Posted on

Reclassifying Semi-Automatic Rifles under the National Firearms Act

I originally published this in 2016, and dust it off every time there’s a mass shooting in the news. This post has seen the top of my feed year after year, as politicians continue to offer nothing but thoughts and prayers.

I’ve been a long time responsible gun owner, by the old definition of what that used to mean. Like a majority of them, I’ve wanted more controls on semi-automatic rifles – particularly, assault rifles, for a long time. There’s idiocy on both sides of this debate, and both have some questionable notions about them. The extreme left seems to have developed an irrational fear and hatred of all guns and the extreme right believes the only solution to guns are more guns. Consider this more realistic perspective from someone who spent over a decade shooting and working on guns, held NRA certifications to supervise ranges and carry concealed weapons, and up until some years ago – when I sold the rights to it – produced the #1 ballistics computer in the App Store.

What much of the nation does not realize is that there is already a system in place to perform strict checks of individuals looking to own firearms categorized as highly lethal – but it isn’t being used to control most assault rifles. Introduced in the National Firearms Act legislation, this system was applied to machine guns, short barrel rifles, silencers, sawed off shotguns, and other types of firearms that individuals can still legally own today, but with more than the casual regulation of AR-15s and other such firearms. It could be changed to include semi-automatic rifles. In my opinion, it should be, and in this post I’ll argue why I’d like to see the President and legislators push for this.

Continue reading “Reclassifying Semi-Automatic Rifles under the National Firearms Act”
Posted on

Evangelical Christianity has Become Alien to me

All have turned aside, they have together become corrupt; there is no one who does good, not even one.

Psalm 14:2-3

 

I’ve devoted much of the past 30 years as an evangelical Christian “layperson” to Christian studies to try and become an educated one. Greek, theology, patristic authors, and Christian history should be in the wheelhouse of every Christian, yet many never study their own religion. Sadly, it’s of little surprise that what Christianity has become in America is entirely alien to historical Christianity and lately, basic human decency. I don’t recognize the church in the midst of the racism, hostility, and lies that Christians proliferate today. I’m frankly ashamed and embarrassed to have to share the label. Last year brought some of the worst out in us. I’m referring to the mainstream evangelical church – relatives, friends, and people I’ve grown up with – who were once a much-needed example of Christianity to me – have severely disappointed in how they’ve conducted themselves, causing me to question if they ever truly understood their own faith.

Every Christian’s example par excellence – Jesus – was abundantly clear in having nothing to do with the wicked. He literally turned tables on those whose agenda didn’t align with his. Scripture is chock full of warnings about the dangers of aligning with wicked people, or compromising one’s values to an end. Christianity teaches of a savior who demonstrated sheer disinterest in politics, from “Render unto Caesar” to his markedly uninterested appearance before an irrelevant Pontius Pilate. Early Christians wielded no political clout for over three hundred years, and were still victims of massacre and martyrdom for centuries beyond that. Yet today, we’re obsessed with having power – even to the degree of aligning with white nationalists who condone hate and murder, or expressing blind, cult-like loyalty to demagogues. The mere fact that any Christian would fervently support an administration that backed policies amounting to thinly veiled modern-day genocide, sowed racism and division throughout the country, and willfully left the congress of the United States to be murdered by insurrectionists – is the epitome of hypocrisy, a stain on Christianity, and yet sadly, a perfectly concise example of the new face of radicalized evangelicalism in America. Many Christians have, in the short span of a few years, become enablers of hate, violence, racism, immorality, and division through their alliances, their crowd funding, and trafficking in misinformation to rationalize it into a manufactured “Christian” reality. The church sacrificed her reputation and laid in bed with the devils of our generation, all for the kind of influence and power that Jesus would yawn at.

This cannot be reconciled with Christianity, which celebrates a meek savior who saw intrinsic value in people regardless of their race, their past, or their status. He called for the lifting up of those who were downcast and mistreated by society. He called for sacrificial love of the disenfranchised. To reflect compassion. Generosity. Selflessness. He thought mankind was valuable enough to sacrifice for. Christianity should be, by definition, a mirror image of Christ’s sacrificial love for humanity, and an example of integrity and truth, even to one’s own detriment. I don’t see the character of Jesus Christ in today’s American Christians. Christians couldn’t even bother wearing a mask to save the life of someone sitting next to them.

