News – Page 6 – DoGoodSoft's Official Blog

Why few hackers are lining up to help FBI crack iPhone encryption

When the FBI said it couldn’t unlock the iPhone at the center of the San Bernardino shooting investigation without the help of Apple, the hackers at DriveSavers Data Recovery took it as a challenge.

Almost 200 man hours and one destroyed iPhone later, the Bay Area company has yet to prove the FBI wrong. But an Israeli digital forensics firm reportedly has, and the FBI is testing the method.

Finding a solution to such a high-profile problem would be a major feat — with publicity, job offers and a big payday on the line. But, in fact, the specialists at DriveSavers are among only a few U.S. hackers trying to solve it. Wary of the stigma of working with the FBI, many established hackers, who can be paid handsomely by tech firms for identifying flaws, say assisting the investigation would violate their industry’s core principles.

Some American security experts say they would never help the FBI, others waver in their willingness to do so. And not all of those who would consider helping want their involvement publicized for risk of being labeled the hacker who unhinged a backdoor to millions of iPhones.

“The FBI has done such a horrible job of managing this process that anybody in the hacking community, the security community or the general public who would openly work with them would be viewed as helping the bad guys,” said Adriel Desautels, chief executive of cybersecurity testing company Netragard. “It would very likely be a serious PR nightmare.”

Much of the security industry’s frustration with the FBI stems from the agency’s insistence that Apple compromise its own security. The fact that the FBI is now leaning on outside help bolsters the security industry’s belief that, given enough time and funding, investigators could find a workaround — suggesting the agency’s legal tactics had more to do with setting a precedent than cracking the iPhone 5c owned by gunman Syed Rizwan Farook.

Some like Mike Cobb, the director of engineering at DriveSavers in Novato, Calif., wanted to be the first to find a way in. Doing so could bring rewards, including new contracts and, if desired, free marketing.

“The bragging rights, the technical prowess, are going to be considerable and enhanced by the fact that it’s a very powerful case in the press,” said Shane McGee, chief privacy officer for cybersecurity software maker FireEye Inc.

Altruism could motivate others. Helping the FBI could further an inquiry into how a husband-and-wife couple managed to gun down 14 people, wound many others and briefly get away.

Another positive, McGee said, is that legal liability is low: While unauthorized tampering with gadgets has led to prison time, it’s legal as long as people meddle with iPhones they own — and the court order helps too.

But top security experts doubt the benefits are worth the risk of being seen as a black sheep within their community.

Hackers have said they don’t want to touch the San Bernardino case “with a 10-foot pole because the FBI doesn’t look the like good guy and frankly isn’t in the right asking Apple to put a back door into their program,” Desautels said. The assisting party, if ever identified, could face backlash from privacy advocates and civil liberties activists.

“They’d be tainted,” Desautels said.

The unease in the hacker community can be seen through Nicholas Allegra, a well-known iPhone hacker who most recently worked for Citrix.

Concerned an FBI victory in its legal fight with Apple would embolden authorities to force more companies to develop software at the government’s behest, Allegra had dabbled in finding a crack in iPhone 5c security. If successful, he hoped his findings would lead the FBI to drop the Apple dispute.

But he has left the project on the back burner, concerned that if he found a solution, law enforcement would use it beyond the San Bernardino case.

“I put in some work. I could have put more in,” he said. But “I wasn’t sure if I even wanted to.”

Companies including Microsoft, United Airlines and Uber encourage researchers and even hackers to target them and report problems by dangling cash rewards.

HackerOne, an intermediary for many of the companies, has collectively paid $6 million to more than 2,300 people since 2013. Boutique firms and freelancers can earn a living between such bounties and occasionally selling newly discovered hacking tools to governments or malicious hackers.

But Apple doesn’t have a bounty program, removing another incentive for tinkering with the iPhone 5c.

Still, Israeli firm Cellebrite is said to have attempted and succeeded at defeating the device’s security measures.

The company, whose technology is heavily used by law enforcement agencies worldwide to extract and analyze data from phones, declined to comment. The FBI has said only that an “outside party” presented a new idea Sunday night that will take about two weeks to verify. Apple officials said they aren’t aware of the details.

Going to the FBI before going to the company would violate standard practice in the hacking community. Security researchers almost always warn manufacturers about problems in their products and services before sharing details with anyone else. It provides time for a issuing a fix before a malicious party can exploit it.

“We’ve never disclosed something to the government ahead of the company that distributed the hardware or software,” McGee said. “There could be far-reaching consequences.”

Another drawback is that an iPhone 5c vulnerability isn’t considered a hot commodity in the minds of many hackers, who seek to one-up each other by attacking newer, more widely used products. The 5c model went on sale in 2013 and lacks a fingerprint sensor. Newer iPhones are more powerful and have different security built into them. Only if the hack could be applied to contemporary iPhones would it be worth a rare $1-million bounty, experts say.

