Apple, FBI, and the Burden of Forensic Methodology

The best overview of the technical aspects of what the FBI is asking Apple to do is at Jonathan Zdziarski’s blog, starting with his February 18 post “Apple, FBI, and the Burden of Forensic Methodology” (linked above) and his subsequent follow-up posts. The most frightening section there was:

FBI has asked to do this wirelessly (possibly remotely), which also means transit encryption, validation, certificate revocation, and so on.

I have seen virtually no commentary about this point, which I think is a big, big issue. With previous data extraction cases, Apple took extensive precautions, including requiring investigators to physically transport the iPhone to the Apple facility, and isolating the unit within a Faraday cage. In other words, law enforcement had to have physical possession of the device. As many security researchers have pointed out in the past, with physical access it is almost guaranteed that an attacker will find some way to read some or all of the data stored on a device.

With an over-the-air attack tool, anyone who finds a way to bypass the supposed safeguards of the tool could target anyone at any time; they would not need physical access to the device. That makes it significantly easier for an attacker to bypass the security features and unlock the targeted iPhone. And once that happens they can do just about anything they want, including load malware, wipe the device, or dump its data. With a sufficiently sophisticated tool paired with an over-the-air attack, the owner might not even know that their iPhone has been hacked.

We Could Not Look the Survivors in the Eye if We Did Not Follow this Lead

FBI Director James Comey’s post on the oddly-named Lawfare blog:

The San Bernardino litigation isn’t about trying to set a precedent or send any kind of message.

This is disingenuous at best. Given that Tim Cook directly addressed the issue in his open letter, “Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority,” and the New York Times reported that Apple had initially asked that the request be filed under seal, it seems pretty clear that FBI Director Comey is deliberately picking a public fight.

The whole piece is an appeal to emotion, starting from the second sentence:

It is about the victims and justice. Fourteen people were slaughtered and many more had their lives and bodies ruined.

And nothing in the remainder is more honest or less manipulative than the opening lines.

You could see this coming years ago. He and other authorities have just been looking for an excuse, choosing the time and battleground for the confrontation.

One of the FBI’s Major Claims in the iPhone Case Is Fraudulent

The ACLU on the FBI vs Apple encryption backdoor:

If this generally useful security feature is actually no threat to the FBI, why is it painting it in such a scary light that some commentators have even called it a “doomsday mechanism”? The FBI wants us to think that this case is about a single phone, used by a terrorist. But it's a power grab: law enforcement has dozens of other cases where they would love to be able to compel software and hardware providers to build, provide, and vouch for deliberately weakened code. The FBI wants to weaken the ecosystem we all depend on for maintenance of our all-too-vulnerable devices. If they win, future software updates will present users with a troubling dilemma. When we're asked to install a software update, we won’t know whether it was compelled by a government agency (foreign or domestic), or whether it truly represents the best engineering our chosen platform has to offer.

In short, they're asking the public to grant them significant new powers that could put all of our communications infrastructure at risk, and to trust them to not misuse these powers. But they're deliberately misleading the public (and the judiciary) to try to gain these powers. This is not how a trustworthy agency operates. We should not be fooled.

Possibly the most worrying thing about this mess is how blatant the FBI and other law enforcement agencies have been about trying to set this precedent. They have almost stopped bothering to pretend that this is about just one phone rather than all phones.

And again, use my Worst Enemy Test: If you had to permit your worst enemy access to these powers, would you still support the legislation?

I suspect Director Comey wouldn’t be okay with his political opponents being able to compel Apple or Google to create their own backdoors to bypass the encryption on his phone. Would anyone be happy about President Trump having “sooper sekrit” access to anyone’s information?

Everything Old is New Again

No one seems to have learned anything from history, even recent history. Back in 1993 (a.k.a. the Dark Ages, in internet years) the NSA’s baby, the Clipper chip, was meant to provide a back door to any system it was installed in. At the same time, the US government still classified strong encryption as a munition for export purposes, and investigated the creator of PGP, Phil Zimmermann, for violating the export ban.

The Clipper chip program died within a couple of years, and the export restrictions on encryption were relaxed by the end of the decade. Why? Back doors are inherently insecure and technically untenable: Matt Blaze showed in 1994 that the Clipper chip’s law enforcement access field could be forged, so the escrow mechanism could be defeated by the very people it was supposed to expose. The restriction of a technology like encryption only works if you can actually keep it from being disseminated. The only reliable way to do that is to cut yourself off from the outside world and impose draconian, centrally authoritarian rules on your citizens.

Japan kept weapons under the exclusive control of the military by shutting its borders, confiscating weapons, and keeping those with the knowledge to create weapons under central authority. In the early days of firearms, the Japanese were actually more heavily armed than anyone else, and with the improvements Japanese smiths wrought on the samples traded from the Dutch and Portuguese, their weapons were probably the most technically advanced as well.

In Europe, those measures wouldn’t work because any one nation that tried to hunker down and disarm its populace would place itself at a strategic disadvantage to its neighbors. The end result of isolation and technical control was that Japan was at a severe disadvantage when on the receiving end of some “friendly” gunboat diplomacy from the good ol’ US of A back in the 1800s.

