Apple – DoGoodSoft's Official Blog

Texas Church Shooting: More Calls for Encryption Backdoors

US Deputy Attorney General, Rod Rosenstein, has decided to use the recent mass shooting at a Texas church to reiterate calls for encryption backdoors to help law enforcers.

The incident took place at the First Baptist Church in Sutherland Springs, killing at least 26 people.

Deceased suspect Devin Kelley’s mobile phone is now in the hands of investigators, but they can’t access it — a similar situation to the one following the mass shooting in San Bernardino which resulted in a court room standoff between Apple and the FBI.

It’s now widely understood that there’s no way for an Apple, Facebook or other tech provider to engineer backdoors in encrypted systems that would allow only police to access content in cases such as these, without putting the security of millions of law-abiding customers at risk.

However, that hasn’t prevented Rosenstein becoming the latest senior US government official to call on technology companies to implement backdoors.

“As a matter of fact, no reasonable person questions our right to access the phone. But the company that built it claims that it purposely designed the operating system so that the company cannot open the phone even with an order from a federal judge,” he told a meeting of local business leaders in Maryland.

“Maybe we eventually will find a way to access the data. But it costs a great deal of time and money. In some cases, it surely costs lives. That is a very high price to pay.”

For its part, Apple has maintained that it works closely with law enforcement every day, even providing training so that police better understand the devices and know how to quickly request information.

However, it is standing firm on the matter of backdoors, aware that breaking its own encrypted systems for US police would likely lead to a stream of requests from other regions including China.

It’s also been suggested that cyber-criminals or nation state actors could eventually get their hands on any backdoors, which would be catastrophic for Apple and its users.

Top10VPN.com head of research, Simon Migliano, called for cool heads on the issue.

“The US Deputy Attorney General bemoans ‘warrant-proof encryption’ but fails to understand that there is no other type of encryption. As all privacy and security experts agree, to undermine encryption with ‘backdoors’ is to open a Pandora’s Box that puts at risk the entire online – and therefore real-world – economy.

“End-to-end encryption secures our banking, online shopping and sensitive business activities. Any kind of ‘backdoor’ would fatally undermine security in these areas. As we learned to our cost with the leak of CIA tools earlier this year, once an exploit exists, it’s only a matter of time until it leaks and cybercriminals have yet another tool at their disposal.”

FBI couldn’t retrieve data from nearly 7000 mobile phones due to encryption

FBI couldn't retrieve data from nearly 7000 mobile phones due to encryption

The head of the FBI has reignited the debate about technology companies continuing to protect customer privacy despite law enforcement having a search warrant.

The FBI says it hasn’t been able to retrieve data from nearly 7000 mobile phones in less than one year, as the US agency turns up the heat on the ongoing debate between tech companies and law enforcement officials.

FBI Director Christopher Wray says in the first 11 months of the fiscal year, US federal agents were blocked from accessing the content of 6900 mobile phones.

“To put it mildly, this is a huge, huge problem,” Wray said in a speech on Sunday at the International Association of Chiefs of Police conference in Philadelphia.

“It impacts investigations across the board – narcotics, human trafficking, counterterrorism, counterintelligence, gangs, organised crime, child exploitation.”

The FBI and other law enforcement officials have long complained about being unable to unlock and recover evidence from mobile phones and other devices seized from suspects even if they have a warrant. Tech firms maintain they must protect their customers’ privacy.

In 2016 the debate was on show when the Justice Department tried to force Apple to unlock an encrypted mobile phone used by a gunman in a terrorist attack in San Bernardino, California. The department eventually relented after the FBI said it paid an unidentified vendor who provided a tool to unlock the phone and no longer needed Apple’s assistance, avoiding a court showdown.

The Justice Department under US President Donald Trump has suggested it will be aggressive in seeking access to encrypted information from technology companies. But in a recent speech, Deputy Attorney General Rod Rosenstein stopped short of saying exactly what action it might take.

Apple to expand encryption on Macs

Apple is amping up its commitment to encryption.

The company is beginning the first major overhaul of the Mac filing system — the way it stores files on the hard drive — in more than 18 years. The move was quietly announced during a conference break out session after Apple’s blockbuster unveiling of its new operating system MacOS Sierra.