The limited scope of this case is why many hackers were taken back by a court order asking for what they consider broadly applicable software to switch off several security measures. Instead, experts wanted the FBI to invest in going after the gunman’s specific phone with more creativity. In other words, attack the problem with technology, not the courts.

“If you have access to the hardware and you have the ability to dismantle the phone, the methodology doesn’t seem like it would be all that complex,” Desautels said.

Two years ago, his team tried to extract data from an iPad at the request of a financial services company that wanted to test the security of the tablets before offering them to employees. Netragard’s researcher failed after almost a month; he accidentally triggered a date change within the software that rendered the iPad unusable. But Desautels said cracking the iPad would have been “possible and trivial” for someone with more time and a dozen iPads to mess with.

The same, he imagines, would be true for an iPhone. The FBI, though, has said it had exhausted all known possibilities.

Taking Apple to court generated attention about the problem and “stimulated creative people around the world to see what they might be able to do,” FBI Director James Comey said in a letter to the Wall Street Journal editorial board Wednesday. Not “all technical creativity” resides within government, he said.

The plea worked, grabbing the interest of companies like DriveSavers, which gets about 2,000 gigs a month to retrieve photos, videos and notes from phones that are damaged or belong to someone who died. But despite all of the enticements in the San Bernardino case, they’ve worked to unlock an iPhone 5c only intermittently.

They’ve made progress. Cobb’s team can spot the encrypted data on an iPhone 5c memory chip They’re exploring how to either alter that data or copy it to another chip. Both scenarios would allow them to reset software that tracks invalid password entries. Otherwise, 10 successive misfires would render the encrypted data permanently inaccessible.

Swapping chips requires soldering, which the iPhone isn’t built to undergo multiple times. They have an adapter that solves the issue, and about 300 old iPhones in their stockpile in case, as one already has, the device gets ruined.

Had they been first to devise a proposed solution, DriveSavers “absolutely” would have told the FBI because their method doesn’t present extraordinary security risks, Cobb said.

But whether it would want to be publicly known as the code cracker in the case, Cobb said that would be “a much bigger, wider conversation” to ponder.

Apple-FBI fight may be first salvo in encryption war

The Apple-FBI fight may just be the opening salvo in a broader war over encryption, as technology companies continue to lock up their users’ messages, photos and other data to shield them from thieves and spies — and, incidentally, criminal investigators.

WhatsApp, the globally popular messaging system owned by Facebook, has already run into trouble on this front in Brazil. WhatsApp encrypts all user messages in “end to end” fashion, meaning no one but the sender and recipient can read them. Brazilian authorities arrested a Facebook executive this month after the company said it couldn’t unscramble encrypted messages sought by police.

U.S. officials are debating how to enforce a similar wiretap order for WhatsApp communications in a U.S. criminal case, the New York Times reported. WhatsApp started as a way to exchange written messages over the Internet, but it has added services like photo-sharing and voice calling, while gradually building encryption into all those formats.

Spokesmen for WhatsApp and the Justice Department declined comment on the Times report, which said the wiretap order had been sealed to keep details secret. The Brazilian case is pending, although the Facebook executive was released from jail after a day.

For now, U.S. authorities and the tech industry are watching for the outcome of Apple’s legal battle with the FBI, which wants to force the company to help unlock an encrypted iPhone used by one of the San Bernardino mass shooters. But as more companies explore adding encryption, further confrontations are likely.

“I think we can say, without a doubt, there’s going to be more pressure on app-makers now,” said Nate Cardozo, staff attorney at the Electronic Frontier Foundation.

Cardozo said he’s aware of other recent cases in which U.S. authorities have approached individual companies (he wouldn’t name them) that use encryption and warned them that criminals or terrorists are using their services. Cardozo said authorities have urged those companies to redesign their apps or provide other technical solutions that would let agents read the encrypted messages.

Tech companies say they don’t want to interfere with legitimate criminal investigations or national security matters. Instead, they argue they’re concerned about hacking, privacy invasion and violations of civil rights.

“It’s the government’s job to protect public safety,” said Denelle Dixon-Thayer, chief legal and business officer at Mozilla, which makes the Firefox Web browser. “Our job in the tech sector is to support that goal by providing the best data security.”

While law enforcement authorities have chafed at tech companies’ use of encryption, national security officials have warned against weakening encryption. “We’re foursquare behind strong data security and encryption,” Defense Secretary Ash Carter told a tech audience this month.

Debate over tech tools’encryption

Before the San Bernardino terror attack, Syed Rizawan Farook’s iPhone was just one fancy Apple device among hundreds of millions worldwide.

But since the California government worker and his wife shot and killed 14 people on December 2, apparently inspired by extremist group IS, his iPhone 5c has become a key witness – and the government wants Apple to make it talk.

The iPhone, WhatsApp, even social media – government authorities say some of tech fans’ favourite playthings are also some of the most powerful, and problematic, weapons in the arsenals of violent extremists.