In retrospect, this has been a long time coming. It is of little surprise that Christians support racist leaders, as the church has become the most segregated institution in the country. White Christians have spent generations basking in the privilege of not having to think or preach about racism and inequality, while black and brown Christians in churches down the road are haunted by it daily. The ability to remain blissfully ignorant of racism has been the darling sin of every white suburban Christian church since history was first tormented to create a white Jesus. And is it any surprise that Christians have become extreme anti-science in the wake of infectious disease? The church’s historical inability to grasp our own God as chief architect with any tools other than magic has caused otherwise intelligent people to become modern-day imbeciles – even in the broad daylight of mass graves and outdoor crematoriums resembling hell on Earth. 

Christians, we are called to be innocent of evil, not to align ourselves with it. How can we support the immorality of those we elect to govern us, or crowd fund for murderers and white supremacists when it so clearly has borne the fruit of evil? As Christians and human beings, this should grieve us, not excite us. This manufactured reality doesn’t represent the God that I worship, study, and aspire to be more like. If it resembles your god, I suggest you examine what you are worshipping.

Our actions are not without accountability in the next life, I fear, much to the pains of those who don’t care who they align themselves with, who they infect, or what atrocities they help fund. God knows every hair we’ve harmed through our indifference. Church leaders will be held to an even higher accounting when they face God. The famous words Jesus uttered, “I stand at the door and knock” in Revelation was not directed at the lost, but at the church, who often left their own savior out in the cold. The behavior many Christians and Christian leaders today have exhibited more closely resembles mob rule under oppressive dictatorships than it does the meek and sacrificial historical Jesus. I do not believe most of the church could even recognize their own savior anymore. This grieves me immeasurably.

Posted on

Biden Should Take the White House off of Twitter

The Biden administration is having a little Twitter fight about whether or not to reset the followers of the @potus account. While followers were rolled over from the Obama administration to Trump’s, the Trump administration, who views Twitter followers as if they represented actual voters-who-love-Donald, doesn’t think the incoming president should get to inherit all of those bots and disenfranchised twelve-year olds. Let us stop and reflect on the stupidity and pettiness of this argument. What the Biden administration really should be thinking about is whether to close @potus and get the White House off of Twitter completely.

Social media, especially Twitter, has year after year been on a steady course of devolving into one of the most toxic and unpleasant public gatherings on the Internet. Long before Trump took office, social media was the leading source of disinformation, threats, harassment, toxicity, and division. Combined with a platform that adopts thought-terminating loaded language hash tags (e.g. #StopTheSteal) and abbreviated messaging that lacks critical thought, Twitter has long been a platform designed to capitalize on the cult phenomenon. Twitter has been not only markedly complicit, but in a position to profit off of the toxicity, disinformation, and abuse it allows by the Trump administration and other public officials who’ve started emulating the behavior.

Continue reading “Biden Should Take the White House off of Twitter”
Posted on

Truth is not Partisan

If you watched yesterday’s senate judiciary hearings with CEOs from Twitter and Facebook, two things would have stuck out to you. First, why is Jack Dorsey addressing the senate from the kitchen department at an IKEA? Second, how did a judiciary hearing about misinformation campaigns somehow turn into a misinformation campaign itself? At the heart of this hearing were social media companies making tools and information available to users to combat misinformation through the use of labels and interstitials; why weren’t any senators interested in examining the facts surrounding such policies, I wonder? Rather, senators demonstrated an eye-rolling indifference to truth and instead took the opportunity to peddle their own conspiracy theories, including partisan bias and mind control by robber barons using project management software. The entire thing ended up one big partisan temper tantrum, and was an embarrassment to the American people, frankly.

Truth and facts – regardless of topic, have never been, and never will be a matter of partisan perspective, and anyone who tells you differently is a politician. Truth doesn’t work in reverse – it is impossible to start with a narrative, and then create facts to accommodate it, yet that’s how our terribly dysfunctional political system has worked for the past four years. One can only draw a perspective out of an interpretation of truth based on the facts, wherever they fall. Without accurate facts, narrative ends up where it is today – anything you want it to be, if you’re willing to torture truth to be what you wish it was. But facts don’t change just because you “believe” something different, and when genuine facts disagree with your narrative, you just look like an ass trying to wage war against it.