In more modern times, North Korea has done pretty much the same thing over the last 60 years with regard to communications and commerce, with the result that much of its post-industrial technology, particularly its computer technology, is laughably outdated.

If FBI Director Comey gets his way, and Apple is forced to either create a tool for the government to use to unlock devices or compromise its security to provide a back door into the system software, Americans are facing not just the loss of privacy, but a loss of competitiveness in the world market. Communication and device encryption is the backbone of internet commerce.

While it may start with Apple, it won’t end there. Any technology created by American companies will be regarded with suspicion because of the precedent set. Other countries where multinational corporations do business, knowing that a US-based company will be compelled to create skeleton keys for its devices, will make providing them with the same tools a prerequisite for doing business there.

Congratulations, you’ve just given every repressive regime in the world tools to break into anyone’s phones, and not just their own citizens’ either. It’s actually worse if the US tries to keep the key to itself: its very existence makes it much more likely that a foreign power, or even criminal elements, will find a way to steal or co-opt it, and if the back door is only installed on American versions of the phones, it can be used to break into the phones of US citizens exclusively. If that happens, the responsible parties would have made the entire US into every nefarious agent’s online ass-bitch.

As we’ve seen with “secret” backdoor technology before, like the TSA luggage keys, it will leak eventually. And when it does, someone will eventually exploit that security weakness to commit a serious crime or act of terrorism. The best way to protect people is to make security better, so that it is harder for anyone to break in, be it the FBI, terrorists, or criminals. Deliberately weakening security does not benefit either the public or, in the long run, the government.

NSA could crack the San Bernardino shooter’s phone

Clarke added that if he was still at the White House, he would have told FBI Director James Comey to "call Ft. Meade, and the NSA would have solved this problem…Every expert I know believes that NSA can crack this phone." But the FBI wasn't seeking that help, he said, because "they just want the precedent."

Yep, it's pretty obvious that what FBI Director Comey is really going for is the legal precedent, not the information.

Tech giants don’t want Obama to give police access to encrypted phone data

In a Washington Post article from last year:

Tech behemoths including Apple and Google and leading cryptologists are urging President Obama to reject any government proposal that alters the security of smartphones and other communications devices so that law enforcement can view decrypted data…

The letter is signed by three of the five members of a presidential review group appointed by Obama in 2013 to assess technology policies in the wake of leaks by former intelligence contractor Edward Snowden. The signatories urge Obama to follow the group’s unanimous recommendation that the government should “fully support and not undermine efforts to create encryption standards” and not “in any way subvert, undermine, weaken or make vulnerable” commercial software.

I've said before that it's a bad idea to weaken encryption for the sake of law enforcement. This current confrontation between the FBI and Apple has been years in the making.

What is the Internet?

Leo Mirani for Quartz: Millions of Facebook users have no idea they’re using the internet

Remember this, from earlier this year?

AOL still makes most of its money off millions of dial-up subscribers

In light of the number of people who are still using dial-up access through AOL, even though there are almost certainly better alternatives available[1], the lack of awareness many people worldwide show about what constitutes “the internet” should probably not be surprising.

For millions of Americans in the 90s, AOL was the internet, and considering the subscription numbers reported in that article from early 2015, it is almost certainly still considered the internet by those users. And this is in a first-world country with relatively affordable access to data and at least some formal education about technology. In parts of the world with less access to data, where Facebook actively subsidizes internet access through their portal, it should not be shocking that many people don’t draw a distinction, because for them there may not be one.

Facebook’s strategy is surprisingly similar to AOL’s, but much larger in scope. AOL sent CDs with free software and trial codes to everyone in the US. Facebook is doing the contemporary equivalent by subsidizing data on mobile in developing countries. Facebook stands to gain a huge audience worldwide for generations of user adoptions. It’s a very smart strategic use of resources, and seems to be beneficial for everyone involved.

At least for right now. Unlike Google, Facebook has never adopted an aspirational mantra, and we see how well that whole “don’t be evil” thing has been working for Google. Even the best of intentions erode over time.

  1. Maybe not surprising at all, considering how hard it seems to be to cancel an account.  ↩

Reddit — Hate Speech or Free Speech?

Adi Robertson for The Verge

Committing to absolute, hands-off openness will eventually mean defending speech that is truly worthless and harmful.

The problem Reddit faces isn’t necessarily allowing hate speech; it’s hosting a forum for it.

I have used these words in defense of controversial speech before:

“I disapprove of what you say, but I will defend to the death your right to say it.” (Evelyn Beatrice Hall)[1]

… because in general I agree with the sentiment.

No one should be arbitrarily silenced, no matter what they say, even if those words are “truly worthless and harmful”. Yes, KKK members should have the same right to say what they want in public that I do, for exactly the same reason, even though the beliefs of a Klan member and mine could not be more divergent.

It goes back to my Worst Enemy Test: Could you trust your own worst enemy with this power? If not, you need to build in sufficient protections that you could. You should always build laws and societal mores with the idea that someone ideologically opposed to you might end up in power, or someday you will be oppressed using tools you created. It doesn’t matter how pure your intentions and how worthy the cause, if you create a tool that can be misused, it will be.

