Tag Archives: DoJ

The FBI is TRYING to Stem Cyber Badguyness

There is no easy answer, but I can tell you for sure that the FBI has been applying more and more resources to cybecrime every year.

Just this month they unsealed seven indictments charging 16 people from China, Russia, Iran and Malaysia with hacking crimes.

Treasury sanctioned 45 people associated with Iran and two people from Russia.

At the same time, DHS and the FBI have been flooding us techies with threat advisories.

While this is completely unlikely to stop crime, it does increase the risk for bad guys. I am always amazed when these folks travel to countries friendly to us and get arrested and extradited.

FBI Director Wray said last week at a CISA summit that the FBI’s plan is to increase risk for the bad guys.

They have also been working with companies like Microsoft to take down web servers hosted by the hackers.

But it turns out that none of these recent indictments went after government sponsored hackers. That may be a coincidence or it may be intentional.

In fairness to the FBI, these crimes are hard to solve. It is not like China is going to cooperate with us

Still, we have to acknowledge that the more pressure the FBI and other law enforcement puts on hackers, the better. And, we should not forget, there are a lot of hackers right here in the U.S. Those should be easier to apprehend.

I will say that I would not want their job. It is next to impossible to win. Most hackers think, correctly or not, that the odds of getting caught are very low.

The risk is low – if they remember one thing – one thing that hackers seem to forget regularly. Pigs get fat, hogs get slaughtered. If you are too greedy, you will paint a target on your back. And you will increase the odds of getting caught.

Credit: The Record

Microsoft Sues The Department Of Justice

In the turnabout is fair play department, Microsoft is now suing the Department of Justice.  Turns out that over the last 18 months, Microsoft has received about 5 orders a day for customer information which do not allow Microsoft to tell the customer that the government filched their data.  For the majority of them, that order is forever.

Microsoft thinks that is highly overplayed – that in many cases there is no reasonable need for long term security.

And, of course, it hurts Microsoft’s business.  If people think that if they store their data in Microsoft’s cloud that the government can grab their data – in many cases without even needing a warrant – they may be reluctant to use Microsoft’s services.

Some of you amateur cyber law geeks may remember ECPA – The Electronic Communications (non) Privacy Act.  Back in the 1980s when it was written, no one left stuff in the cloud.  After all, that would be really stupid.  So, as a result and for some bizarre logic that is only clear to Congress, ECPA says that if you store an email in the cloud for more than 180 days, they consider it unimportant or abandoned, so if law enforcement wants to see it, all they have to do is ask. No need for a warrant.

Congress has toyed with fixing this bit of stupidity, but has never actually gotten around to it.  They are talking about fixing it again this year.  One likely reason Congress has not changed the law is that the prosecutors like the status quo and have no interest in seeing the law changed.

If that same email is stored, instead, on your own server or on your PC, – same age, same content – then a prosecutor has to go before a judge and convince the judge to issue a warrant.  Then they have to present that warrant to you and you can choose to fight it.

If that email is stored in Google’s cloud or Microsoft’s cloud, then all that same prosecutor has to do is ask Microsoft or Google for a copy of it.

Needless to see, Microsoft likely thinks that this could have a negative impact on selling their services, hence the lawsuit.

This is especially a problem for non U.S. customers who might not be thrilled with American law enforcement rifling through their stuff.

This suit was just filed in the Western District of Washington.  Unless the government blinks, this could make it up to the Supreme Court – minus one justice  Stay tuned for details.

Information for this post came from Microsoft’s Blog.

Apple Fights DoJ On Privacy

Apple and the Department of Justice are not getting along these days.  The DoJ wants Apple to feed them real time iMessage traffic for someone the DoJ is quietly investigating.

Apple says that the way their system is designed, this is not possible.  If the user stores their messages in iCloud, they can give the DoJ those messages after the fact, but not in real time.

The FBI and DoJ advocate taking Apple to court, which apparently they have not done yet, to get Apple to insert a back door to allow them to feed messages to the DoJ in real time.

Tim Cook, head of Apple, said they “have to cart us out in a box before we would do that”.

Yahoo got into a similar fight with the DoJ and were subject to fines of $250,000 a day for refusing to turn over stuff that they had the ability to turn over.

What is much less clear is whether a court can compel Apple to add a security hole into their software because the government would like them to, absent some law that specifically requires that.

What probably has the DoJ pausing before clicking the court fight trigger is that if the court says NO to the DoJ they have created a precedent that will haunt the DoJ for a long time.