Alas, politicians aren’t known for operating in truth. Quite the contrary, politicians are known throughout history to excel at lying. Were this not true, there would be little need for fact checkers in this country. It was quite ironic to see the people doing the fact checking getting roasted by the very reason we need fact checking in the first place. What hubris there must be, in those who govern by our consent to consider themselves ones to lord over the watchers.

Posted on

Presidential Policy Directive 19

Is anyone surprised the Obama-era whistleblower directive put into place actually worked? I bet Edward Snowden is. Not only did it work, but Congress wouldn’t have given it such weight had the information been otherwise leaked in a Snowden or Manning-esque style, nor would the IG have had the chance to acknowledge the information as “credible and urgent”. Historical treatment of whistleblowers has been deplorable, but we also didn’t have these protections in the 70s, when Ellsberg or others could have used them, so the comparison is also irrelevant. Congress, the IC, and the press are taking “extreme measures” to protect the anonymity (and safety) of the whistleblower, and most acknowledge how crucial it is to do so in order to keep a democracy. This is a very different outcome than what Snowden predicted would happen if he’d made an attempt at the proper channels first. While the jury is still out on the hero vs. traitor debate, the fact that these whistleblower procedures undeniably succeeded in bringing things to light can’t be helping Snowden’s image.

Posted on

On NCCIC/FBI Joint Report JAR-16-20296

Social media is ripe with analysis of an FBI joint report on Russian malicious cyber activity, and whether or not it provides sufficient evidence to tie Russia to election hacking. What most people are missing is that the JAR was not intended as a presentation of evidence, but rather a statement about the Russian compromises, followed by a detailed scavenger hunt for administrators to identify the possibility of a compromise on their systems. The data included indicators of compromise, not the evidentiary artifacts that tie Russia to the DNC hack.

One thing that’s been made clear by recent statements by James Clapper and Admiral Rogers is that they don’t know how deep inside American computing infrastructure Russia has been able to get a foothold. Rogers cited his biggest fear as the possibility of Russian interference by injection of false data into existing computer systems. Imagine the financial systems that drive the stock market, criminal databases, driver’s license databases, and other infrastructure being subject to malicious records injection (or deletion) by a nation state. The FBI is clearly scared that Russia has penetrated more systems than we know about, and has put out pages of information to help admins go on the equivalent of a bug bounty.

Continue reading “On NCCIC/FBI Joint Report JAR-16-20296”

Posted on

San Bernardino: Behind the Scenes

I wasn’t originally going to dig into some of the ugly details about San Bernardino, but with FBI Director Comey’s latest actions to publicly embarrass Hillary Clinton (who I don’t support), or to possibly tip the election towards Donald Trump (who I also don’t support), I am getting to learn more about James Comey and from what I’ve learned, a pattern of pushing a private agenda seems to be emerging. This is relevant because the San Bernardino iPhone matter saw numerous accusations of pushing a private agenda by Comey as well; that it was a power grab for the bureau and an attempt to get a court precedent to force private business to backdoor encryption, while lying to the public and possibly misleading the courts under the guise of terrorism.

Continue reading “San Bernardino: Behind the Scenes”

Posted on

WSJ Describes Reckless Behavior by FBI in Terrorism Case

The Wall Street Journal published an article today citing a source at the FBI is planning to tell the White House that “it knows so little about the hacking tool that was used to open terrorist’s iPhone that it doesn’t make sense to launch an internal government review”. If true, this should be taken as an act of recklessness by the FBI with regards to the Syed Farook case: The FBI apparently allowed an undocumented tool to run on a piece of high profile, terrorism-related evidence without having adequate knowledge of the specific function or the forensic soundness of the tool.