Now, in a series of quiet negotiations and noisy legal battles, they’re trying to disarm them, as tech companies and civil liberties groups fight back.

The public debate started with a court order that Apple hack a standard encryption protocol to get at data on Farook’s iPhone, but its repercussions are being felt beyond the tech and law enforcement worlds.

“This is one of the harder questions that we will ever have to deal with,” said Albert Gidari, director of privacy at Stanford Law School’s Centre for Internet and Society.

“How far are we going to go? Where does the government power end to collect all evidence that might exist, and whether it infringes on basic rights? There’s no simple answer,” he told DPA.

It’s not new that terrorists and criminals use mainstream technology to plan and co-ordinate, or that law enforcement breaks into it to catch them. Think of criminals planning a robbery by phone, foiled by police listening in.

But as encryption technology and other next-generation data security move conversations beyond the reach of a conventional wiretap or physical search, law enforcement has demanded the industry provide “back-door” technology to access it too.

At the centre of the fray are otherwise mainstream gadgets and platforms that make private, secure and even anonymous data storage and communication commonplace.

Hundreds of millions of iPhones running iOS 8 or higher are programmed with the same auto-encryption protocol that has stymied investigators in the San Bernardino attack and elsewhere.

US authorities are struggling with how to execute a wiretap order on Facebook-owned WhatsApp’s encrypted messaging platform, used by 1 billion people, the New York Times reported.

In a similar case earlier this month, Brazilian authorities arrested a company executive for not providing WhatsApp data the company said it itself could not access.

Belgium’s interior minister Jan Jambon said in November he believed terrorists were using Sony’s PlayStation 4 gaming network to communicate, Politico reported, although media reports dispute his assertions.

In a world where much of social interaction has moved online, it’s only natural that violent extremism has made the move too.

ISIS, in particular, has integrated its real-world operations with the virtual world, using social media like Twitter and YouTube for recruitment and propaganda and end-to-end encryption for secure communication, authorities say.

Law enforcement authorities and government-aligned terror experts call it the “digital jihad”.

Under pressure from governments, social media providers have cracked down on accounts linked to extremists. Twitter reported it had closed 125,000 ISIS-linked accounts since mid-2015.

Most in the industry have drawn the line at any compromise on encryption, however, saying the benefits of secure data outweigh the costs of its abuse by criminals – leaving authorities wringing their hands.

“Something like San Bernardino” or the November 13 terror attack in Paris “can occur with virtually no indications it was about to happen,” retired general and former Obama anti-terror envoy John Allen warned an audience of techies at the South by Southwest digital conference.

Just a day before, US President Barack Obama had made an unprecedented appearance there, calling for compromise in the showdown between government and tech.

Citing examples of child pornographers, airline security and Swiss bank accounts, Obama said authorities must have the ability to search mobile devices, encrypted or not.

But Gidari called it a “Pandora’s box” too dangerous to open.

Take a stand against the Obama/FBI anti-encryption charm offensive

It has been frustrating to watch as the horrific San Bernardino terrorist killing spree has been used as a cover by the FBI to achieve the anti-encryption goals they’ve been working towards for years. Much of that frustration stems from the fact that the American media has so poorly reported the facts in this case.

The real issue in play is that the FBI wants backdoor access to any and all forms of encryption and is willing to demonize Apple in order to establish an initial precedent it can then use against all other software and hardware makers, all of whom are smaller and are far less likely to even attempt to stand up against government overreach.

However, the media has constantly echoed the FBI’s blatantly false claims that it “does not really want a backdoor,” that only cares about “just this one” phone, that all that’s really involved is “Apple’s failure to cooperate in unlocking” this single device, and that there “isn’t really any precedent that would be set.” Every thread of that tapestry is completely untrue, and even the government has now admitted this repeatedly.

Representative democracy doesn’t work if the population only gets worthless information from the fourth estate.

However, in case after case journalists have penned entertainment posing as news, including a bizarre fantasy written up by Mark Sullivan for Fast Company detailing “How Apple Could Be Punished For Defying FBI.”

A purportedly respectable polling company asked the population whether Apple should cooperate with the police in a terrorism case. But that wasn’t the issue at hand. The real issue is whether the U.S. Federal Government should act to make real encryption illegal by mandating that companies break their own security so the FBI doesn’t have to on its own.

The Government’s Anti-Encryption Charm Offensive

Last Friday, U.S. Attorney General Loretta Lynch made an appearance on The Late Show with Stephen Colbert to again insist that this is a limited case of a single device that has nothing to do with a backdoor, and that it was really an issue of the County-owned phone asking Apple for assistance in a normal customer service call.

Over the weekend, President Obama appeared at SXSW to gain support for the FBI’s case, stating outright that citizens’ expectation that encryption should actually work is “incorrect” and “absolutist.”