Amidst other new features, including the ability to place timestamps on files accurate to fractional seconds and a more efficient mechanism to clone files, the new Apple File System (APFS) updates file encryption.
The new system allows files to be encrypted with multiple keys, providing an extra layer of security against attackers or, to the FBI’s recent chagrin, law enforcement agencies.

The shift comes after Apple faced vocal criticism for its commitment to encrypted data after refusing to unlock an iPhone used by one of the shooters in the San Bernardino, Calif, terrorist attack.

Currently, on computers using OSX’s encryption, files are encrypted using the same key. The operating system unlocks the files on computers where a user has logged in. If an attacker compromises the key or attacks the computer when a user has logged in, the files are no longer encrypted.

On APFS, users will have the option to encrypt different segments of the file storage system with different keys. Access to one file wouldn’t mean access to all of them.

APFS will also encrypt the metadata contained in each file.

The new file system will released in 2017, months after Sierra’s release.

Apple Echoes Commitment to Encryption after Orlando Shooting

Apple used the kickoff of its Worldwide Developers Conference Monday to reaffirm the company’s stance on encryption and data monetization, one day after the most deadly mass shooting in U.S. history threatened to rekindle the debate surrounding the use of the technology.

“In every feature that we do, we carefully consider how to protect your privacy,” Apple senior vice president of software engineering Craig Federighi told conference attendees in San Francisco Monday.

Federighi said that includes the Cupertino-based company’s commitment “to use end-to-end encryption by default,” and described a new policy at Apple known as “differential privacy,” which incorporates using machines to learn how users use Apple products via crowdsourced data, while not tracking specific data back to individual users.

Federighi’s keynote came one day after 29-year-old Omar Mateen shot and killed 49 people at a gay nightclub in Orlando early Sunday, and who authorities later said pledged allegiance to ISIS during the attack.

The scenario echoes last year’s shooting in San Bernardino, where two attackers later found to have made a similar pledge to the Islamic extremist terror group were found in possession of an iPhone after a shootout with police that left both dead. The FBI asked Apple to bypass the device’s encryption as part of their investigation — a request Apple refused, prompting a court battle that ended prematurely after the FBI found a third-party to crack the phone’s encryption.

Investigators recovered a phone from Mateen after he died in Sunday’s attack, but have declined to identify its make. Regardless of whether the device is an Apple product, the shooting could easily become fodder for those in government pushing for a back door into encrypted communication platforms like Apple’s, especially given the increasing number and popularity of encryption applications like Telegram of the Facebook-owned WhatsApp.

“We are going through the killer’s life — especially his electronics — to understand as much as we can about his path and whether there was anyone else involved, either in directing him or in assisting him,” FBI Director James Comey said Monday.

The FBI director said investigators are confident Mateen was self-radicalized online.

Comey has repeatedly testified before Congress on the emerging issue of terrorists and criminals “going dark” online as a result of their use of communication platforms with end-to-end encryption, which in Apple’s case, not even the company itself can access without a user’s PIN.

The tug of war between privacy and security has spread from cases still pending in court against Apple and others to Congress, where lawmakers have offered several legislative proposals to discuss or even mandate law enforcement cooperation, all the way up to the 2016 presidential election, with Donald Trump calling for a “boycott” of Apple products.

Apple CEO Tim Cook opened the conference Monday by leading the crowd in a moment of silence for the victims of Sunday’s shooting.

“The Apple community is made up of people from all around the world, all different backgrounds, all different points of view,” said Cook, who came out as gay in 2014. “We celebrate our diversity.”

“We offer our deepest sympathies to everyone whose lives were touched by this violence,” he continued, “this senseless, unconscionable act of terrorism, of hate aimed at dividing and destroying.”

Cook wrote an open letter earlier this year in the wake of the San Bernardino debate pushing back against the FBI’s attempt to force the company into cooperating.

Amazon is going to remove encryption capabilities of its Kindle Fire, Rumours says Apple & FBI Case is reason – Lansing Technology Time

According to Amazon, Removing Kindle Fire,Fire OS 5’s onboard encryption is not a new development, and it’s not related to the iPhone fight

Amazon said that the Fire OS 5 update removed local device encryption support for the Kindle Fire, Fire Phone, Amazon Fire HD, or Amazon Fire TV Stick was because the feature simply wasn’t being used.

Privacy advocates and some users criticized the move, which came to light on Thursday even as Apple Inc was waging an unprecedented legal battle over U.S. government demands that the iPhone maker help unlock an encrypted phone used by San Bernardino shooter Rizwan Farook.