Best practices in forensic science would dictate that any type of forensics instrument needs to be tested and validated. It must be accepted as forensically sound before it can be put to live evidence. Such a tool must yield predictable, repeatable results and an examiner must be able to explain its process in a court of law. Our court system expects this, and allows for tools (and examiners) to face numerous challenges based on the credibility of the tool, which can only be determined by a rigorous analysis. The FBI’s admission that they have such little knowledge about how the tool works is an admission of failure to evaluate the science behind the tool; it’s core functionality to have been evaluated in any meaningful way. Knowing how the tool managed to get into the device should be the bare minimum I would expect anyone to know before shelling out over a million dollars for a solution, especially one that was going to be used on high-profile evidence.

A tool should not make changes to a device, and any changes should be documented and repeatable. There are several other variables to consider in such an effort, especially when imaging an iOS device. Apart from changes made directly by the tool (such as overwriting unallocated space, or portions of the file system journal), simply unlocking the device can cause the operating system to make a number of changes, start background tasks which could lead to destruction of data, or cause other changes unintentionally. Without knowing how the tool works, or what portions of the operating system it affects, what vulnerabilities are exploited, what the payload looks like, where the payload is written, what parts of the operating system are disabled by the tool, or a host of other important things – there is no way to effectively measure whether or not the tool is forensically sound. Simply running it against a dozen other devices to “see if it works” is not sufficient to evaluate a forensics tool – especially one that originated from a grey hat hacking group, potentially with very little actual in-house forensics expertise.

Continue reading “WSJ Describes Reckless Behavior by FBI in Terrorism Case”

Posted on

Open Letter to Congress on Encryption Backdoors

To the Honorable Congress of the United States of America,

I am a proud American who has had the pleasure of working with the law enforcement community for the past eight years. As an independent researcher, I have assisted on numerous local, state, and federal cases and trained many of our federal and military agencies in digital forensics (including breaking numerous encryption implementations). Early on, there was a time when my skill set was exclusively unique, and I provided assistance at no charge to many agencies flying agents out to my small town for help, or meeting with detectives while on vacation. I have developed an enormous respect for the people keeping our country safe, and continue to help anyone who asks in any way that I can.

With that said, I have seen a dramatic shift in the core competency of law enforcement over the past several years. While there are many incredibly bright detectives and agents working to protect us, I have also seen an uncomfortable number who have regressed to a state of “push button forensics”, often referred to in law enforcement circles as “push and drool forensics”; that is, rather than using the skills they were trained with to investigate and solve cases, many have developed an unhealthy dependence on forensics tools, which have the ability to produce the “smoking gun” for them, literally with the touch of a button. As a result, I have seen many open-and-shut cases that have had only the most abbreviated of investigations, where much of the evidence was largely ignored for the sake of these “smoking guns” – including much of the evidence on the mobile device, which often times conflicted with the core evidence used.

Continue reading “Open Letter to Congress on Encryption Backdoors”

Posted on

The Dangers of the Burr Encryption Bill

The Burr Encryption Bill – Discussion Draft dropped last night, and proposes legislation to weaken encryption standards for all United States citizens and corporations. The bill itself is a hodgepodge of technical ineptitude combined with pockets of contradiction. I would cite the most dangerous parts of the bill, but the bill in its entirety is dangerous, not just for its intended uses but also for all of the uses that aren’t immediately apparent to the public.

The bill, in short, requires that anyone who develops features or methods to encrypt data must also decrypt the data under a court order. This applies not only to large companies like Apple, but could be used to punish developers of open source encryption tools, or even encryption experts who invent new methods of encryption. Its broad wording allows the government to hold virtually anyone responsible for what a user might do with encryption. A good parallel to this would be holding a vehicle manufacturer responsible for a customer that drives into a crowd. Only it’s much worse: The proposed legislation would allow the tire manufacturer, as well as the scientists who invented the tires, to be held liable as well.

