How to Crack Android Full Disk Encryption on Qualcomm Devices →

July 25, 2016 · 09:39

Mohit Kumar:

Android users are at severe risk when it comes to encryption of their personal and sensitive data.

Android’s full-disk encryption can be cracked much more easily than expected with a brute-force attack and some patience, affecting potentially hundreds of millions of mobile devices.

And the worst part: There may not be a full fix available for current Android handsets in the market.


32 Million Twitter Passwords Leaked →

June 9, 2016 · 15:37

LeakedSource:

This data set contains 32,888,300 records. Each record may contain an email address, a username, sometimes a second email and a visible password. We have very strong evidence that Twitter was not hacked, rather the consumer was. These credentials however are real and valid. Out of 15 users we asked, all 15 verified their passwords.

Change your password.


How iMessage Distributes Security to Block “Phantom Devices” →

April 22, 2016 · 12:39

Securosis:

Overall it’s a solid balance of convenience and security. Especially when you consider there are a billion Apple devices out there. iMessage doesn’t eliminate the need for true zero-knowledge messaging systems, but it is extremely secure, especially when you consider that it’s basically a transparent replacement for text messaging.

This is a good read if you’re interested in the security of iMessage. It’s basically very secure, but I’m sure Apple will continue improving their standards.


New Bill Would Require Companies to Decrypt Data on Demand →

April 10, 2016 · 13:00

Russell Brandom:

If the bill becomes law, Apple and other companies will have a much harder time resisting similar legal demands. Essentially any hard encryption — that is, encryption that cannot be broken by the company providing it — would be in violation of the proposed measures, presenting a massive problem for a broad range of tech companies.

I did not expect to see a bill this quickly. Quite frankly, I expected people to be intelligent and not even try to pass this sort of garbage.

My bad.


WhatsApp Just Switched on Encryption →

April 6, 2016 · 21:24

Cade Metz:

This means that if any group of people uses the latest version of WhatsApp—whether that group spans two people or ten—the service will encrypt all messages, phone calls, photos, and videos moving among them. And that’s true on any phone that runs the app, from iPhones to Android phones to Windows phones to old school Nokia flip phones. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network. In other words, WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo, or video traveling through its service. Like Apple, WhatsApp is, in practice, stonewalling the federal government, but it’s doing so on a larger front—one that spans roughly a billion devices.

I can’t help but wonder if/when encryption will be illegal in the United States, UK, and France — these three countries seem to be the ones who want it gone most. It should of course never come to that. And I truly hope it doesn’t.

Also: Wired’s title is completely baffling. We should never forget about the Apple vs. FBI kerfuffle.


Apple’s Statement on Closing of the San Bernardino Case →

March 29, 2016 · 07:20

Rene Ritchie posted Apple’s statement on iMore:

From the beginning, we objected to the FBI’s demand that Apple build a backdoor into the iPhone because we believed it was wrong and would set a dangerous precedent. As a result of the government’s dismissal, neither of these occurred. This case should never have been brought.

We will continue to help law enforcement with their investigations, as we have done all along, and we will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated.

Apple believes deeply that people in the United States and around the world deserve data protection, security and privacy. Sacrificing one for the other only puts people and countries at greater risk.

This case raised issues which deserve a national conversation about our civil liberties, and our collective security and privacy. Apple remains committed to participating in that discussion.

Though this particular case is over, the war goes on, and I’m certain this issue will appear in the news sooner or later.


Apple’s San Bernardino Fight Is Over as FBI Gains Access to iPhone →

March 29, 2016 · 05:52

Russell Brandom:

After months of work, the FBI finally has a way into the San Bernardino iPhone. In a court filing today, prosecutors told the court the new method for breaking into the phone is sound, and Apple’s assistance is no longer required. “The government has now successfully accessed the data stored on Farook’s iPhone,” the filing reads, “and therefore no longer requires assistance from Apple.” The filing provides no further details on the nature of the new method. Still, the result effectively finishes the court fight that has consumed Apple since February.