On-device encryption scrambles data so that the device can only be accessed if the user enters the correct password. Cryptologist Bruce Schneier said Amazon’s move to remove the feature was “stupid” and called on the company to restore it.

Amazon’s move is a bad one. But it’s not a retreat in the face of Apple-FBI pressures

One of the features removed includes one that allowed owners to encrypt their device with a pin which, if entered incorrectly 30 times in a row, deletes all the data stored on it. The feature is similar to the safety feature found on the iPhone at the center of the San Berardino shooter trial, which erases all the device data if the passcode is entered incorrectly ten times.

Amazon joined other major technology companies in filing an amicus brief supporting Apple on Thursday, asking a federal judge to overturn a court order requiring Apple to create software tools to unlock Farook’s phone.

Amazon spokeswoman Robin Handaly said in an email that the company had removed the encryption feature for Kindle Fire tablets in the fall when it launched Fire OS 5, a new version of its tablet operating system.

“It was a feature few customers were actually using,” she said, adding that Kindle Fire tablets’ communication with the company’s cloud meets its “high standards for privacy and security including appropriate use of encryption.”

Encryption expert Dan Guido said that Amazon may have eliminated the feature to cut component costs for tablets that sell for as low as $50.

But digital privacy advocates and customers said those arguments were not good enough reasons for discontinuing the feature.

“Removing device encryption due to lack of customer use is an incredibly poor excuse for weakening the security of those customers that did use the feature,” said Jeremy Gillula, staff technologist with the Electronic Frontier Foundation.

“Given that the information stored on a tablet can be just as sensitive as that stored on a phone or on a computer, Amazon should instead be pushing to make device encryption the default – not removing it,” Gillula said.

David Scovetta, a security analyst who owns two Kindle e-readers as well as Amazon’s TV set-top box, said he is now wary of buying new gadgets from the company.

“Amazon could just as easily be encouraging its users to adopt it rather than remove it as a feature. That’s a massive step backwards,” he said.

Fire OS 5 is the first release to use the Android 5.0 “Lollipop” codebase, and as such it is possible that this removal is down to a technical issue (such as battery life or performance). Last year Google reported that it would allow hardware makers to decide whether or not to enable encryption-by-default because of performance issues on older devices.

People are talking about the lack of encryption today because the OS update is only now hitting older devices, like the fourth-generation Fire HD and Fire HDX 8.9. Despite how neatly the sudden forfeiture of encryption by a tech giant fits the Apple-FBI narrative, this encryption deprecation isn’t related to that battle. Instead, Amazon appears to have given up onboard encryption without any public fight at all.

UK’s lower house eases up on encryption

The United Kingdom’s House of Commons approved far-reaching authority for spy agencies to access cyber data Tuesday, but pulled back some restrictions on encryption opposed by Apple and Facebook.

The so-called “snooper’s charter,” officially the Investigatory Power Act, codifies intelligence agencies’ use of metadata analysis and malware to hack computers that has been ongoing in the U.K. It requires communications companies to maintain records of customers’ web browsing for a full year to assist investigations.
But the final version eased up on restrictions on encryption. Early drafts of the law mandated encryption include backdoor access – an issue that recently sparked a battle between Apple and the FBI in the U.S. The version passed Tuesday requires only that companies help break encryption if it is reasonable in terms of cost and technology.

That would keep the kinds of encryption used on Apple phones and Facebook’s newly announced end-to-end encrypted messaging service off the table. When properly implemented, neither would be technologically possible to crack.

The changes to encryption were one of a few amendments meant to assuage concerns about the law’s effect on privacy. Civil liberties groups are still unhappy with the complete product, though interior minister Theresa May called the safeguards “world leading.”

The final vote on the IPA was 444-69. It now heads to the House of Lords for their approval.

Customer Headaches Could Curtail Apple’s Encryption Push

At an event held during Apple’s fight with the FBI over whether it should help unlock a dead terrorist’s iPhone, CEO Tim Cook promised “We will not shrink” from the responsibility of protecting customer data —including from government overreach.

Yet the obvious next step for the company could be hard to take without inconveniencing customers.

Apple is currently able to read the contents of data stored in its iCloud backup service, something at odds with Cook’s claims that he doesn’t want his company to be capable of accessing customer data such as mobile messages.