Screen Shot 2016-04-08 at 10.20.12 AM

Continue reading “The Dangers of the Burr Encryption Bill”

Posted on

An Open Letter to FBI Director James Comey

Mr. Comey,

Sir, you may not know me, but I’ve impacted your agency for the better. For several years, I have been assisting law enforcement as a private citizen, including the Federal Bureau of Investigation, since the advent of the iPhone. I designed the original forensics tools and methods that were used to access content on iPhones, which were eventually validated by NIST/NIJ and ingested by FBI for internal use into your own version of my tools. Prior to that, FBI issued a major deviation allowing my tools to be used without validation, due to the critical need to collect evidence on iPhones. They were later the foundation for virtually every commercial forensics tool to make it to market at the time. I’ve supported thousands of agencies worldwide for several years, trained our state, federal, and military in iOS forensics, assisted hands-on in numerous high-profile cases, and invested thousands of hours of continued research and development for a suite of tools I provided at no cost – for the purpose of helping to solve crimes. I’ve received letters from a former lab director at FBI’s RCFL, DOJ, NASA OIG, and other agencies citing numerous cases that my tools have been used to help solve. I’ve done what I can to serve my country, and asked for little in return.

First let me say that I am glad FBI has found a way to get into Syed Farook’s iPhone 5c. Having assisted with many cases, I understand from firsthand experience what you are up against, and have enormous respect for what your agency does, as well as others like it. Often times it is that one finger that stops the entire dam from breaking. I would have been glad to assist your agency with this device, and even reached out to my contacts at FBI with a method I’ve since demonstrated in a proof-of-concept. Unfortunately, in spite of my past assistance, FBI lawyers prevented any meetings from occurring. But nonetheless, I am glad someone has been able to reach you with a viable solution.

Continue reading “An Open Letter to FBI Director James Comey”

Posted on

How Apple Can Make Their FBI Problems Go Away

An adversary has an unknown exploit, and it could be used on a large scale to attack your platform. Your threat isn’t just your adversary, but also anyone who developed or sold the exploit to the adversary. The entire chain of information from conception to final product could be compromised anywhere along the way, and sold to a nation state on the side, blackmailed or bribed out of someone, or just used maliciously by anyone with knowledge or access. How can Apple make this problem go away?

The easiest technical solution is a boot password. The trusted boot chain has been impressively solid for the past several years, since Apple minimized its attack surface after the 24kpwn exploit in the early days. Apple’s trusted boot chain consists of a multi-stage boot loader, with each phase of boot checking the integrity of the next. Having been stripped down, it is now a shell of the hacker’s smorgasbord it used to be. It’s also a very direct and visible execution path for Apple, and so if there ever is an alleged exploit of it, it will be much easier to audit the code and pin down points of vulnerability.

Continue reading “How Apple Can Make Their FBI Problems Go Away”

Posted on

Why a Software Exploit Would be a Threat to Secure Enclave Devices

As speculation continues about the FBI’s new toy for hacking iPhones, the possibility of a software exploit continues to be a point of discussion. In my last post, I answered the question of whether such an exploit would work on Secure Enclave devices, but I didn’t fully explain the threat that persists regardless.

For sake of argument, let’s go with the theory that FBI’s tool is using a software exploit. The software exploit probably doesn’t (yet) attack the Secure Enclave, as Farook’s 5c didn’t have one. But this probably also doesn’t matter. Let’s assume for a moment that the exploit being used could be ported to work on a 64-bit processor. The 5c is 32-bit, so this assumes a lot. Some exploits can be ported, while others just won’t work on the 64-bit architecture. But let’s assume that either the work has already been done or will be done shortly to do this; a very plausible scenario.

Continue reading “Why a Software Exploit Would be a Threat to Secure Enclave Devices”

Posted on

FBI Breaks Into San Bernardino iPhone

As expected, the FBI has succeeded in finding a method to recover the data on the San Bernardino iPhone, and now the government can see all of the cat pictures Farook was keeping on it. We don’t know what method was used, as it’s been classified. Given the time frame and the details of the case, it’s possible it could have been the hardware method (NAND mirroring) or a software method (exploitation). Many have speculated on both sides, but your guess is as good as mine. What I can tell you are the implications.

