh Orin Kerr Osama bin Laden OTP Strategic Plan Ottawa Convention Ottawa shootings Oversight Oversight v. 
Holder Pakistan Palestine Palmer Raids Panetta Panetta Review Paris Attacks Paris Climate Accord parli Particularity Partition Parwan Patrick Leahy Patrio Patriot Act Paul Slough Paul Wolfson PCLOB Peace Talks Peacekeeping Pen Registers Pentagon Pentagon Papers perfidy Periodic Review Boards Periodic Review Boards (P persecution Peter Burke Peter Margulies Peter Raven-Hansen Philippines Pinochet Plea Agreement PMC PNSDA Poland Police militarization political question doctri Posse Comitatus Power Wars Symposium PPD-28 PPD-30 PPG PRB Pre-publication Review Pr President Obama President's NDU Spee President's Review G Presidential Campaign 201 Presidential Policy Guida Presidential Powers Presidential Review Board Presidents Day PRISM Privacy Private Military and Secu private military contract proportionality protected persons Provisional measures Public Surveys Q+A Qualified Immunity Queen's Speech R2P Rachel Kleinfeld racial discrimination Radovan Karadi Ramzi Bin al-Shibh Rand Paul Raner Collins Ranger School Ransomware rape Rasul v. Bush Ray Mabus Raza v. City of New York Readers' Guide Reagan Real Estate Recusal Red Scare reddit Reengagement Assessment refugee Refugee Crisis Religion remedies Rendition Rep. Adam Schiff Republic of Korea Resolution 2170 Responsibility to Protect Restis Restis v. United Against Rewards for Justice Rex Tillerson Reyaad Khan Rhetoric Richard Burr Richard Leon Right to Be Forgotten Right to Life Right to Privacy Right to Truth Riley v. California Robert Gates Robert H. Jackson Robert Litt Robert Sack Rodriguez v. Swartz Rogue Justice Rome Statute Ron Wyden Roof Knocking Rosenberg vs Pasha Rothstein v. UBS AG Roy Cohn Royce Lamberth Rule 41 Rules of Engagement Rumsfeld v. Padilla Russia Rwanda Ryan Vogel Saddam Hussein SAFE Act of 2015 Safe Harbor safe zones Sahel Salahi Saleh v. Titan Corp Salim v. Mitchell Samantar v. Yousuf San Bernardino Shooting sanctions Sarah Cleveland Sarah Koenig SASC Saudi Arabia Schengen Zone Schlesinger v. 
Councilman Schrems Scotland Scott Shane SCOTUS SDNY Second Circuit Secrecy Secret Law Secret Service Section 215 Section 702 Security security agreement Security Assistance security clearance self-defense Senate Senate Armed Services Com Senate Foreign Relations Senate HSGAC Senate Intelligence Commi Senate Judiciary Committe Senegal Separation of powers Serdar Mohammed v. SSD Serial Service Providers Sexual Assault Sexual Violence Seymour Hersh SFRC SGBV Sgt. Bowe Bergdahl Sharia shooting Siege Warfare signals collection Silicon Valley Sir John Chilcot SJC Slahi slavery Smith v. Maryland Smith v. Obama Snooper's Charter Snowden Snowden Treaty social Social Media Solicitor General Somalia Sonia Sotomayor Sony South Africa South Ossetia South Sudan Special Forces special rapporteur Spying Sri Lanka SSCI SSCI Report SSCI Torture Report standing Stanley McChrystal Starvation state immunity State of the Union State Responsibility state secrets state secrets privilege State v. Andrews Statehood Staten Island Status of Forces Agreemen status-based immunity statute of limitations StellarWind Stephen Williams Steve Dycus Stimson Center StingRays Stored Communications Act Sudan Sunshine Week superior responsibility Supreme Court Supreme Court of Canada Surveillance Suspension Clause Sustainable Development G Sweden Syria Syrian opposition Syrian refugees Szabo v. Hungary TACT 2000 Tadic Tahir-ul-Qadri Taliban Taliban Sources Project Tallinn Manual target Targeted Killing Targeting Decisions Taylor v. 
KBR Teaching Technology Ted Cruz term limits terrorism terrorist Terrorist Expatriation Ac Third Circuit Thomas Ambro Thomas Griffith Thomas Lubanga Dyilo Tim Kaine Tim Starks Title III Tony Blair Tor Tor Browser torture Torture Report trafficking transitional justice Transparency transparency reports Treasury Department Treaties Treaty Implementation Treaty Law Trump Trump Administration Trump Administrations truth commission Tuaua Tunisia Turkey Turkmen Turkmenv.Hasty Turner v. Safley Tweet Roll Twitter UANI UDHR Uganda Uhuru Kenyatta Uighurs UK UK Elections UK High Court UK Parliament UK Supreme Court UK Terrorism Act 2000 Ukraine Umm Sayyaf UN Assistance Mission in UN Charter UN High Commissioner for UN High Commissioner on H UN Human Rights Committee UN Security Council Uniform Code of Military United Kingdom United Nations United Nations General As United Nations Human Righ United Nations Human Righ United States ex rel. Acc United States v. Graham United States v. Moalin Universal Declaration of Universal Jurisdiction Universal Periodic Review Unlawful Combatants UNSC UNSC Resolution 1441 UNSC Resolution 2178 UNSC Resolution 2249 unwilling or unable US AID US Army US Holocaust Museum and M US v. al-Darbi US v. al-Shibh US v. Garcia US v. Khadr US v. Mehanna US v. Mohammed US v. Warshak USA Freedom USA Freedom Act Use of Force USS Cole Vance v. Terrazas Verdugo-Urquidez Veterans Veterans Day Veto Victor Restis Video Vietnam Vladimir Putin Vojislav eelj voluntary manslaughter Vulnerabilities Equities war War Crimes War Crimes Act war memorial War on Drugs War on Terror War Powers War Powers Resolution Warafi warrant canary Warsame Wartime Contracts Washington Post Wassenaar Arrangement Waziristan weapons Weapons of Mass Destructi Weekly Recap West Bank Westgate WhatsApp Whistleblowing White House Wikimedia v. 
NSA William Bradford William Ruto William Samoei Ruto Wiretap Women Women in combat Women's Rights Wong Kim Ark Yahoo Year End 2015 Year End 2016 Yemen Yezidis Yugoslavia Zakharov v. Russia Zehalf-Bibeau Zero-Day Vulnerabilities Zimbabwe Zivotofsky v. Clinton Zivotofsky v. Kerry

