Showing posts with label encryption. Show all posts

Friday, January 26, 2018

Wyden demands answers

One US senator is calling out the director of the Federal Bureau of Investigation for pushing the moronic notion that there is somehow a good way to add backdoors to encryption used to protect devices like Apple’s iPhone.

In a speech earlier this month, FBI Director Christopher Wray carried on the time-honored agency tradition of claiming that Silicon Valley can backdoor encryption safely if its workforce just nerds a little bit harder.

[...]

The problem, according to Wray, is that law enforcement is stymied by phone encryption, which is now widespread. [...] Tech companies, Wray said, “should be able to design devices that both provide data security and permit lawful access with a court order.”

But this is exactly what cryptographers and tech companies have repeatedly warned they can’t do, arguing that creating “lawful access” would also open the door to all sorts of hackers and malicious actors, undermining the security of the entire internet in the process.

[...]

During Wray’s confirmation process last summer, [Senator Ron] Wyden pressed him on the topic of encryption. Wray claimed he hadn’t formed a policy position on the issue, and Wyden requested that Wray consult with him before going public with his position. That apparently didn’t happen.

In a letter sent to Wray today, Wyden chastised him for advocating “a flawed policy that would harm American security, liberty, and our economy” and for not contacting Wyden prior to giving his speech.
Your stated position parrots the same debunked arguments espoused by your predecessors, all of whom ignored the widespread and vocal consensus of cryptographers. For years, these experts have repeatedly stated that what you are asking for is not, in fact, possible.

[...]

I would like to learn more about how you arrived at and justify this ill-informed policy proposal. Please provide me with a list of the cryptographers with whom you’ve personally discussed this topic since our July 2017 meeting and specifically identify those experts who advised you that companies can feasibly design government access features into their products without weakening cybersecurity. Please provide this information by February 23, 2018.
We’re guessing it’s a short list.

  Gizmodo
Or a blank one.

I'm still pissed off at Wyden for not reading out on the Senate floor - which was his to do - what he knew about the NSA's illegal domestic spying activities, allowing James Clapper to lie to Congress with impunity and forcing Edward Snowden to release classified documents and go into exile with a price on his head. I can't forgive Wyden. He'll have to do a lot more than this to make up for it.

...but hey, do what you want...you will anyway.

Friday, March 4, 2016

Kindle Fire Goes Downhill

While Apple is fighting the FBI in court over encryption, Amazon quietly disabled the option to use encryption to protect data on its Android-powered devices.

The tech giant has recently deprecated support for device encryption on the latest version of Fire OS, Amazon’s custom Android operating system, which powers its tablets and phones. In the past, privacy-minded users could protect data stored inside their devices, such as their emails, by scrambling it with a password, which made it unreadable in case the device got lost or stolen. With this change, users who had encryption on in their Fire devices are left with two bad choices: either decline to install the update, leaving their devices with outdated software, or give up and keep their data unencrypted.

  Motherboard
So, if your Kindle Fire is your go-to "computer", you might want to look for an alternative.

...but hey, do what you want...you will anyway.

Friday, December 18, 2015

FBI Fail

Following the terrorist attacks in Paris and San Bernardino, Calif., FBI Director James Comey revealed to the Senate Judiciary Committee that one of the two Islamic State-inspired shooters in the May 3 attack in Garland, Tex., “exchanged 109 messages with an overseas terrorist” the morning of the attack. He followed up by saying that the FBI was unable to read those messages. His implication? Better regulation of message-disguising encryption technology could have revealed the shooters’ plans earlier and could help prevent attacks.

However, [...] Jihadists’ main tool for planning and executing attacks in recent years has been social media — to which the government has full access — not encrypted messaging.

[...]

The Garland, Tex., shooting — the only example Comey used as an impetus to regulate encrypted technology — in fact makes the opposite point. Attacker Elton Simpson, who was under previous FBI terror-related investigations, used Twitter to openly follow and communicate with high-profile terrorists. His account was followed by prominent English-speaking Islamic State fighters and recruiters Abu Rahin Aziz and Junaid Hussain — both of whom for a long time were known to provide manuals on how to carry out lone-wolf attacks from Raqqa, Syria, before they were killed. Simpson also followed and communicated with Mohamed Abdullahi Hassan, a known American jihadist in Somalia who pledged allegiance to the Islamic State.

