
Brett Shavers | Ramblings


surveillance

MAR 21

Barking up the Encryption Tree. You're doing it wrong.

Posted by Brett Shavers
in  Privacy

There always comes a time when an obscure, yet important, concept leaves the technical world and enters the mainstream.  Recovering deleted files was one of those where we pretty much knew all along not only that it can be done, but that we have been doing it all along. The Snowden releases were another aspect of ‘yeah, we knew this all along’, but the GFP (general f’ing public) was oblivious.

Encryption is just the most current ‘old’ thing to make the limelight.  Whenever something like this happens, there are a ton of people ringing the end-of-the-world bells, clamoring that national security will be lost, and personal freedoms take a back seat to everything.  It happens all the time and when it happens, there is a fire to make new laws on top of thousands of other laws, in which the promise of better safety and security is as strong as a wet paper bag holding your groceries on a windy and rainy day.


Legally, it is super easy to ban, control, and/or regulate encryption. A stroke of the pen with or without citizen oversight can make it happen quickly and painlessly.  One signature on the last page of a law that is a ream in size is all it takes.

Practically, it is impossible to completely eliminate or control or regulate encryption.  The only thing laws will do is restrict the sale of encryption products by corporations.  Encryption exists in the minds of mathematical practitioners and can be recreated over and over again. You can't blank out someone’s brain (I hope not…).  Encryption is available everywhere on the Internet, from software programs that are FREE and OPEN SOURCE to download and even in TOYS that can be bought off Amazon.com.  These 'toys' work by the way.

Enigma encryption...for sale on Amazon.com

Go ahead and ban encryption and people will just buy a $10 toy to create cipher text for emails.  Tor use will skyrocket as will third party online privacy providers operating in safe harbors overseas.  Banning encryption or breaking the trust of companies like Apple will only result in loss of business for corporations and (more) loss of trust by consumers of both corporations and government.  Even if encryption is not banned, but under the complete control of any government, that particular piece of technology won’t be used for anything other than entertainment. No business is going to transmit sensitive intellectual property data through an insecure system.  No government is going to use a system that can be more easily compromised by enemies or hackers.

Free encryption software: https://sourceforge.net/projects/veracrypt/

The end result of banning encryption is creating a whole new class of “criminals” who just want to protect their private communications.  “Private” does not mean “illegal”.  Controlling the source code of Apple is only going to cause Apple to end up with 3 employees who will be their only customers.  Not even the government will use Apple if they know the source code has been compromised...especially if compromised by the government itself.

Not long ago, I gave a presentation on Internet investigations to a group of law enforcement investigators.  One of the first questions I asked was 'Given authority and ability, what would you like to see done in regards to the Internet?'.  Most answers were to 'lock it down', 'watch everything', 'control it all', and 'give government complete control'.  At the end of the presentation, no one felt that way after I explained how that will negatively affect everyone down to the individual person and business, including the government.  Ignorance may be bliss, but that doesn't make ignorance a good idea.

If this 'ban encryption bandwagon' keeps going, the next thing we will see is envelope regulations requiring the paper to be transparent, just in case the government needs to read your mail without opening it.

I also do not believe that there is any one 'thing' that can prevent the apprehension of criminals, prevention of terrorist attacks, or investigation of a crime.  If encryption can do all of those, we need better investigative training for our detectives and case officers.
Tags:
privacy tor browser surveillance
MAR 18

The four corners of the Apple v FBI encryption debacle

Posted by Brett Shavers
in  Privacy

If only the FBI had picked a case where the issue was clear cut…that would make this encryption issue so much easier.

  1. The FBI doesn’t want Apple to simply “unlock” the phone.

Apple (and just about every other high tech company) has been unlocking devices and allowing access to data for law enforcement for decades.  That’s not the issue here.  The FBI wants the encryption to be broken. They want software to be rewritten or written that compromises security features. That’s a lot different than just unlocking a device.  That request breaks security.  Worse yet, it sets a precedent.  Law enforcement knows about precedent setting laws. Sometimes it is good, but sometimes it is not.

  2. It’s not the end of the world if encryption is broken.

Our lights will still turn on. Cars will still run.  Kids will still be able to go to school.  However, online payment systems will be as protected as a wet paper bag, secure communications will be as secure as Windows 3.1, and anything you send electronically is fair game to hackers (and government).  But don’t worry. If encryption is banned or broken, there will still be those able to use encryption (hint: one is government and the other is not law-abiding citizens).

  3. “Terrorist will Go Dark” is the best marketing ever created by government.

The only time terrorists are not operating in the dark is when they use social media in the open, print terrorism training manuals (which are then posted online), and kill people in the open.  Plus, they still have to drive, fly, walk, eat, sleep, talk, go to the doctor, read a book, watch TV, and surf the Internet.  Terrorists and criminals have all the faults of ‘regular’ folks like complacency, laziness, incompetence, and bad luck when they plan and commit terrorist acts.  I've published two books on catching criminals (and terrorists) with online and forensic investigations.  You can put both books in the hands of a terrorist and the methods to find and catch them will still work.  "Going dark"? If a criminal or terrorist can do all the things needed to carry out their devious plans in encrypted emails ONLY, their plans are going to stink.  Planning an attack or conspiring to commit a crime requires way more than sending encrypted emails.  Working undercover in criminal organizations did teach me a thing or two in how it really works and how they really think and plan.