Surely without a hint of irony, just a day after WikiLeaks dumped a vault-load of documents detailing the Central Intelligence Agency's use of hacking tools and software exploits, FBI Director James Comey told an audience at a Boston College conference on cybersecurity that "[t]here is no such thing as absolute privacy in America." Comey's elevator pitch in support of his claim was that there is no place outside of judicial reach, citing the fact that even time-tested testimonial privileges of the spousal, clergy-penitent, and attorney-client sort can be pierced by judges in appropriate circumstances. Comey's argument, which he's made at a steady drumbeat for several years now, is that sure, privacy is important, but law-enforcement access is paramount. The government and judges, not technology, should decide when the government can get to your private information.

If only things were that simple. Comey has at various times tried to disclaim any desire to have Congress mandate backdoors to encryption-enabled devices and services, even getting himself laughed off of C-SPAN when he suggested that his approach would provide a front door instead. When it comes to encryption, doors are doors, and, as Julian Sanchez comprehensively explained more than two years ago, at the dawn of the Crypto Wars sequel, they are a truly terrible idea. To briefly recapitulate Julian's post: it is damn near impossible to create a security vulnerability that can only be exploited by the good guys; there are lots of governments out there that no freedom-loving person would classify as the good guys (an observation that takes on a chilling new cast in light of recent events); any backdoor or retention mandate both implicitly assumes and, if it is to be effective, must effectively encourage centralized over decentralized computing and communications architectures; and even if encryption really is law enforcement's digital-age bête noire, it is a small price to pay in the Golden Age of Surveillance.