Continue reading “FBI Breaks Into San Bernardino iPhone”

Posted on

My Take on FBI’s “Alternative” Method

FBI acknowledged today that there “appears” to be an alternative way into Farook’s iPhone 5c – something that experts have been shouting for weeks now; in fact, we’ve been saying there are several viable methods. Before I get into which method I think is being used here, here are some possibilities of other viable methods and why I don’t think they’re part of the solution being utilized:

  1. A destructive method, such as de-capping or deconstruction of the microprocessor would preclude FBI from being able to come back in two weeks to continue proceedings against Apple. Once the phone is destroyed, there’s very little Apple can do with it. Apple cannot repair a destroyed processor without losing the UID key in the process. De-capping, acid and lasers, and other similar techniques are likely out.
  2. We know the FBI hasn’t been reaching out to independent researchers, and so this likely isn’t some fly-by-night jailbreak exploit out of left field. If respected security researchers can’t talk to FBI, there’s no way a jailbreak crew is going to be allowed to either.
  3. An NSA 0-day is likely also out, as the court briefs suggested the technique came from outside USG.
  4. While it is possible that an outside firm has developed an exploit payload using a zero-day, or one of the dozens of code execution vulnerabilities published by Apple in patch releases, this likely wouldn’t take two weeks to verify, and the FBI wouldn’t stop a full court press (literally) against Apple unless the technique had been reported to have worked. A few test devices running the same firmware could easily determine such an attack would work, within perhaps hours. A software exploit would also be electronically transmittable, something that an outside firm could literally email to the FBI. Even if that two weeks accounted for travel, you still don’t need anywhere near this amount of time to demonstrate an exploit. It’s possible the two weeks could be for meetings, red tape, negotiating price, and so on, but the brief suggested that the two weeks was for verification, and not all of the other bureaucracy that comes after.
  5. This likely has nothing to do with getting intel about the passcode or reviewing security camera footage to find Farook typing it in at a cafe; the FBI is uncertain about the method being used and needs to verify it. They wouldn’t go through this process if they believed they already had the passcode in their possession, unless it was for fasting and prayer to hope it worked.
  6. Breaking the file system encryption on one of NSA/CIAs computing clusters is unlikely; that kind of brute forcing doesn’t give you a two week heads-up that it’s “almost there”. It can also take significantly longer – possibly years – to crack.
  7. Experimental techniques such as frankensteining the crypto engine or other potentially niche edge techniques would take much longer than two weeks (or even two months) to develop and test, and would likely also be destructive.

Continue reading “My Take on FBI’s “Alternative” Method”

Posted on

Apple vs. FBI: Where We Are Now, and Where We’re Going

Much has happened since a California magistrate court originally granted an order for Apple to assist the FBI under the All Writs Act. For one, most of us now know what the All Writs Act is: An ancient law that was passed before the Fourth Amendment even existed, now somehow relevant to modern technology a few hundred years later. Use of this act has exploded into a legal argument about whether or not it grants carte blanche rights of the government to demand anything and everything from private companies (and incidentally, individuals) if it helps them prosecute crimes. Of course, that’s just the tip of the iceberg. We’ve seen strong debates about whether any person should be allowed to have private conversations, thoughts, or ideas that can’t later be searched, whether forcing others to work for the government violates the constitution, whether other countries will line up to exploit technology if America does, and ultimately – at the heart of all of these – whether fear of the word “terrorism” is enough to cause us all to burn our constitution.

Over the past few weeks, the entire tech community has gotten behind Apple, filing a barrage of friend-of-the-court briefs on Apple’s behalf. Security experts such as myself, Crypto “Rock Stars”, constitutionalists, technologists, lawyers, and 30 Helens all agree that Apple is in the right, and that backdooring iOS would cause irreparable damage to the security, privacy, and safety of hundreds of millions of diplomats, judges, doctors, CEOs, teenage girls, victims of crimes, parents, celebrities, politicians, and all men and women around the world. Throughout the past month, legal exchanges have escalated from ice cold to white hot, and from professional to a traveling flea circus as ridiculous terms such as “lying dormant cyber pathogen” have been introduced. Congress, the courts, and the public have seen strong technical and legal arguments, impassioned pleas from victims, attempts at reason by the law enforcement community, name calling, proverbial mugs-thrown-across-the-room, uncontrollable profanity on media briefings, and just about any other form of pressure manifesting itself that one can imagine.