Question is: will they now go after Congress to ban encryption, or try to weaken it by law?


Apple to Hand iCloud Encryption Keys to Users →

March 18, 2016 · 19:12

Wayne Rash:

According to a number of press reports, Apple is in the process of revamping its iCloud storage service to increase security by divesting itself of the task of keeping users’ encryption keys.

Currently Apple keeps the keys to access iCloud accounts, which means, among other things, that Apple can provide information to authorities when presented with a warrant. The company provided such information from the iCloud account of Sayed Farook, the terrorist who killed 14 county employees late last year in San Bernardino, Calif. Apparently that’s now about to change. If the reports are correct, Apple is planning to offload the storage of encryption keys so that users control their keys, and they’re accessible only through a password.

This way, even Apple cannot gain access to your encrypted data, no matter how much it may want to and no matter how many government subpoenas it receives. It can’t honor court orders to provide the data because the company has no way to decrypt it.

This is to be expected. I’d like to think that Apple would have gone down this route without the current FBI fiasco taking place, but perhaps the latest events have just accelerated their plans.


Apple Encryption Engineers, if Ordered to Unlock iPhone, Might Resist →

March 18, 2016 · 19:07

John Markoff, Katie Benner & Brian X. Chen:

Apple employees are already discussing what they will do if ordered to help law enforcement authorities. Some say they may balk at the work, while others may even quit their high-paying jobs rather than undermine the security of the software they have already created, according to more than a half-dozen current and former Apple employees.

Among those interviewed were Apple engineers who are involved in the development of mobile products and security, as well as former security engineers and executives.

I can’t help but wonder how far this will go.


Facebook, Google and WhatsApp Plan to Increase Encryption of User Data →

March 14, 2016 · 20:38

Danny Yadron:

Silicon Valley’s leading companies – including Facebook, Google and Snapchat – are working on their own increased privacy technology as Apple fights the US government over encryption, the Guardian has learned.

The projects could antagonize authorities just as much as Apple’s more secure iPhones, which are currently at the center of the San Bernardino shooting investigation. They also indicate the industry may be willing to back up their public support for Apple with concrete action.

Within weeks, Facebook’s messaging service WhatsApp plans to expand its secure messaging service so that voice calls are also encrypted, in addition to its existing privacy features. The service has some one billion monthly users. Facebook is also considering beefing up security of its own Messenger tool.

Snapchat, the popular ephemeral messaging service, is also working on a secure messaging system and Google is exploring extra uses for the technology behind a long-in-the-works encrypted email project.

At this point in time I would like to see more action from the other tech companies — this is obviously a delicate situation, but too much is at stake.


The Sequel to the Crypto Wars →

March 14, 2016 · 20:13

Steven Levy:

As with the first round of the crypto wars, the stakes could not be higher. Once again, the government is seeking to control that genie first released by Diffie and Hellman. But the physics of computer security have not changed. Last July, a panel of fifteen eminent security specialists and cryptographers — many of whom are veterans of the first crypto war — released a report confirming there was no way for the government to demand a means of bypassing encryption without a dire compromise of security. It just doesn’t work.

There is no middle ground.


Barack Obama: ‘Smartphones Can’t Be Allowed to Be Black Boxes’ →

March 13, 2016 · 10:38

Justin Sink:

President Barack Obama said Friday that smartphones — like the iPhone the FBI is trying to force Apple Inc. to help it hack — can’t be allowed to be “black boxes,” inaccessible to the government. The technology industry, he said, should work with the government instead of leaving the issue to Congress.

“You cannot take an absolutist view on this,” Obama said at the South by Southwest festival in Austin, Texas. “If your argument is strong encryption no matter what, and we can and should create black boxes, that I think does not strike the kind of balance we have lived with for 200, 300 years, and it’s fetishizing our phones above every other value.”