So what does this all have to do with the Vault 7 leak? It's a fair question. Software exploits of the type disclosed by WikiLeaks and encryption backdoors might both technically be lines of computer code, but the stakes surrounding each are distinct. For the reasons Julian put forward (and more), encryption backdoors should be a complete non-starter. Mandating backdoors would present a grave security threat to critical internet infrastructure. As a quartet of leading security researchers put it in a highly regarded paper in 2014, mandating built-in encryption backdoors amounts to intentionally and systematically creating a set of predictable new vulnerabilities that despite best efforts will be exploitable by everyone.

When law enforcement or intelligence agencies exploit existing security vulnerabilities, things are perhaps less clear cut. Unlike with backdoors, not every exploit of a software vulnerability poses a systemic risk. (While a backdoor to the iPhone would put a hole in every pocket, the targeted deployment of an exploit would not.) Still, many vulnerability exploits have widespread consequences, putting internet security at risk. As the security quartet put it, the danger of proliferation means each use of an exploit, even if it has previously run successfully, increases the risk that the exploit will escape the targeted device. Call it the Jurassic Park Rule of Internet Security:

Jim, the kind of control you're attempting simply is . . . it's not possible. If there is one thing the history of internet security has taught us it's that vulnerabilities will not be contained. Vulnerabilities break free, they expand to new territories and crash through barriers, painfully, maybe even dangerously, but, uh . . . well, there it is. . . . I'm simply saying that vulnerabilities . . . find a way.

For example, despite reportedly rigorous testing before deployment, the Stuxnet worm used by the United States and Israel to attack an Iranian nuclear facility unexpectedly spread to non-target computers. And when the government sits on a zero-day exploit to be able to exploit it later, there is always the chance that an adversary is doing the same thing. These risks are, for the most part, inherently unknowable beforehand.

While it's true that there are unknown risks associated with both exploits and encryption backdoors, only the latter amount to deliberately introduced vulnerabilities. Nevertheless, Comey has been quite skeptical of the notion that giving the government a golden key into the encrypted devices of millions of users would present a broad threat to the security of the internet. His theory, after all, is that the government, with judges as gatekeeper, will use such a key responsibly and with oversight. But Vault 7 is a visceral reminder that the public can't trust the government to keep this stuff safe; hell, not even the government can trust the government to do so. And backdoors present an even more cut-and-dried case than exploits.

Even if an exploit or a backdoor is yours and yours alone for now, your monopoly is either a chimera, or it will be short-lived. And the consequences of spillover can be, as Jeff Goldblum learned the hard way, equally unpredictable and devastating. While WikiLeaks did not publish any malicious code this week, it did claim that the contents of Vault 7 have been circulating among former U.S. government hackers and contractors in an unauthorized manner.

What happens when a highly weaponized suite of hacking tools makes its way into the broader internet? I hope we are not about to find out, but if we are, I suspect that Comey and his colleagues at the FBI are unlikely to be happy with what they find. Here's hoping the experience gives them pause the next time they ponder whether their solution to the threat of absolute privacy is really such a good one after all.

Read the rest here:
Encryption Backdoors, Vault 7, and the Jurassic Park Rule of Internet Security - Just Security

Best encryption software: Top 5 – Computer Business Review

This list of five of the best encryption software products on the market includes platforms that enable a cutting-edge, interactive experience by harnessing the storage capabilities of the cloud, as well as special decoy and deterrent features.

Also included in our list are systems that might be less high-tech and intuitive to use, but will equip a user with high-level, industry standard protection by incorporating multiple encryption methods. Some examples in this list are rooted in a specific operating system, while there are also systems included that provide maximum mobility.