He actually stated that, “If your argument is ‘strong encryption no matter what, and we can and should in fact create black boxes,’ that I think does not strike the kind of balance we have lived with for 200, 300 years. And it’s fetishizing our phone above every other value, and that can’t be the right answer.”

That’s simply technically incorrect. There’s no “balance” possible in the debate on encryption. Either we have access to real encryption or we don’t. It very much is an issue of absolutes. Real encryption means that the data is absolutely scrambled, the same way that a paper shredder absolutely obliterates documents. If you have a route to defeat encryption on a device or between two devices, it’s a backdoor, whether the government wants to play a deceptive word game or not.

If the government obtains a warrant, that means its has the legal authority to seize evidence. It does not mean that the agencies involved have unbridled rights to conscript unrelated parties into working on their behalf to decipher, translate or recreate any bits of data that are discovered.

If companies like Apple are forced to build security backdoors by the government to get around encryption, then those backdoors will also be available to criminals, to terrorists, to repressive regimes and to our own government agencies that have an atrocious record of protecting the security of data they collect, and in deciding what information they should be collecting in the first place.

For every example of a terrorist with collaborator contacts on his phone, or a criminal with photos of their crimes on their phone, or a child pornographer with smut on their computer, there are thousands of individuals who can be hurt by terrorists plotting an attack using backdoors to cover their tracks, or criminals stalking their victims’ actions and locations via backdoor exploits of their devices’ security, or criminal gangs distributing illicit content that steps around security barriers the same way that the police hope to step around encryption on devices.

Security is an absolutist position. You either have it or you don’t.

Obama was right in one respect. He noted that in a world with “strong, perfect encryption,” it could be that “what you’ll find is that after something really bad happens the politics of this will swing and it will become sloppy and rushed. And it will go through Congress in ways that have not been thought through. And then you really will have a danger to our civil liberties because the disengaged or taken a position that is not sustainable.”

However, the real answer to avoiding “sloppy, rushed” panic-driven legislation is to instead establish clear rights for citizens and their companies to create and use secure tools, even if there is some fear that secure devices may be used in a way that prevents police from gaining access to some the evidence they might like to access in certain cases.

The United States makes no effort to abridge the use of weapons like those used in San Bernardino to actually commit the atrocity. It should similarly not insist that American encryption should only work with a backdoor open on the side, giving police full access to any data they might want.

It’s not just a bad idea, it’s one that will accomplish nothing because anyone nefarious who wants to hide their data from the police can simply use non-American encryption products that the FBI, the president and the U.S. Congress have no ability to weaken, regardless of how much easier it would make things for police.

Obama: ‘Absolutist view’ on encryption not answer

President Barack Obama said Friday that the encryption versus national security debate, currently being played out in Apple’s legal fight against the federal government, won’t be settled by taking an “absolutist view.”

Addressing an audience of tech enthusiasts meeting in the Texas capital, Obama said both values are important.

He restated his commitment to strong encryption, but also asked how will government catch child pornographers or disrupt terrorist plots if smartphones and other electronic devices are made ways that keep law enforcement from accessing the data stored on them.

“My conclusion, so far, is you cannot take an absolutist view on this,” Obama said at the South by Southwest Interactive festival.

During a question-and-answer session with Evan Smith, CEO and editor in chief of The Texas Tribune, Smith asked Obama “where do you come down” on the question of balancing law enforcement’s needs with an individual’s right to privacy.

Obama said government shouldn’t be able to “just willy nilly” get into smartphones that are full of very personal data. But at the same time, while asserting he’s “way on the civil liberties side,” Obama said “there has to be some concession” to be able to get to the information in certain cases.

The president was not asked to comment on the litigation between Apple and the FBI. He also said he couldn’t discuss specifics.

Apple and the federal government are embroiled in a legal fight over Apple’s refusal to help the FBI access an iPhone used in last year’s terrorist attack San Bernardino, California, in which 14 people were killed. The FBI wants Apple to create a program specifically for that particular phone to help the bureau review the data on it. Apple has refused, and says to do what the government is asking would set a terrible precedent.

Rep. Darrell Issa, R-Calif., who has sharply questioned FBI Director James Comey during congressional hearings on the matter, released a statement in which he said Obama’s comments showed his “fundamental lack of understanding of the tech community, the complexities of encryption and the importance of privacy to our safety in an increasingly digital world.”

“There’s just no way to create a special key for government that couldn’t also be taken advantage of by the Russians, the Chinese or others who want access to the sensitive information we all carry in our pockets every day,” Issa said.

Obama used his appearance at the decades-old festival to encourage the audience of tech enthusiasts to use their skills and imagination to “tackle big problems in new ways.” He said the administration already is using technology to make people’s lives better, and cited as an example the streamlining of federal applications. But he urged industry leaders and entrepreneurs to use technology to help increase voter participation.

“The reason I’m here, really, is to recruit all of you. It’s to say to you, as I’m about to leave office, how can we start coming up with new platforms and new ideas, new approaches across disciplines and across skill sets, to solve some of the big problems that we’re facing today.”