I’m disappointed in Obama. I also don’t think he knows exactly what he’s talking about.


WhatsApp Encryption Targeted by DOJ →

March 13, 2016 · 10:35

Matt Apuzzo:

But in late 2014, the company said that it would begin adding sophisticated encoding, known as end-to-end encryption, to its systems. Only the intended recipients would be able to read the messages.

“WhatsApp cannot provide information we do not have,” the company said this month when Brazilian police arrested a Facebook executive after the company failed to turn over information about a customer who was the subject of a drug trafficking investigation.

The iPhone case, which revolves around whether Apple can be forced to help the F.B.I. unlock a phone used by one of the killers in last year’s San Bernardino, Calif., massacre, has received worldwide attention for the precedent it might set. But to many in law enforcement, disputes like the one with WhatsApp are of far greater concern.

For more than a half-century, the Justice Department has relied on wiretaps as a fundamental crime-fighting tool. To some in law enforcement, if companies like WhatsApp, Signal and Telegram can design unbreakable encryption, then the future of wiretapping is in doubt.


Warrant-Proof Places →

March 13, 2016 · 10:13

Jonathan Zdziarski:

We, as everyday Americans, should also encourage the idea of warrant proof places. The DOJ believes, quite erroneously, that the Fourth Amendment gives them the right to any evidence or information they desire with a warrant. The Bill of Rights did not grant rights to the government; it protected the rights of Americans from the overreach that was expected to come from government. Our most intimate thoughts, our private conversations, our ideas, our -intent- are all things our phone tracks. These are concepts that must remain private (if we choose to protect them) for any functioning free society. In today’s technological landscape, we are no longer giving up just our current or future activity under warrant, but for the first time in history, making potentially years of our life retroactively searchable by law enforcement. Things are recorded in ways today that no one would have imagined, even when CALEA was passed. The capability that DOJ is asserting is that our very lives and identities – going back across years – are subject to search. The Constitution never permitted this.


Craig Federighi on iOS Security for the Washington Post →

March 7, 2016 · 09:57

Craig Federighi:

Security is an endless race — one that you can lead but never decisively win. Yesterday’s best defenses cannot fend off the attacks of today or tomorrow. Software innovations of the future will depend on the foundation of strong device security. We cannot afford to fall behind those who would exploit technology in order to cause chaos. To slow our pace, or reverse our progress, puts everyone at risk.

This is not just about protecting the data on our phones. This is about keeping all of our lives and data private, which we store on miniature computers in our pockets.


FBI & DA Misleading Courts and Public for their Own Agenda →

March 6, 2016 · 10:53

Brandon Bailey:

But the idea that Farook might have used the phone to transmit a “lying-dormant cyber pathogen” into county data systems is a new one. Ramos’ office, however, cited it in a court filing Thursday among several other reasons to support the government’s position.

“This was a county employee that murdered 14 people and injured 22,” Ramos said. “Did he use the county’s infrastructure? Did he hack into that infrastructure? I don’t know. In order for me to really put that issue to rest, there is one piece of evidence that would absolutely let us know that, and that would be the iPhone.”

The argument drew condemnation from one software expert who has signed a brief in support of Apple’s position.

“Ramos’s statements are not only misleading to the court, but amount to blatant fear mongering,” independent software researcher Jonathan Zdziarski wrote in a post on his personal blog.

Other security experts who haven’t taken sides also discounted the scenario. “It’s definitely possible, technically, but it doesn’t seem to me at first glance to be likely,” said David Meltzer, a computer security expert and chief research officer at Tripwire, a commercial IT security firm. He said Apple’s iPhone operating system is a relatively closed environment that’s designed so users can’t easily introduce their own programs.

Ramos, meanwhile, said he’d heard about social media posts that mocked the term “cyber pathogen,” which is not generally used by tech experts. “When they do that,” he said, “they’re mocking the victims of this crime, of this horrible terrorist attack.”