  4. You have nothing to hide, so what’s the big deal?

The government claims that since you cannot build a house that is impenetrable, you should not have use of encryption that can’t be broken.  Well..if I could make my home impenetrable, you bet I would. If I could buy a safe that was unbreakable, I would.  They just don’t exist.  It’s not that I have anything illegal to hide in a safe, but I don’t want anyone to steal what I have.  It’s not that I have anything top secret in an email, but I just don’t want strangers reading what I am sending to a friend, or to a business colleague.  The point is NOT having something to hide, but rather, NOT hanging my underwear in the front yard on a clothesline for anyone to see or steal (that is, if they wanted to steal my undies…).

And of course, if Apple loses, or bows down to government pressure, I can think of at least one less customer who will buy a "secure" device from Apple since the definition of "secure" will change to "that which you can't break, but hackers and government can". 

Tags:
privacy surveillance
FEB 20

Let's not go all Patriot Act on this Apple - FBI encryption thing.

Posted by Brett Shavers
in  Privacy

I’ve been involved in about a half dozen conversations, three different email threads, and twice as many emails with friends and clients about this Apple – FBI encryption issue.   It seems to be a divided opinion with no compromise, at least as far as I can see.

 

FBI's Fight With Apple Over Encryption May Erode European Trust in US - Newsweek

http://news.google.com Sat, 20 Feb 2016 19:24:00 GMT

Max Schrems, the Austrian who brought the Safe Harbor case to the European Court of Justice and won, tells Newsweek that the FBI's possible victory over Apple isn't too concerning to Europeans because it is a targeted access to data—not the pre ...

Here is my opinion: “Let Apple develop their software as they see fit for business and consumer demand, as long as their actions do not violate law.” 

That means that I am in agreement with Apple choosing to not decrypt a dead terrorist's phone. I am not a pro-terrorist or pro-criminal person. In fact, in my previous law enforcement career, I arrested more criminals personally than the rest of my 100+ officer department did…combined.  Not once did I have to break the law, bend the law, or misinterpret the law to make any of my cases in patrol or as a detective. Not once did I ask for any leniency or looking the other way ‘just this one time’ to make a case or to gather evidence. Not once. Ever.

So for any law enforcement agency asking ‘just this once’ to do something does not mean ‘just this one time’. It means, “just this one time until we ask again.”  Technical issues aside, whether or not Apple can unlock the phone or just doesn’t want to unlock the phone, the bigger question is why should they?  If a landlord refuses to give a key to a residence that SWAT has a search warrant for, SWAT will just boot the door. They can't force the landlord to give up the key.  I know this analogy is weak in the key area since you can't break unbreakable encryption, but the concept holds true. You can't force the landlord to give up the key unless the key is somehow evidence.

Yes, yes, yes, I know this is a terrorist case. I’ve been involved in terrorism cases before  and exactly know how important these cases are (as I have also investigated murders..they are also important). I have seen quite enough to know how important it is to catch pedophiles, murderers, and terrorists. None should be on the street.  But that doesn’t mean taking shortcuts, bypassing Constitutional Rights, or asking a corporation to bend the rules a little to make a case.  Investigators can do this in Hollywood films, but not in real life.  

And yes, I have had cases where evidence was so little that probable cause to arrest didn’t exist. But such is life in the USA. Get PC (probable cause) and make the case or go back to square one.

After 9/11, when we panicked as a country to capture every terrorist responsible, the PATRIOT Act was typed, printed, signed, sealed, delivered, and implemented in 60 seconds flat. I was a federal task force officer at the time the PATRIOT Act went into effect. I have never seen such authority given to federal law enforcement in such short order without hardly a concern by the citizens the PATRIOT Act targeted (as in, it targets everyone's communications).  We do not need to continue along the lines of granting more authority to do what can already be done under the authority that already exists which is restricted to protect individual rights.  I’ve seen it misused before and it ain’t pretty. It's wrong.

As far as encryption goes, when any encryption is broken or perceived to be broken, no one should use it. When TrueCrypt was reported to be flawed, it practically died, as it should.  Broken encryption is like a wet paper bag. It looks like it will hold your groceries until you actually put groceries in it.

Former NSA Chief Michael Hayden Sides With Apple, Though Admits 'No Encryption Is Unbreakable' - Billboard

http://news.google.com Thu, 18 Feb 2016 15:38:22 GMT

Tim Cook's opinion that Apple should not develop a way to hack into the encrypted phone belonging to one of the San Bernardino shooters has earned an endorsement from an unlikely source, though it comes with a big "but." Michael Hayden, the former NSA ...

As for me, any software provider (or secure device provider) that tries to sell me encryption that is so good that no one, including the NSA, can get into it, they better mean it. A disclaimer of, “well, sometimes we might let the FBI access our encryption” means that I am going somewhere else. I have nothing to hide, but I also am not going to cut a hole in my bedroom wall for anyone to peer in and look whenever they want.

For those who fall back on the ‘if you have nothing to hide, you have nothing to worry about’, I fully support your beliefs in waiving your protections. After all, I have given Miranda warnings more times than I can remember and I always asked the suspects if they wanted to waive their rights. Most said yes. It’s their right to waive their rights.  But for me, I’m not waiving anything and I’m not in agreement that the choice to waive or exercise my rights can be taken away because a case agent can’t get enough evidence without resorting to bending the rules ‘just this one time’.

I mean, really. Would you buy a safe to hold your most prized and valuable possessions  knowing that a master key exists? That's like trusting the safe in your hotel closet....

Tags:
surveillance privacy wiretap

© 2023 Brett Shavers