South by Southwest Interactive is part of South by Southwest, a movie, music and interactive media festival that had been held in Austin for the past 30 years. Obama’s appearance was the first by a sitting U.S. president.

After the festival, which also is known as SXSW, Obama helped raise money for Democrats at a pair of fundraisers in Austin.

Government says Apple arguments in encryption case a “diversion”, presents point-by-point rebuttal

As the Apple vs. FBI encryption debate heats up in California, the U.S. government on Thursday fired back at Apple’s oppositions to a court order compelling its assistance in an FBI investigation, and in a new motion discounted a number of arguments related to supposed backdoors, “master keys,” the All Writs Act and more.

In its letter in support of a federal magistrate judge’s original order to compel Apple’s help in unlocking an iPhone used by San Bernardino terror suspect Syed Rizwan Farook, federal prosecutors intimate the company is playing to the media in an attempt to protect its brand. The document was penned by U.S. Attorneys for the Central District of California Eileen M. Decker, Chief of the Cyber and intellectual Property Crimes Section Tracy L. Wilkison and Chief of the National Security Division Patricia A. Donahue.

“Apple and its amici try to alarm this Court with issues of network security, encryption, back doors, and privacy, invoking larger debates before Congress and in the news media. That is a diversion. Apple desperately wants—desperately needs—this case not to be ‘about one isolated iPhone,'” the letter reads. (Emphasis in original.)

The government argues Farook’s phone may contain actionable intelligence that could help shed light on last year’s terror attack. Investigators need Apple’s help in acquiring said information, if it exists, but instead of providing aid as it has done in the past, the company is waging a war of words both in court and publicly. Prosecutors classify Apple’s statements, including arguments that weakening the security of one iPhone is a slippery slope to a surveillance state, as “not only false, but also corrosive of the very institutions that are best able to safeguard our liberty and our rights.”

One of Apple’s main targets is the All Writs Act, a contingency that imbues courts with the power to issue orders if no other judicial tools are available. After being met with resistance to an initial warrant, the FBI leveraged AWA as a legal foundation to compel Apple’s assistance. If the DOJ is successful in its court action, it could pave the way for broader application of the statute in other investigations, Apple says. Indeed, the FBI is currently asserting AWA in at least nine other cases involving iOS devices.

In this case, however, the government argues its use of AWA is proper.

As for undue burden, the letter notes Apple grosses hundreds of billions of dollars each year. It would take as few as six employees plucked from Apple’s workforce of approximately 100,000 people as little as two weeks to create a workable solution to the FBI’s problem, the letter says, adding that the company is to blame for being in the position it currently finds itself.

“This burden, which is not unreasonable, is the direct result of Apple’s deliberate marketing decision to engineer its products so that the government cannot search them, even with a warrant,” according to the government.

A few interesting tidbits were also revealed in the course of dismantling Apple’s opposition, including a technical revelation that strikes at the heart of one of Apple’s key arguments. Apple has maintained that a forced iCloud backup, obtained by connecting Farook’s iPhone to a known Wi-Fi network, might contain information FBI agents are looking for. However, that option was rendered moot after the FBI ordered San Bernardino officials to reset Farook’s Apple ID password.

“The evidence on Farook’s iCloud account suggests that he had already changed his iCloud password himself on October 22, 2015—shortly after the last backup—and that the autobackup feature was disabled. A forced backup of Farook’s iPhone was never going to be successful, and the decision to obtain whatever iCloud evidence was immediately available via the password change was the reasoned decision of experienced FBI agents investigating a deadly terrorist conspiracy,” the government claims.

Finally, the letter takes issue with Apple’s assertions that the instant order violates its First and Fifth Amendment rights. Apple claims computer code should be covered by free speech protections, meaning DOJ requests to write code in an attempt to break into Farook’s iPhone amounts to forced speech. Nebulous legal footing aside, Apple’s claims are “particularly weak because it does not involve a person being compelled to speak publicly, but a for-profit corporation being asked to modify commercial software that will be seen only by Apple”

The idea of narrow investigation is mentioned multiple times. Apple is not being required to create a master key for all iOS devices, government representatives insist, but instead a piece of code applicable to one iPhone. Even if hackers or nefarious agents manage to steal said code, it would only be useful in unlocking Farook’s iPhone 5c, the government attests. This issue is under debate, however, as some experts say the flawed iOS version could be used on other devices. Creating a specialized forensics tool also acts as a proof-of-concept that iOS is vulnerable to attack.

Apple and the DOJ are set to meet in court over the matter in a hearing scheduled for March 22.

New FBI strategy wins back lost ground in encryption fight

By July 2015, FBI Director Jim Comey knew he was losing the battle against sophisticated technologies that allowed criminals to communicate without fear of government surveillance.