Using the victims of a terrorist attack to further their own agenda, however, that’s much worse.


Amazon Removes Encryption From Fire Tablets →

March 3, 2016 · 22:52

Patrick Howell O’Neill:

While Apple continues to resist a court order requiring it to help the FBI access a terrorist’s phone, another major tech company just took a strange and unexpected step away from encryption.

Amazon has removed enterprise-level device encryption from its Fire Tablet devices. While Amazon’s Kindle Fire, Fire Phone, and Fire TV devices run the same operating system—called Fire OS—the update only applies to the company’s tablets, although this still affects millions of users.


The UK’s Proposed Spy Law Would Force Apple to Secretly Hack Its Phones Too →

February 26, 2016 · 14:50

Danny O’Brien:

You don’t need to look to Beijing—or even the future—to find the answer to that question. The newly proposed British spying law, the Investigatory Powers Bill (IPB), already includes methods that would permit the British government to order companies like Apple to re-engineer their own technology, just as the FBI is demanding. Worse, if the law passes, each of these methods would be accompanied by a gag order. Not only would Apple be expected to comply, but the IPB would insist that Tim Cook could not tell the public what was going on without breaking UK law. At least in the current fight between Apple and the US government, we’re having the debate out loud and in public.

I’m always reminded of ‘V for Vendetta’ when I read about the absurdity of UK laws, and the little to no public outcry.


Apple Files Motion to Vacate the Court Order to Force It to Unlock iPhone →

February 26, 2016 · 01:04

Matthew Panzarino:

Apple’s reasoning in the brief rests on three pillars. First, that forcing Apple to write code that weakens its devices and the security of its customers constitutes a violation of free speech as protected by the Constitution.

Second, that the burden the FBI is putting on it by requesting that Apple write the software and assist in unlocking the device is too large. Apple argues that it would have to create the new version of iOS, called GovtOS, which requires coding, signing, verification and testing. It would then have to create an FBI forensics laboratory on site at its headquarters and staff it. The burden would then extend to what Apple views is the inevitable onslaught of additional devices that would follow after the precedent was set.

In addition to free speech, Apple argues that the Fifth Amendment’s Due Process clause prohibits the government from compelling Apple to create the new version of iOS. Apple argues that there is no court precedent for forcing a company to create something new, like GovtOS.

“But compelling minimal assistance to surveil or apprehend a criminal (as in most of the cases the government cites), or demanding testimony or production of things that already exist (akin to exercising subpoena power), is vastly different, and significantly less intrusive, than conscripting a private company to create something entirely new and dangerous. There is simply no parallel or precedent for it,” reads the filing.


Kevin Roose Dared Two Hackers to Destroy His Life — Here’s What Happened

February 25, 2016 · 16:00

Kevin Roose:

Several months ago, while I was typing a few e-mails at my dining room table, my laptop spoke to me.

“You…look…bored,” it said in a robotic monotone, out of nowhere.

Startled, I checked my browser tabs and my list of open applications to see if anything had been making noise. Nothing had. I hadn’t been watching any YouTube videos, browsing any pages with autoplay ads, or listening to any podcasts when the voice appeared.

Then I realized: this was the hacker. The same hacker who, for the prior two weeks, had been making my life a nightmare hellscape — breaking into my email accounts, stealing my bank and credit card information, gaining access to my home security camera, spying on my Slack chats with co-workers, and—the coup de grâce—installing a piece of malware on my laptop that hijacked my webcam and used it to take photos of me every two minutes, then uploaded those photos to a server owned by the hacker.

Hence the robot voice. From his computer on the other side of the country, the hacker spied on me through my webcam, saw that I was unenthused, and used my laptop’s text-to-speech function to tell me “you look bored.”

I had to admit, it was a pretty good troll.