Apple has not denied reports it is working to change that. And the company is expected to make some mention of its security technology at its World Wide Developers Conference next week, as it did at March’s iPhone event in March.

But redesigning iCloud so that only a customer can unlock his data would increase the risk of people irrevocably losing access to precious photos and messages when they lose their passwords. Apple would not be able to reset a customer’s password for them.

“That’s a really tough call for a company that says its products ‘Just work,’” says Chris Soghoian, a principal technologist with the American Civil Liberties Union—referring to a favorite line of Apple’s founder, Steve Jobs.

Cook has boasted of how the encryption built into Apple’s iPhones and iMessage system keeps people safe by ensuring that only they can access their data. FBI director James Comey has complained about it.

But the design of iCloud means that Apple can read much of its customers’ data, and help the government do so, too. The service is enabled by default (although you can opt out), and automatically backs up messages, photos, and more to the company’s servers. There the data is protected by encryption, which Apple has the key to unlock. The company’s standoff with the FBI happened only because the backups Apple handed the agency from San Bernardino shooter Syed Farook’s iPhone ended six weeks before the shooting, because he had turned them off.

Apple could lock itself and law enforcement out of iCloud data by encrypting each person’s iCloud backups using a password under his control, perhaps the same one that locks his iPhone.

The company has not denied reports from the Financial Times and Wall Street Journal that it is working on such a design. Passwords and credit card details stored using an iCloud feature called Keychain are already protected in this way. But taking this approach would prevent Apple from being able to reset a person’s password if he forgets it. The data would be effectively gone forever.
It is probably impractical for Apple to roll out that approach for everyone’s data, as the company did for the security protections built into the iPhone, says Vic Hyder, chief strategy officer with Silent Circle, which offers secure messaging, calls, and data sharing for corporations.

“It puts control on the customer but also responsibility on the customer,” he says. “This will likely be an option, not the default.”

Soghoian of the ACLU agrees. “I think they will probably offer it as an option, but be reluctant to advertise that feature much,” he says. “More people forget their passwords than get investigated by the FBI.”

Bryan Ford, an associate professor at the Swiss Federal Institute of Technology in Lausanne, says Apple could take steps to reduce the risk of accidental data loss.

The company’s FileVault disk encryption feature for PCs offers the option to print out a recovery key. A similar process could be used for iCloud encryption, says Ford.

Apple could also implement other safeguards, he says. For example, people could have the option of distributing extra encryption keys or passwords to several “trustees,” who could help recover data if the original password was lost. To prevent abuse it could be required that a certain number of trustees, say, three of five, came forward to unlock the data.

The cryptography needed for such a design is well understood, says Ford. He recently designed a similar but more complex system intended to help companies such as Apple prevent their software updates from being abused (see “How Apple Could Fed-Proof Its Software Update System”).

Alan Fairless, cofounder and CEO of SpiderOak, which offers companies fully encrypted data storage, says he thinks companies like Apple will eventually make truly secure cloud storage accessible to consumers.

Encrypted messaging was clunky and hard to use until recently, but is now widespread thanks to Apple and WhatsApp, he points out. Encrypting stored data is more challenging, but Apple has shown itself willing to spend significantly on encryption technology, for example by adding new chips to the iPhone, says Fairless.
However, he also thinks Apple and its customers aren’t yet ready for encrypted iCloud backups to be the default. “It’ll take consumer technology a while to catch up,” says Fairless.

How Apple makes encryption easy and invisible

Do you know how many times a day you unlock your iPhone? Every time you do, you’re participating in Apple’s user-friendly encryption scheme.

Friday, the company hosted a security “deep dive” at which it shared some interesting numbers about its security measures and philosophy as well as user habits. To be honest, we’re less concerned with how Apple’s standards work than the fact that they do and will continue to. But that’s kind of the point behind the whole system — Apple designed its encryption system so that we don’t even have to think about it.

Apple’s encryption and security protocols have faced a ton of scrutiny during its recent showdown with the government. And if anything, that debate has gotten more people thinking seriously about how data can and should be secured. And the topic is not going away for a while.

We weren’t there Friday, but Ben Bajarin from Techpinions offers some great analysis, and his piece includes some really cool stats. For one, Apple says that the average user unlocks their phone 80 times a day. We don’t know if that’s across all platforms or just iOS. It sounds a little low in my case, however, because I’m generally pretty fidgety.