In back-to-back congressional hearings that month, Comey struggled to make the case that terrorists and crooks were routinely using such encryption systems to evade the authorities. He conceded that he had no real answer to the problem and agreed that all suggested remedies had major drawbacks. Pressed for specifics, he couldn’t even say how often bureau investigations had been stymied by what he called the “going dark” problem.

“We’re going to try and do that for you, but I’m not optimistic we’re going to be able to get you a great data set,” he told lawmakers.

This week, Comey was back before Congress with a retooled sales pitch. Gone were the vague allusions to ill-defined problems. In their place: a powerful tale of the FBI’s need to learn what is on an encrypted iPhone used by one of the terrorists who killed 14 people in California. “Maybe the phone holds the clue to finding more terrorists. Maybe it doesn’t,” Comey wrote shortly before testifying. “But we can’t look the survivors in the eye, or ourselves in the mirror, if we don’t follow this lead.”

The tactical shift has won Comey tangible gains. After more than a year of congressional inaction, two prominent lawmakers, Sen. Mark Warner (D-Va.) and House Homeland Security Chairman Michael McCaul (R-Texas), have proposed a federal commission that could lead to encryption legislation. Several key lawmakers, who previously hadn’t chosen sides over encryption, such as Rep. Jim Langevin (D-RI), are siding with the administration in its legal battle with Apple. Likewise, several former national security officials — such as former National Security Agency chief Gen. Michael Hayden and former Director of National Intelligence Mike McConnell — who lined up with privacy advocates in the past have returned to the government side in this case.

“The public debate was not going the FBI’s way and it appears there’s been a deliberate shift in strategy,” said Mike German, a former FBI special agent. “They realized…that the most politically tenable argument was going to be ‘we need access when we have a warrant and in a serious criminal case. All the better if it’s a terrorism case.’”

The catalyst for change has been a high-stakes legal fight in a central California courtroom where Apple seeks to overturn a judge’s order to write new software to help the FBI circumvent an iPhone passcode. Other technology companies such as Microsoft, Google, Facebook and Twitter this week rallied to Apple’s side. The Justice Department, meanwhile, has drawn supporting legal briefs from law enforcement associations as well as families of the San Bernardino victims.

Comey’s evolution may have been foreshadowed last summer. In an August email, Robert Litt, the intelligence community’s top lawyer, wrote colleagues that the mood on Capitol Hill “could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement,” according to The Washington Post.

The Dec. 2 San Bernardino attack, coming less than three weeks after a coordinated series of Islamic State shootings and bombing killed at least 130 people in Paris, reignited law enforcement concern about terrorists’ ability to shield their plotting via encryption. The San Bernardino killers, Syed Farook and his wife Tashfeen Malik, destroyed two cellphones before dying in a gun battle with police. Investigators discovered the iPhone at issue in the courtroom fight inside the Farook family’s black Lexus sedan.

To be sure, Comey’s new strategy thus far has paid only limited dividends. The Warner-McCaul commission, if it is ever formed, may or may not change U.S. encryption policy. Renewed support from former officials, such as Hayden and McConnell, extends only to the San Bernardino case.

Indeed, the FBI director’s hopes for an enduring solution to “the going dark” problem remain aspirational. The White House last fall abandoned plans to seek legislation mandating a technological fix for authorities’ encryption headaches. And since then, the Obama administration has confined itself to jawboning Silicon Valley.

But in choosing to make a fight over the iPhone used by one of the San Bernardino terrorists, Comey has selected an advantageous battlefield. Many encryption supporters say that the San Bernardino case isn’t really about encryption because the FBI is asking Apple to build custom software that bypasses the phone’s passcode, a separate though related security feature. That distinction, however, may be lost on the public and many members of Congress. Some have even speculated the FBI is using the San Bernardino massacre to revive an encryption debate that it appeared to have lost.

“It appears to me they’re using this case specifically to try to enact a policy proposal they could not get through Congress last year,” said Rep. Ted Lieu (D-Calif.), an encryption advocate. “It’s clear to me that the FBI is trying to use this case to influence the public.”

The fight with Apple not only carries the emotional heft of terrorism, but — thanks to the distinction between encryption backdoors and passcode subversion — has drawn many of Comey’s most vocal critics from the national security community back into the fold.

Hayden, the former NSA head, and McConnell, the nation’s ex-intelligence czar, opposed Congress mandating the creation of technological “back doors” for the government to exploit. Yet, on the Apple case, they side with Comey.

“The FBI made this a test case and that was very deliberate on their part, to refocus the conversation,” said Robert Cattanach, a former Justice Department prosecutor. “This is not some abstract principle of privacy versus government overreach. There are real impacts.”

The San Bernardino case could be a win-win for Comey. If Apple prevails in court, Congress might respond by intervening with legislation. Both the FBI and Apple have said Congress is better equipped to manage the issue than courts.