Continue reading “Apple vs. FBI: Where We Are Now, and Where We’re Going”

Posted on

A Bomb on a Leash

The idea of a controlled explosion comes to mind when I think about pending proceedings with Apple. The Department of Justice argues that a backdoored version of iOS can be controlled in that Apple’s existing security mechanisms can prevent it from blowing up any device other than Farook’s. This is quite true. The code signing and TSS signing mechanism used to install firmware have controls that can most certainly bind a firmware bundle to a given device UDID. What’s not true is the amount of real control and protection this provides.

Think of Apple’s signing mechanisms as a kind of “leash” if you will; they provide a means of digital rights management to control any payload delivered onto the device. Where the DOJ’s argument falls into error is that their focus is too much on this leash, and too little on the payload itself. The payload in this scenario is a modified version of iOS that has a direct line into a device’s security mechanisms to both disable them and manipulate them to rapidly brute force a passcode (remotely, mind you). It’s the electronic equivalent of an explosive for an iPhone that will blow the safe open (FBI’s analogy, not mine). What Apple is being forced to design, develop, test, validate, and protect is essentially a bomb on a leash.

Continue reading “A Bomb on a Leash”

Posted on

Apple Should Own The Term “Warrant Proof”

The Department of Justice, in a March 10 filing, accused Apple of outrightly making “warrant proof” devices, and accused Apple of obstruction of justice by making these devices so secure that they could not be searched, even with a warrant. While these words belonged to DOJ, I think Apple should own them. If you study our state laws, federal laws, and international treaties, you’ll see many examples of intellectual property that actually are protected against warrants. Yes, there are things in this country that are deemed warrant proof.

As per The State Department, Article 27.3 of the Vienna Convention on Diplomatic Relations states, a diplomatic pouch “shall not be opened or detained”. In other words, it’s warrant proof. No law enforcement agency in our country is permitted – under international treaty – to open a diplomatic pouch, and any warrants issued are null and void. Guidelines even permit for unaccompanied diplomatic pouches that are traveling without a diplomat or courier, which even further emphasizes the impetus for security of such pouches: they should have locks, and strong ones at that. Do we still have spying? Absolutely, and it’s illegal. It is not only reasonable then, but important to have a device like the iPhone – secure against illegal search and seizure.

Continue reading “Apple Should Own The Term “Warrant Proof””

Posted on

An Example of “Warrant-Friendly Security”

The encryption on the iPhone is clearly doing its job. Good encryption doesn’t discriminate between attackers, it simply protects data – that’s its job, and it’s frustrating both criminals and law enforcement. The government has recently made arguments insisting that we must find a “balance” between protecting your privacy and providing a method for law enforcement to procure evidence with a warrant. If we don’t, the Department of Justice and the President himself have made it clear that such privacy could easily be legislated out of our products. Some think having a law enforcement backdoor is a good idea. Here, I present an example of what “warrant friendly” security looks like. It already exists. Apple has been using it for some time. It’s integrated into iCloud’s design.

Unlike the desktop backups that your iPhone makes, which can be encrypted with a backup password, the backups sent to iCloud are not encrypted this way. They are absolutely encrypted, but differently, in a way that allows Apple to provide iCloud data to law enforcement with a subpoena.  Apple had advertised iCloud as “encrypted” (which is true) and secure. It still does advertise this today, in fact, the same way it has for the past few years:

“Apple takes data security and the privacy of your personal information very seriously. iCloud is built with industry-standard security practices and employs strict policies to protect your data.”

So with all of this security, it sure sounds like your iCloud data should be secure, and also warrant friendly – on the surface, this sounds like a great “balance between privacy and security”. Then, the unthinkable happened.

Continue reading “An Example of “Warrant-Friendly Security””

Posted on

On Dormant Cyber Pathogens and Unicorns

Gary Fagan, the Chief Deputy District Attorney for San Bernardino County, filed an amicus brief to the court in defense of the FBI compelling Apple to backdoor Farook’s iPhone. In this brief, DA Michael Ramos made the outrageous statement that Farook’s phone might contain a “lying dormant cyber pathogen”, a term that doesn’t actually exist in computer science, let alone in information security.

Screen Shot 2016-03-03 at 9.37.00 PM

Continue reading “On Dormant Cyber Pathogens and Unicorns”