Maricopa County Attorney’s Office Will Discontinue Providing iPhones for Employees →

February 25, 2016 · 15:59

Maricopa County Attorney’s Office:

Effective immediately, the Maricopa County Attorney’s Office will discontinue providing iPhones as an option for replacements or upgrades for existing employees. Maricopa County Attorney Bill Montgomery announced the decision today, first communicated to applicable staff on Sunday, February 21, citing Apple’s recent refusal to cooperate in unlocking an encrypted iPhone used by individuals involved in the recent San Bernardino shootings.

“Apple’s refusal to cooperate with a legitimate law enforcement investigation to unlock a phone used by terrorists puts Apple on the side of terrorists instead of on the side of public safety,” Montgomery said. “Positioning their refusal to cooperate as having anything to do with privacy interests is a corporate PR stunt and ignores the 4th Amendment protections afforded by our Constitution.”

There are currently 564 smartphones deployed throughout the office, 366 of which are iPhones.

This just gets better and better.


How Is the Public Supposed to Understand Apple’s Fight for Privacy if the Reporters Themselves Don’t Have a Grasp on the Issue? →

February 23, 2016 · 15:37

William J. Bratton and John J. Miller:

The phone in the San Bernardino case stopped uploading data to the cloud about six weeks before the killings. That suggests there may be information inside the device that was deliberately concealed. That could include the identities of terrorists who influenced or directed the attack; such information, if pursued, could prevent future plots. Or the iPhone might contain nothing of value. It is Apple’s position that we should never know.

The phone could also contain the plans of the Death Star, but since the FBI screwed this up, we might not ever find out if they’re on there.


Justice Department Wants to Force Apple to Unlock a Dozen More iPhones →

February 23, 2016 · 15:29

Devlin Barrett:

The Justice Department is pursuing court orders to force Apple Inc. to help investigators extract data from iPhones in about a dozen undisclosed cases around the country, in disputes similar to the current battle over a terrorist’s locked phone, according to people familiar with the matter.

The other phones are at issue in cases where prosecutors have sought, as in the San Bernardino, Calif., terror case, to use an 18th-century law called the All Writs Act to compel the company to help them bypass the passcode security feature of phones that may hold evidence, these people said.

The specifics of the roughly dozen cases haven’t been disclosed publicly, but they don’t involve terrorism charges, these people said.

This is going to get a whole lot uglier before it gets better. If it gets better.


Pew Research Center Poll: 51% Say Apple Should Unlock iPhone →

February 23, 2016 · 01:45

Pew Research Center:

As the standoff between the Department of Justice and Apple Inc. continues over an iPhone used by one of the suspects in the San Bernardino terrorist attacks, 51% say Apple should unlock the iPhone to assist the ongoing FBI investigation. Fewer Americans (38%) say Apple should not unlock the phone to ensure the security of its other users’ information; 11% do not offer an opinion on the question.

I strongly believe that many of these people would change their mind if they knew more about the subject, and the potential consequences.

Among those who personally own an iPhone, views are about evenly divided: 47% say Apple should comply with the FBI demand to unlock the phone, while 43% say they should not do this out of concern it could compromise the security of other users’ information.

Among those who own a model of smartphone other than the iPhone, 53% say Apple should unlock the phone, compared with 38% who say they should not.

That second part is not surprising to me.


Pair-Lock Your Device With Apple’s Configurator to Effectively Disable Every Logical Forensics Tool on the Market →

February 23, 2016 · 01:05

Jonathan Zdziarski:

This article is a brief how-to on using Apple’s Configurator utility to lock your device down so that no other devices can pair with it, even if you leave your device unlocked, or are compelled into unlocking it yourself with a passcode or a fingerprint. By pair-locking your device, you’re effectively disabling every logical forensics tool on the market by preventing it from talking to your iOS device, at least without first being able to undo this lock with pairing records from your desktop machine. This is a great technique for protecting your device from nosy coworkers, or cops in some states that have started grabbing your call history at traffic stops.