The legal battles also may discourage companies from building strong encryption given the risk of future legal showdowns, said German, who is now a fellow with the Brennan Center for Justice.

“This is less about Apple than about the developer who is sitting in his garage right now creating the next big thing,” he said. “The idea is to make that person realize that the stronger they build the security the harder it will be for them when they get that order to unlock it to do so. There’s an incentive to build a crack in the system.”

No room for compromise in Apple vs FBI iPhone encryption battle

As Apple’s legal battle with the FBI over encryption heads toward a showdown, there appears little hope for a compromise that would placate both sides and avert a divisive court decision.

The FBI is pressing Apple to develop a system that would allow the law enforcement agency to break into a locked iPhone used by one of the San Bernardino attackers, a demand the tech company claims would make all its devices vulnerable.

In an effort to break the deadlock, some US lawmakers are pushing for a panel of experts to study the issue of access to encrypted devices for law enforcement in order to find common ground.

Senator Mark Warner and Representative Mike McCaul on Monday proposed the creation of a 16-member “National Commission on Security and Technology Challenges.”

But digital rights activists warn that the issue provides little middle ground — that once law enforcement gains a “back door,” there would be no way to close it.

“We are concerned that the commission may focus on short-sighted solutions involving mandated or compelled back doors,” said Joseph Hall, chief technologist at the Center for Democracy & Technology.

“Make no mistake, there can be no compromise on back doors. Strong encryption makes anyone who has a cell phone or who uses the Internet far more secure.”

Kevin Bankston of the New America Foundation’s Open Technology Institute expressed similar concerns.

“We’ve already had a wide range of blue ribbon expert panels consider the issue,” he said.

“And all have concluded either that surveillance back doors are a dangerously bad idea, that law enforcement’s concerns about ‘going dark’ are overblown, or both.”

The debate had been simmering for years before the Apple-FBI row.

Last year, a panel led by Massachusetts Institute of Technology scientists warned against “special access” for law enforcement, saying they pose “grave security risks” and “imperil innovation.”

Opening up all data

“I’m not sure there is much room for compromise from a technical perspective,” said Stephen Wicker, a Cornell University professor of computer engineering who specializes in mobile computing security.

Opening the door to the FBI effectively makes any data on any mobile device available to the government, he said.

“This is data that was not available anywhere 10 years ago, it’s a function of the smartphone,” Wicker said.

“We as a country have to ask if we want to say that anything outside our personal human memory should be available to the federal government.”

Apple has indicated it is ready for a “conversation” with law enforcement on the matter.

But FBI Director James Comey told a congressional panel that some answers are needed because “there are times when law enforcement saves our lives, rescues our children.”

Asked about the rights envisioned by the framers of the US constitution, he said, “I also doubt that they imagined there would be any place in American life where law enforcement, with lawful authority, could not go.”

A brief filed on behalf of law enforcement associations argued that because of Apple’s new encryption, criminals “have now switched to the new iPhones as the device of choice for their criminal wrongdoing.”

Ed Black, president of the Computer & Communications Industry Association, which includes major technology firms but not Apple, said that although tech firms and law enforcement have had many battles, “there are many areas where we cooperate and where we find middle ground.”

But Black said the tech sector is largely united in this case because the FBI wants Apple to create weaker software or introduce “malware” to be able to crack the locked iPhone.

“On this narrow specific issue of ‘can companies be compelled to create malware,’ I think there may not be an answer,” he said.

‘Going dark’ fears

Law enforcement fears about “going dark” in the face of new technology have been largely exaggerated, Black said.

While access to encrypted apps and smartphones is difficult and traditional wiretaps don’t work on new technology, “there are a lot of other tools for law enforcement,” he said.

“There is more information available in 2016 than in any year since the founding of the country.”

Although law enforcement has growing expectations about using technology to thwart criminals, that type of power is too broad, Black added.

“If they are seeking a level of total surveillance capability, I don’t see a compromise available,” he said.

Wicker said that to give law enforcement access, Congress could in theory mandate that devices use automatic cloud backups that could not be disabled. But that would constitute a dramatic departure from current views about privacy.

“From an individual rights standpoint,” he said, “that would take away control by the user of their personal information.”

Amazon Dropping Fire Encryption Has Nothing to Do With Apple

Today, several reports pointed out that Amazon’s Fire OS 5 does not support device encryption, drawing a connection between the company’s encryption retreat and the current Apple-FBI iPhone unlocking fracas. But Amazon’s decision to remove Fire OS 5’s onboard encryption is not a new development, and it’s not related to the iPhone fight. The real question at hand is why Amazon decided to roll back encryption protection for consumers all on its own.

Introduced last fall, Amazon’s Fire OS 5 featured a refreshing redesign that added several usability features. But Fire OS 5 also took away device encryption support, while still maintaining security features for communication between devices and Amazon’s cloud.

