A Little Lesson on 5-14-3-18-25-16-20-9-15-14

For awhile now, I have been watching the ongoing case between Apple and The Department of Justice/FBI regarding encryption. If you are not familiar:

The U.S. Department of Justice filed a motion on Friday seeking to compel Apple Inc to comply with a judge’s order to unlock the encrypted iPhone belonging to one of the San Bernardino shooters, portraying the tech giant’s refusal as a “marketing strategy.”…

The Federal Bureau of Investigation is seeking the tech company’s help to access shooter Syed Rizwan Farook’s phone by disabling some of its passcode protections. The company so far has pushed back and on Thursday won three extra days to respond to the order.

This has started a whirlwind of debate in the Federal Government and in Silicon Valley; however most consumers/users have no idea what the hell this is all about and why it is so important for them to be able to have encryption without having a “backdoor” built into it.

Now before we get into this, let me address this argument: “Well, if you ain’t got nothing to hide, then you shouldn’t be worried”.  My answer to this is that everyone has something that they do not want the general public or anyone else to know. If you truly “do not have anything to hide” and do not care who sees what then I invite you to remove all of the doors in your home (including the front & back doors), take down your curtains/blinds, leave your car unlocked, remove the passwords from everything that you own that requires a password or combination (phones, tablets, computers, locks, diaries…etc) and also, just leave your keys out on the table. Call your doctor(s) and have your medical records sent over (or just tell them that you want them released to the general public), print up all of your banking statements for public viewing (print up all of your credit card statements, too), and pull out your driver’s license and social security card and tape those to the front of the house. Oh, and be sure you do all of that for your spouse, and kids, too (Marriage license, your spouse’s weight, kids birth certificates, their report cards, their electronics need to be opened, too, don’t forget any of the kid’s journals/diaries/or poetry, all of their medical info, and all of their id cards, too) . Because I am sure they have don’t have anything to hide either, right? Not jumping up and doing this? Haven’t done it already? That’s because no one in their right mind will do any of this because everyone has something to “hide”.

OK, now that’s done. Let’s talk about two questions: What & Why?

What is encryption? 

Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text ; encrypted data is referred to as cipher text.

http://www.webopedia.com/TERM/E/encryption.html

Basically, when you encrypt data it is unreadable. To decrypt it, you have to have a decryption key, usually a password, to read the data.

Why do I want to encrypt data? 

Encryption protects our data. It protects our data when it’s sitting on our computers and in data centers, and it protects it when it’s being transmitted around the Internet. It protects our conversations, whether video, voice, or text. It protects our privacy. It protects our anonymity. And sometimes, it protects our lives.

This protection is important for everyone. It’s easy to see how encryption protects journalists, human rights defenders, and political activists in authoritarian countries. But encryption protects the rest of us as well. It protects our data from criminals. It protects it from competitors, neighbors, and family members. It protects it from malicious attackers, and it protects it from accidents.

https://www.schneier.com/blog/archives/2015/06/why_we_encrypt.html

This was the most non-technical explanation that I could find.  Encryption protects us by protecting our data. When our financial files are sitting there in the bank’s data center, they are encrypted. When our doctor has all of our medical files digitalized, they are encrypted. Certain websites are encrypted to keep your browsing safe, and certain messenger apps are encrypted to keep your conversations private.  Your phone has the option to be encrypted or may come already encrypted so that if someone does try to crack into it, they will not be able to easily get to your data.

So, why is the government so against encryption?  Well, it isn’t. The Department of Justice and the FBI are. They want law enforcement to have a “back door” into encryption so they can capture terrorists and gather evidence without having to crack through encryption.  They want it so bad that they dug up and used a law from 1789 to get this case into a courtroom. Basically, they want Apple, Google, Microsoft, HTC, Lenovo, Samsung and every other manufacturer to make their jobs incredibly easy.

Despite how the FBI & DOJ feel about it, the Obama administration has already stated:

“…it is not possible to give American law enforcement and intelligence agencies access to that information without also creating an opening that China, Russia, cybercriminals and terrorists could exploit.”

http://www.nytimes.com/2015/10/11/us/politics/obama-wont-seek-access-to-encrypted-user-data.html?_r=0

Even the Commander of the U.S. Cyber Command and Director of the  NSA is saying that encryption is “foundational to the future” and that’s coming from the man in charge of not only snooping on citizens, but also guarding every major infrastructure in the country!

So, when it comes to building backdoors in encryption, you have the private sector saying it’s a bad idea, you have the president saying it’s a bad idea, you have the NSA saying it’s a bad idea. Why though? Isn’t catching terrorists and criminals a great idea? Well, yeah, but this is just a horrible way of doing it.

Let’s say a law passes that you have to leave your house’s back door unlocked or having a lock on your back door is illegal. This is so that the police can enter your home more easily if there is an emergency or if there is probable cause to enter your home (like a suspected burglar or something). So, it is now common knowledge that every home in America has an unlocked back door. Do you honestly think that every thief, vandal, and just plain bad person is not going to take advantage of this? Are you going to feel secure knowing that your house has a way for someone to get in easily? This is exactly what can (and probably will) happen if the FBI/DOJ gets its way. Simply because this now creates an exploit in encryption that will constantly have to be patched and updated to keep out malicious “hackers” from all over the globe.

The point is encryption is good, and you should do it.

Now onto a different story regarding the whole Apple vs. the DoJ/FBI thing.

We don’t have to worry about the case of Apple vs. the DoJ/FBI anymore, because it was dropped earlier this month!

The Justice Department withdrew its legal action against Apple…earlier this month…

http://www.usatoday.com/story/news/nation/2016/03/28/apple-justice-department-farook/82354040/

Yep, the FBI had motioned to delay the proceedings and then the case was dropped. Why? Because the FBI hired a “3rd Party” and they cracked into the iPhone with no assistance from Apple.  So, now the FBI has the data from the phone from the San Bernardino shooter and Apple is off the hook (for now).

That 3rd party is a company called Cellebrite, now they say that they are a mobile forensics company for law enforcement, the military and all of these other exciting sounding things; however I know them for this:

cellebrite

This is a Cellebrite Touch, most Radio Shack’s, Best Buy’s and Mom & Pop’s cellphone retailers have them. (I know because I used to troubleshoot them when I did support for Radio Shack.) They copy your contacts, pictures, and other information from your  old or broken phone to your new or replacement phone. This is the type of “forensic technology” that it took to break into the iPhone 5c that the FBI couldn’t figure out. Now I am not saying it was this exact machine, but it’s from the same company that makes them. It’s like announcing that an encrypted super-computer has been cracked by the people that make the cash registers at Wendy’s. But, those guys at Cellebrite must be doing something right.

Now, you are probably thinking: “Wait, encryption can be broken? Wait? Then why encrypt stuff?” Because breaking encryption is VERY VERY DIFFICULT. It took the FBI and an Israeli forensics company  almost 5 months to crack into this phone. That’s a Government Agency and a Forensics Corporation. Do you think some “hacker” would have the same capability or patience? My answer is probably not. Some encryption can take months, some can take years, some can take decades and, depending on your phone, by the time you notice your phone is missing, or get a replacement, you can remote wipe and clear all of your data from the phone. So, the person that has taken/found your device gets nothing and once the phone is reported lost/stolen, the IMEI number cannot be activated again.

So, encrypt your mobile devices and learn how to enable remote control of your device in case something does happen to it.

Thanks for reading.

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s