As a practical matter, it’s arguably better that horrible people feel safe enough to air their hate in public, so that everyone knows that they’re shitty excuses for human beings, rather than forcing them to conceal their beliefs in dark corners of society where they can gather together to fester in secret.

However, there is a difference between the principle of protecting everyone’s right to free speech and providing a pulpit for them. I would defend even the right of my worst enemy to continue to say what she or he wishes to say about me, but I would not provide a forum.[2]

Reddit may decide that it still wishes to continue fostering hate under the aegis of what it considers to be neutrality. The repercussions of that decision will probably lead to the eventual death of Reddit as a useful forum for anything positive and productive. Even CGP Grey, a fan and prominent user of Reddit, said in a recent podcast that he believes the problems are structural, which is a far more intractable situation than just dealing with a vocal and troublesome minority.

  1. Often, and erroneously, attributed to Voltaire.  ↩

  2. There are many reasons I’ve never allowed comments on this blog. You can criticize me anywhere you like, but I’m not going to provide you a place for your criticism; that’s your responsibility.  ↩

Three takeaways for web developers after two weeks of painfully slow internet access

This writeup on Medium is a great article for app and website developers. Like designing for accessibility, considering and designing for slow data access can vastly improve user experience.

I had to use tethering to get work done over the last month due to a very flaky wi-fi access point at a work location. Because of that, I managed to hit my data cap before the end of the month, and spent over a week with horribly throttled access that rendered anything without an offline mode or a robust low-data mode basically useless. Most syncing worked — slowly; most browsing or even non-text Twitter didn’t.

Third-party apps fared the worst. I could get pages to load in Safari on my iPhone that Tweetbot was unable to display. This experience, not long after the announcement of Safari View Controller for third-party apps in iOS 9, made me fully appreciate just how big a change more open developer access to Safari will be. Developers won’t have to write their own browsers, and users will get access to all of the caching and performance tweaks implemented in the system browser. When you’re running at 0.12 Mb/s up and down, you really, really appreciate optimizations and performance fallback modes.

Facebook Instant Articles

From a NY Times article published in May:

Facebook’s long-rumored plan to directly host articles from news organizations will start on Wednesday, concluding months of delicate negotiations between the Internet giant and publishers that covet its huge audience but fear its growing power …

… Most important for impatient smartphone users, the company says, the so-called instant articles will load up to 10 times faster than they normally would since readers stay on Facebook rather than follow a link to another site.

The last thing I wanted in my Facebook feed was more news articles, so the technical improvement of faster load times does not benefit me in the slightest. The only reason I ever go to Facebook is to see what’s going on with family members. I already have to sort through the listicles, quizzes, and “surveys” that are shared on Facebook to get to their posts. Anything that makes it harder for me to see actual activity from the people I know is just more clutter.

Granted, given the quality of what is usually shared, it will probably be more interesting, higher-brow clutter, but still clutter. I had already started skipping over the regular timeline to exclusively check messages and alerts on the infrequent occasions I visited Facebook. Increasing clutter will make me less likely to bother looking through my timeline, since I know it will be about as rewarding as looking through an email inbox with spam filtering disabled.

I can see the appeal for publishers, since most of the public is not as discerning, jaded, and cantankerous as I am, and there are 1.25 billion active users on Facebook.

Let that sink in; that’s active users, as in people who actually log in and use Facebook on a monthly or more frequent basis. There must be many more registered users than 1.25 billion, since active use is typically much, much lower than registration.

That’s a metric asstonne[1] of people. The active users alone represent 17% of the current world population of 7.3 billion, so by the numbers, theoretically roughly 1 in 6 people on the entire planet use Facebook right now. And it’s still growing.

The problem for publishers is that joining any social network is hazardous in the long term. Letting someone else publish your content means that you both relinquish control and eventually become a commodity on that platform. When you are one of several sources for a similar service, it becomes simple and easy to replace you if you decide not to participate anymore. Should Facebook later decide to play hardball, and The Times opt-out of publishing on Facebook’s platform, even they — with their strong reputation and mind-share in news — probably wouldn’t be particularly missed.

News publishing is in flux, and it’s increasingly clear that the older publishers are facing very difficult circumstances. Ironically, this consolidation approach was already tried on the internet in the past, and was generally resisted by the public.

Remember the buzz around web portals in the early days of the public internet? It’s one of the reasons AOL became infamous online, when its membership campaigns[2] resulted in floods of clueless “newbies” who knew naught of the online etiquette honed on Usenet in countless flamewars.

Becoming the latest implementation of a web portal is probably a good long-term strategy for Facebook, but it places it about a half-step in stodginess from “You’ve got mail!” territory. Hell, the only reason I got a Facebook account was social pressure from older family members. It was already losing enough social cachet a few years ago, when I finally caved, that a dude in his mid–30s didn’t think it was the cool new tech thing.

  1. Equal to 1.102 Imperial asstons, but substantially smaller than a Goatse.  ↩

  2. Kids: ask your parents to tell you about the “free” frisbees and drink coasters AOL used to send to everyone’s houses.  ↩