“In the fall when we released Fire OS 5, we removed some enterprise features that we found customers weren’t using,” Amazon spokesperson Robin Handaly told WIRED. “All Fire tablets’ communication with Amazon’s cloud meet our high standards for privacy and security, including appropriate use of encryption.”

We’ve reached out again for clarification as to what “appropriate use” of encryption entails in Amazon’s view.

To be clear, removing encryption protections of any kind from Fire tablets should be seen as a step back for consumers, and for security as a whole.

“Amazon’s decision is backward—it not only moves away from default device encryption, where other manufacturers are headed, but removes all choice by the end user to decide to encrypt it after purchase,” says Nathan White, Senior Legislative Manager at digital rights organization Access Now. “The devices themselves also become more attractive targets for thieves. Users should no longer trust these devices: If you wouldn’t post it to the internet publicly, don’t put it on a Fire Tablet.”

Further, Amazon’s insistence that it maintains a secure connection with the cloud doesn’t ease concerns over the data on the device itself that’s now vulnerable.

“Data encryption at rest and data encryption in motion are two completely different things,” says White. “They shouldn’t conflate two important issues by saying ‘we encrypt in motion, so data at rest doesn’t matter.’”

Even without the cloud connection, a device stores all sorts of personal information, from email credentials to credit card numbers to sensitive business information, if you happen to be an enterprise user. In fact, the lack of encryption means corporate customers aren’t able to use certain email clients on Fire tablets any longer.

Amazon’s move is a bad one. But it’s not a retreat in the face of Apple-FBI pressures. For better or worse (mostly worse), it’s been this way for months. As Handaly noted, Fire OS 5 came out last fall, on a suite of new Amazon devices. Amazon message board users have been commenting on, and complaining about, the absence of encryption since at least early January.

So why the sudden focus? Likely because of this tweet:

People are talking about the lack of encryption today because the OS update is only now hitting older devices, like the fourth-generation Fire HD and Fire HDX 8.9. Despite how neatly the sudden forfeiture of encryption by a tech giant fits the Apple-FBI narrative, this encryption deprecation isn’t related to that battle. Instead, Amazon appears to have given up onboard encryption without any public fight at all.

“This move does not help users. It does not help corporate image. And it does not fit into industry trends,” says Amie Stepanovich, US Policy Manager at Access Now.

U.S.Defense Secretary Ashton Cater Doesn’t Believe in Encryption Backdoors

Secretary of Defense Ashton Carter came out against supporting encryption back-doors at a conference panel on Wednesday.

At the RSA information security conference in San Francisco, Carter told a packed room that he supported strong encryption and thought back-door access to encrypted communication as unrealistic. During his talk on the Apple vs. FBI case, which he shied away from the details because it is a “law enforcement issue,” Carter received scattered applause from the crowd of security professionals after he said he supports strong encryption.

“I think first of all that for the Department of Defense, data security including encryption is absolutely essential to us. We are for strong encryption,” Carter says. “I’m not a believer in backdoors or a single technical approach. I don’t think it’s realistic.”

Carter joined Attorney General Loretta Lynch in supporting encryption at the RSA Conference this week. In a stage interview with Bloomberg at the Moscone Center on Tuesday, Lynch called for “a middle ground” between national security and privacy.

In the 50-odd minute talk with Ted Schlein, general partner for the influential venture capital firm Kleiner, Perkins, Caufield & Byers, Carter focused his talk on how to bridge the gap between the Pentagon and Silicon Valley.

Carter, who was appointed to the secretary position last February by President Barack Obama, spoke about two initiatives in particular: the Defense Innovation Unit-Experimental (DIUx) and the Defense Innovation Advisory Board. Both serve to make the department more agile and tech-savvy in the age of cyberwarfare with competitors like Russia and China, Carter says.

“DIUX is a place to connect. It is down the road [from Silicon Valley]. I’ve given it a very open charter,” Carter says. “We need to be very hawkish on the idea of reform.”

Earlier on Wednesday, the Defense Department announced that former Google CEO Eric Schmidt will chair the Defense Innovation Advisory Board. “There is going to be some technical minds who come in and giving me advice to be more innovative,” Carter says. “I am so grateful to Eric Schmidt for his willingness to do this. He’s the perfect chairman for this.”

He also announced a new competition called “Hack the Pentagon” where ethical, or white hat, hackers find vulnerabilities in the Pentagon’s systems and boost the overall cybersecurity of the department. “You would rather find the vulnerabilities in your networks that way than the other way of pilfering information,” Carter says. Hackers must be American citizens, Carter added.

While the Pentagon is bolstering its defenses in protecting its own data, it is also aggressively attacking ISIS, Carter says. Similar to the radio-jamming tactics during the Cold War, the Pentagon has been disrupting the terrorist group’s online channels of communications. “We will and must defeat ISIL. I’m looking for all the ways to accelerate that,” Carter says. “We are using cyber to disrupt communication and doubt the reliability of the comm. Now that enemies use cyber, that’s another way to shut them down.”