[...]

The encrypted messages Comey mentioned before the Judiciary Committee were discovered by the FBI only after the attack took place, but Simpson’s open-source communication was available far in advance.

[...]

[I]ncitement for the Texas shooting came from Hassan’s 31st Twitter account. Simpson, a friend and follower of Hassan, retweeted the call and later requested that Hassan send him a direct message. We at SITE, using only open-source information, reported on the call before the attack took place, and the FBI had a week to investigate the matter before the shooting.

[...]

Our research, investigations and reporting are based on open-source information — social media, forums, websites, blogs, IP addresses — which can be immensely powerful if used wisely. Government agencies, however, seem blind to this bountiful intelligence resource, and too often rely solely on classified documents and back-end access to websites.

Rather than try to create backdoors to encrypted communication services, or use the lack thereof as an excuse to intelligence failures, the U.S. government must first know how to utilize the mass amount of data it has been collecting and to improve its monitoring of jihadist activity online.

  WaPo
That supposes the real goal of the government's push to eliminate encryption is to stop terror attacks.

...but hey, do what you want...you will anyway.

UPDATE 3/29/17: 60 Minutes investigated the Garland, Texas, attacks. What they discovered is outrageous. An FBI agent was on the scene in what was just one of many FBI "foiled terror attacks" that most likely would never have happened without the FBI's input.

 

Wednesday, November 25, 2015

It's All Ed Snowden's Fault


“It’s still a capital crime, and I would give him the death sentence, and I would prefer to see him hanged by the neck until he’s dead, rather than merely electrocuted,” former CIA Director James Woolsey said during an appearance on CNN on November 19.

  New American
London Mayor Boris Johnson says the former National Security Agency contractor, who two years ago outed the U.S. government’s program of telephone and Internet surveillance, effectively taught terrorists “how to avoid being caught.” CIA Director John Brennan complained Monday that “a number of unauthorized disclosures” in recent years about the extent of federal snooping has made tracking terrorists “much more challenging.” Snowden also drew a borderline-profane slam on Twitter over the weekend from former George W. Bush press secretary Dana Perino.

[...]

The criticism of Snowden comes as intelligence officials seek to reopen a debate over the balance between security and privacy — a balance that seemed, before the deaths of 129 individuals in Paris, to have been settled firmly in favor of civil liberties.

[...]

“We’ve had a public debate. That debate was defined by Edward Snowden, right, and the concern about privacy,” former CIA Deputy Director Michael Morell said Sunday on “Face the Nation.” “I think we're now going to have another debate about that. It's going to be defined by what happened in Paris.”

In his memoirs earlier this year, Morell said Snowden's revelations had a near-immediate effect on intelligence gathering: Within weeks, “communications sources dried up, tactics were changed."

  Politico

02/05/2001 - Updated 05:17 PM ET

Terror groups hide behind Web encryption

By Jack Kelley, USA TODAY

WASHINGTON — Hidden in the X-rated pictures on several pornographic Web sites and the posted comments on sports chat rooms may lie the encrypted blueprints of the next terrorist attack against the United States or its allies.

[...]

"Uncrackable encryption is allowing terrorists — Hamas, Hezbollah, al-Qaida and others — to communicate about their criminal intentions without fear of outside intrusion," FBI Director Louis Freeh said last March during closed-door testimony on terrorism before a Senate panel.

  USA Today
Check the date of that article.

...but hey, do what you want...you will anyway.

Monday, November 2, 2015

You Cannot Escape the Big Eye

From the UK:
Companies such as Apple, Google and others will no longer be able to offer encryption so advanced that even they cannot decipher it when asked to, the Daily Telegraph can disclose.

Measures in the Investigatory Powers Bill will place in law a requirement on tech firms and service providers to be able to provide unencrypted communications to the police or spy agencies if requested through a warrant.

[...]

On its website, Apple promotes the fact that it has, for example, “no way to decrypt iMessage and FaceTime data when it’s in transit between devices”.