Price is also factored into this list, and some of the options provide extremely effective safeguards in their free versions.

In contrast to systems such as VeraCrypt, the only free element of this encryption software is the trial; however, the product is widely considered robust, with capabilities to support small teams and individuals within a business setting.

AxCrypt was launched in 2001 with the intention of addressing the sharing of confidential data over the Internet and of finding security solutions for Internet services, while aiming for an easy-to-use design and appearance.

The software uses 128-bit or 256-bit Advanced Encryption Standard (AES) encryption, and differs from some of the competition in that it utilises cloud storage. This means the protection you receive with the product will also span files saved on Dropbox or Google Drive.

A high level of interaction and control is made available with the software, as encrypted files can be accessed through a smartphone app. The software can also be used widely on a global scale, as advanced multilingual abilities are integrated within the software; some of these are Korean, Portuguese and Swedish.

Read the original:
Best encryption software: Top 5 - Computer Business Review

No, you shouldn’t delete Signal or other encrypted apps – TechCrunch

As alarm bells sound around the latest document dump from WikiLeaks, misinformation can spread like wildfire. Journalists are just starting to pore over the files, but a number of security researchers and privacy advocates are hoping to quash the misconception that encrypted chat apps like Signal and WhatsApp have been compromised.

A now corrected tweet by The New York Times seems to have set some of this speculation in motion.

"I think a lot of people look at the headlines from this morning and think 'Oh well, I shouldn't use those apps,'" Ross Schulman of the Open Technology Institute explained in a call with TechCrunch. "What is actually true is that those apps are really important for people to use, they protect a lot of people."

The main distinction here is that if a device like your smartphone is compromised, say through malware in iOS for example, no amount of encryption can make it safe again.

"There's nothing that the app can do, it has to decrypt the message in order for you to read it, otherwise it would be kind of useless," Schulman explains. "And when that happens, that's when malware on the computer or on the handset can kick in and read the plain text just as well as you can."

In spite of the misconceptions, some in security still see the WikiLeaks Vault7 data as a wake-up call for those who don't yet take privacy seriously. "Signal, WhatsApp and other encrypted messaging services are still functioning exactly as originally intended as the hackers aren't breaking that encryption," Ajay Arora, CEO and co-founder of security firm Vera, told TechCrunch.

Security is all about a series of layers concentrating on depth and breadth. The encryption of the apps themselves isn't what's in question and people who want to continue to use their favorite apps, should. However they should also consider other measures of security, as there is no one silver bullet to solve all security issues.

According to Joseph Hall, chief technologist for the Center for Democracy & Technology, the WikiLeaks files do not appear to contain any evidence that apps like Signal have been compromised. "It's one of these unfortunate collisions of a whole lot of data and a whole lot of interests all at once," Hall told TechCrunch. "There's nothing that seems to indicate that the crypto is broken."

Hall thinks the documents might contain some interesting details that further confirm ongoing concerns around the kind of poorly secured IoT devices we bring into our homes, but the worry over Signal is misguided. "They seem to be getting into the devices before the encryption is applied," Hall explains.

If the CIA (or anyone else) gains access to your device, it gains total control. Hall explains how this would work with hypothetical spying malware:

They can install a little thing that can take a picture of your screen every half a second or something like that. And that would be pretty useful for one reading anything that you type into one of these encrypted messaging apps, but also reading anything you read in these encrypted messaging apps. It's not just about your messages but about anyone you communicate with as well.

Ultimately, encrypted apps like Signal remain one of the most robust ways to protect your private communications; today's WikiLeaks news didn't change that.

"Unfortunately, you have to keep very, very good control over your phone," Hall said. "There's just no perfect answer in terms of being 100% unexploitable by these powerful, powerful governments."

More:
No, you shouldn't delete Signal or other encrypted apps - TechCrunch

Bitcoin May Go Boom: A Guide to This Week’s Big SEC Decision (Update) – Fortune

[Update: The SEC rejected the ETF proposal on Friday afternoon, causing the price of bitcoin to slump.]