But because people are checking their phones so often, it’s important for Apple developers to make encryption powerful without causing the end user frustration. Like if they could just plunk their thumb down, and their phone would unlock, for example.

89 percent of people who own Touch ID-enabled devices use the feature, Apple says. And that’s a really impressive adoption rate, but it makes sense when you think about how much easier the biometric system is to use than a passcode.

Passcodes are great, of course, and you have to have one. But as an experiment a while ago, I turned off Touch ID and went numbers-only to unlock my phone. And guess what? It was really annoying. I switched the feature back on by the end of the day.

Apple also talked up its so-called Secure Enclave, which is its slightly intimidating name for the single co-processor that has handled all encryption for its devices since the iPhone 5s. Each Enclave has its own, unique ID that it uses to scramble up all of the other data for safekeeping. And neither Apple nor other parts of your phone know what that UID is; it all just happens on its own. And that’s pretty much how we prefer it.

Apple, FBI set to resume encryption fight at House hearing

The encryption battle between Apple and the FBI is moving from the courtroom to Congress next week.

Representatives from the tech titan and the federal law enforcement agency are scheduled to testify Tuesday before the House Energy and Commerce Committee about the debate over how the use of encryption in tech products and services hampers law enforcement activities.

In February, Apple clashed with the FBI over whether the company would help investigators hack into the encrypted iPhone of San Bernardino shooter Syed Farook. That case ended when the FBI said it had found a way to unlock the phone without Apple’s help. The debate, however, is unresolved.

Technology companies and rights groups argue that strong encryption, which scrambles data so it can be read only by the right person, is needed to keep people safe and protect privacy. Law enforcement argues it can’t fight crimes unless it has access to information on mobile devices.

The hearing, called “Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives,” will include two panels. The first features Amy Hess, executive assistant director for science and technology at the FBI, who will speak about law enforcement concerns along with other law enforcement officials from around the country. Apple general counsel Bruce Sewell will speak during a second panel, which will feature computer science and security professionals.

The FBI and Apple did not immediately respond to requests for comment on their testimony.

The hearing’s agenda comes just a day after a US Senate encryption bill was released that would give law enforcement and government investigators access to encrypted devices and communications. Authored by US Sens. Dianne Feinstein and Richard Burr, the bill furthers a fight that pits national security against cybersecurity.

Earlier this month, Facebook complicated things a bit further for the FBI when it announced that all communications sent on its popular WhatsApp messaging app are now encrypted.

Feinstein encryption bill sets off alarm bells

A draft version of a long-awaited encryption bill from Sens. Dianne Feinstein, D-Calif., and Richard Burr, R-N.C., was leaked online last week, and the technology industry is already calling foul.

The bill requires any company that receives a court order for information or data to “provide such information or data to such government in an intelligible format” or to “provide such technical assistance as is necessary to obtain such information or data in an intelligible format.” It doesn’t specify the terms under which a company would be forced to help, or what the parameters of “intelligible” are.

The lack of these boundaries is one of the reasons why the backlash to the bill — which isn’t even finished — has been so fast and overwhelming. Kevin Bankston, director of the Open Technology Institute, called it “easily the most ludicrous, dangerous, technically illiterate proposal I’ve ever seen.”

It’s disheartening that the senators intend to continue pressing on with this bill, especially in light of the FBI’s recent bullying of Apple. After the FBI bungled its handling of the San Bernardino shooter’s phone, it tried and failed to force Apple into creating a new program that would let it hack into not just the shooter’s phone but probably many other phones as well. When Apple resisted, the FBI mysteriously came up with a workaround. Small wonder other technology companies are reacting poorly to this Senate bill.

Feinstein’s staffers said that the issue is larger than one phone. That’s true — and it’s exactly why such a broad proposal should make everyone who uses a smartphone uneasy. Giving law enforcement such a broad mandate would inevitably lead to questionable decisions, and it would weaken Internet security for everyone.

Feinstein’s staff also said that the reason for the bill’s vagueness is that the goal is simply to clarify law, not to set a strict method for companies or to tell the court what the penalties should be should companies choose not to follow orders. That sounds good in theory. In practice, Feinstein and Burr would be well-advised to go back to the table with technology interests — and really listen to their concerns.