It adds: “So unlike other companies’ messaging services, Apple doesn’t scan your communications, and we wouldn’t be able to comply with a wiretap order even if we wanted to.”

[...]

Ministers have no plans to ban encryption services because they have an important role in the protection of legitimate online activity such as banking and personal data.

  UK Telegraph
I call bullshit on that. If they are mandating encryption that can be broken, they are effectively banning encryption.

I don't know how this affects the rest of the world if implemented, but we're at the same point here where Ladar Levison shut down his US company (Lavabit: encrypted email services) rather than comply with a similar demand from the FBI. I'm sure Apple won't be folding.
British police already have the power to compel someone to disclose cryptographic keys under RIPA (i.e., to order decryption on provision of a warrant).

[...]

Where a corporat[ion] such as Apple, Google, or WhatsApp knows about or engineers a weakness in encryption, this will allow an attacker to utilise and take advantage of that same weakness, no matter who that attacker is. Whether it be the service of a warrant by the home secretary, a foreign state, a terrorist, or that most insidious of threats, a bored teen-ager, all are equal before the eyes of mathematics.

  Weia Industries
Indeed.

...but hey, do what you want...you will anyway.

Friday, August 9, 2013

Shutting Down America

Glenn Greenwald and Edward Snowden comment on the Lavabit closure.
Secret courts issuing secret rulings invariably in favor of the US government that those most affected are barred by law from discussing? Is there anyone incapable at this point of seeing what the United States has become?

[...]

As security expert Bruce Schneier wrote in a great Bloomberg column last week, this is one of the key aspects of the NSA disclosures: the vast public-private surveillance partnership. That's what makes Lavabit's stance so heroic: as our reporting has demonstrated, most US-based tech and telecom companies (though not all) meekly submit to the US government's dictates and cooperate extensively and enthusiastically with the NSA to ensure access to your communications.

Snowden, who told me today that he found Lavabit's stand "inspiring", added:

[...]

"America cannot succeed as a country where individuals like Mr. Levison have to relocate their businesses abroad to be successful. Employees and leaders at Google, Facebook, Microsoft, Yahoo, Apple, and the rest of our internet titans must ask themselves why they aren't fighting for our interests the same way small businesses are. The defense they have offered to this point is that they were compelled by laws they do not agree with, but one day of downtime for the coalition of their services could achieve what a hundred Lavabits could not.

"When Congress returns to session in September, let us take note of whether the internet industry's statements and lobbyists - which were invisible in the lead-up to the Conyers-Amash vote - emerge on the side of the Free Internet or the NSA and its Intelligence Committees in Congress."


[...]

A report issued this week by the Technology and Innovation Foundation [...] notes that other nations' officials have been issuing the same kind of warnings to their citizens about US-based companies as the one issued by Lavabit yesterday:

And after the recent PRISM leaks, German Interior Minister Hans-Peter Friedrich declared publicly, 'whoever fears their communication is being intercepted in any way should use services that don't go through American servers.' Similarly, Jörg-Uwe Hahn, a German Justice Minister, called for a boycott of US companies."

[...]

Obviously, the Obama administration, telecom giants, and the internet industry are not going to be moved by appeals to transparency, privacy and basic accountability. But perhaps they'll consider the damage being done to the industry's global reputation and business interests by constructing a ubiquitous spying system with the NSA and doing it all in secret.

  Glenn Greenwald
Yeah, I don’t know. I don’t think they’re that rational.

Under the Heel of Big Brother's Boot

The highly encrypted email service reportedly used by NSA leaker Edward Snowden has gone offline - and its administrator claims the company is legally barred from explaining why.

  RT
I think we know why.
Based in Texas, Lavabit attracted attention last month when NSA leaker Edward Snowden used an email account with the service to invite human rights workers and lawyers to a press conference in the Moscow airport where he was then confined. A PGP crypto key apparently registered by Snowden with a Lavabit address suggests he’s favored the service since January 2010 — well before he became the most important whistleblower in a generation.

[...]

Reading between the lines, it’s reasonable to assume Levison has been fighting either a National Security Letter seeking customer information — which comes by default with a gag order — or a full-blown search or eavesdropping warrant.