Bitcoin is at a critical juncture. Any time now, the Securities and Exchange Commission will issue a decision that could throw open the door to a flood of new capital, and change how many investors regard the digital currency.

The SEC's bitcoin decision, which is over three years in the making, is due by Friday. Here's a plain English guide to what might happen, including why the decision is so important and how it could affect the price of bitcoin.

The agency must decide if the BATS stock exchange can change its rules to offer a bitcoin ETF (exchange traded fund), which would let people buy bitcoin like a common stock. The ETF, called the Winklevoss Bitcoin Trust ETF, is the creation of the Winklevoss brothers, who once fought Mark Zuckerberg for control of Facebook, and now own a large stock of bitcoins.

It's all about liquidity. While there are plenty of places to buy bitcoin, many investment funds can only hold assets that meet certain regulatory standards, such as approval from the SEC. If the agency approves the ETF application, money managers who want to include bitcoin in their portfolio are likely to jump in. Meanwhile, millions of ordinary people will have an easy new way to buy the digital currency. I can't really phrase it any better than this quote from BitMex, a bitcoin analysis site:

If the SEC approves the Bats rule change, all manner of American muppet retail investors can yolo into Bitcoin via a regulated ETF. The pool of eligible money that can easily obtain exposure to Bitcoin will dramatically rise. There are various predictions about the amount of money that could flow into Bitcoin. In short, it will be Yuge.

The SEC is obliged to make the decision by March 11, which is this Saturday. That means the ruling is almost certain to come out on Thursday or Friday.

According to Blake Estes, an alternative asset expert at the law firm Alston & Bird, the decision will appear on this SEC web page, and everyone will find out at the same time.

People are calling this a coin toss. Those who think the SEC will approve the ETF point to the skillful work carried out by the Winklevoss lawyers, and to the fact that bitcoin is far more mainstream than it was even two years ago. Today, many more people, including regulators, are familiar with digital currency and how it works. There is also a sense that a bitcoin ETF is sooner or later inevitable.

Pessimists, on the other hand, can point to two sets of concerns that could lead the SEC to give the thumbs down. The first of these relates to how the Winklevosses intend to run the operation. Some people are uneasy that the proposed ETF would use Winklevoss-controlled businesses to source and store the bitcoins that would back the shares. The other set of concerns lies with bitcoin itself. The digital currency has been subject to wild price fluctuations, driven in part by heists and insider antics. According to Estes, the SEC may worry the agency's approval of an ETF could lead to a bubble inflated by bitcoin novices, a bubble that could then pop.

"Some fear it could be a good opportunity for legacy players to find the next sucker to take it off their hands," said Estes.

Bitcoin has been on another tear of late, nudging a record of $1,300 per unit, more than an ounce of gold. Some of this likely reflects investor optimism the SEC will approve the ETF, meaning a future price rise is partly baked-in. Nonetheless, there are broad expectations the short term price of bitcoin will go crazy if the SEC says yes.

If the SEC says no, it will have a negative effect, though probably not a very dramatic one. The reason is there are two other ETF applications before the agency. One is called the Bitcoin Investment Trust, and was developed by Barry Silbert, a well known figure in the digital currency world. The other, called SolidX, is distinct in that it proposes to insure its bitcoin assets.

As noted above, there is a general feeling that approval for a bitcoin ETF of one type or another is inevitable, and so a rebuff by the SEC to the Winklevoss proposal would only be a temporary setback.

That's something only you can decide, preferably after a lot of research. Today, many people see bitcoin as another alternative asset class to add to a diversified portfolio. But bitcoin has an extremely volatile history, and has been prone to spectacular crashes, so if you're averse to risk, it's probably not for you.

More here:
Bitcoin May Go Boom: A Guide to This Week's Big SEC Decision (Update) - Fortune