Court records show that, in June, Lavabit complied with a routine search warrant targeting a child pornography suspect in a federal case in Maryland. That suggests that Levison isn’t a privacy absolutist. Whatever compelled him to shut down now must have been exceptional.

  Wired
I think we can safely surmise that the customer whose communications the NSA was seeking was in fact Edward Snowden. (Not that there wouldn't be others.)
In the weeks since the Guardian and Washington Post first began publishing stories with Snowden’s documents, the picture of the National Security Agency’s domestic-surveillance practices that’s come together is different from the one most everyone held before we’d ever heard Snowden’s name. And it has left the Administration’s explanations of what it does and doesn’t do looking pretty spotty, and at times just false.

  New Yorker
On Thursday, the homepage of Lavabit.com was changed to a letter from the company’s owner announcing that the site’s operations have ceased following a six-week long ordeal that has prompted the company to take legal action in the Fourth Circuit Court of Appeals.

Now in the midst of an escalating fight from the federal government aimed at cracking down on encrypted communications, one of the last free and secure services has thrown in the towel under mysterious circumstances.

“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations,” owner and operator Ladar Levison of Dallas, Texas wrote in the statement. “I wish that I could legally share with you the events that led to my decision. I cannot.”

“I feel you deserve to know what’s going on--the First Amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise,” wrote Levison. “As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.”
I’m sure that will be hit with an FOIA request. But it’s going to take a brave leaker to get it out.
“Lavabit believes that a civil society depends on the open, free and private flow of ideas. The type of monitoring promoted by the PATRIOT Act restricts that flow of ideas because it intimidates those afraid of retaliation. To counteract this chilling effect, Lavabit developed its secure e-mail platform. We feel e-mail has evolved into a critical channel for the communication of ideas in a healthy democracy. It’s precisely because of e-mail’s importance that we strive so hard to protect private e-mails from eavesdropping.”

[...]

Now as Levison and crew prepare for a fight in appeals court, he suggests that very few are safe from having even secure emails stolen by the US government.

“This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States,” Snowden said in the statement.

Silent Circle shuttered its encrypted e-mail service on Thursday, the second such closure in just a few hours in an apparent attempt to avoid government scrutiny that may threaten its customers' privacy.

Silent Circle, which makes software that encrypts phone calls and other communications, announced in a company blog post that it could "see the writing on the wall" and decided it best to shut down its Silent Mail feature. The company said it was inspired by the closure earlier Thursday of Lavabit, another encrypted e-mail service provider that alluded to a possible national security investigation.

[...]

"We'd considered phasing the service out, continuing service for existing customers, and a variety of other things up until today. It is always better to be safe than sorry, and with your safety we decided that the worst decision is always no decision."

  CNET
The news about Lavabit came on the same day as a story by Charlie Savage, in the Times, in which he followed up on an awkwardly phrased passage in a document supposedly about all the very strict constraints on the N.S.A. when it comes to reading the contents of Americans’ e-mails—a reference to “cases where NSA seeks to acquire communications about the target that are not to or from the target.” What that meant, he learned from further reporting, was that the agency thought it was allowed read Americans’ e-mails pretty freely, by “temporarily copying and then sifting through the contents of what is apparently most e-mails and other text-based communications that cross the border.” The N.S.A. comes up with a search term that is “about” a foreign target, and then reads whatever e-mails sent into and out of the country that it finds containing it. How is this not “targeting” Americans, when their communications are pulled out of the stream and studied? The answer is a language game: the person to whom those e-mails belong is not, by the N.S.A.’s definition, its target, nor—and this is somewhat new—does that person even have to be in touch with any foreign target. All you really have to be is interested in the same things as a target—or even just to use some words the N.S.A. has decided are “about” the target.

The extreme example that an unnamed official gave Savage is a search for a phone number the N.S.A. believes terrorists are using to call each other. What about a name? Could the N.S.A. read e-mails from members of the public if they simply discuss the case of someone the government has said is a threat? It sounds like it. This is dangerous; we already have Senators constrained from talking about what they know. We can’t all be afraid to ask questions; for a democracy, the most threatening thing would be the absence of such conversations.

  New Yorker
...but hey, do what you want...you will anyway.