In the 1990s, the DoJ got a very different Congress to agree to make telephone companies add back doors for wiretaps.  The trade was that the government would pay the phone companies to do that.  At the time there were a handful of phone companies and the gov spent several billion dollars.

The DoJ has been lobbying Congress hard to pass a law like that today.  Congress has had no stomach to do that, I suspect for several reasons.  First, both liberals and conservatives would have to explain to their believers why they voted for such an invasive law.  Both groups would be scared that they would likely get booted out of office at the next election.

Second, if it cost say $2 billion in the 1990s for a handful of phone companies, it would like cost a thousand times that much or more for a thousand times as many software companies.  Who is going to vote to add that much to the federal deficit and stay in office.

Finally, the phone companies kept CALEA (the 1990s era wiretap law) tied up in court for a decade.  I suspect that the likes of Google, Microsoft and Apple, in a partnership might be able to keep it tied up in court for at least that long and probably get an injunction to force the government not to enforce it until the courts resolve it.

One simple thing that Apple could do – and I have no clue if they are considering this – is completely kill iMessage.

At the same time give a grant to a company in the Caymans or some other haven to create a product that does the same thing.  They need to have ZERO ownership interest in that company.

Then Apple could legitimately say that it is not our software, we don’t have any control over it, but you can certainly sue that company in the Caymans court if you like (or some other similar scenario).

It turns out that iMessage has a security flaw that a lot of software has.  It is one reason why my former company, Absio, is adding the ability to do offline key exchange into their product.

The feds could try and force Apple to add an additional public key to your account like would happen if you had an extra device.  Except that this “device” belongs to the feds.

And since Apple, in it’s quest to simplify things, does not show the user what keys exist for each account, the user would be none the wiser if they did that.

This is about as certain as tomorrow’s weather – but it could be an interesting battle.  Picking a fight with a company with $200 billion in cash in the bank and who’s products are probably used by almost every lawmaker and judge in the country might not make the DoJ very popular – and may not be a fight the DoJ is willing to take on.

Stay tuned!

 

Information for this article came from ZDNet.

Justice Department Continues Push To Get Rid Of Encryption

The Justice Department continues to push for the ability to bypass encryption (see here). Leslie Caldwell, one of the assistant AGs said that the DoJ is very concerned that Apple and Google have turned on encryption by default.  I guess that must point to the fact that if people have to do something to turn it on, they won’t, which makes eavesdropping that much easier for them.

FBI Director Comey has said before that he wants to push Congress to make automatic encryption illegal – again pointing to the fact that many people won’t bother to encrypt if it requires an extra click or two.

On the other hand, the government is saying that we have to be more concerned about cyber security – it seems like they are trying to have it both ways.  Encryption is one of the easiest and simplest ways to make it harder for the bad guys to do you in.  It also makes it harder for the FBI and NSA to vacuum up massive amounts of data to look for the needle that they want to find in the data haystack.

Caldwell actually said that encryption makes data too safe.  Really?  Too safe?  Isn’t that kind of like being too rich?  Or too happy?  Seems a bit self serving.

Caldwell also said that she hopes that companies will build a back door (‘cuz if they do, certainly the Chinese won’t figure that out) so that the FBI can mail the phone to Apple or Google to decrypt.  Really.  MAIL THE PHONE.  I think she is a bit out of touch with the digital age.

Some people have gotten hung up on the term back door, meaning an intentionally introduced mechanism that allows someone who knows about it to compromise the encryption.  Lets assume that what they really mean is that they want a copy of your encryption keys and they promise to keep them safe.  Is that really possible for them to keep safe?  And what about the data vacuuming that the agencies are doing – doesn’t that require them to use those keys every time you get online?  How, exactly, do you keep that secure.

If I have the key and they want it, then they have to go to a judge and get a warrant and I can disagree and try to convince the judge that they shouldn’t get it.  And, I can change the key so that sharing that key won’t compromise my future conversations.  Key escrow or back doors don’t allow any of that to occur.

The DoJ is also not happy with the TOR network.  They say they are making some progress at hacking it, but I *think* mostly they are taking advantage of people’s poor personal security hygiene (people make mistakes and the feds capitalize on that).

Clearly, encryption and TOR and similar tools can be used for bad purposes, but so can hammers and I don’t see a demand to outlaw hammers.

I am quite sure that encryption makes it harder for the government to do massive data collection and correlation, but we managed to track down criminals before and we can continue to track down criminals after.

Three thoughts and I will allow you to draw your own conclusion –

1. Are bad guys likely to use encryption software that has a back door vs. software that is available for free on the black market that does not have a back door?  Or software that is created by developers in any other country that doesn’t require them to add a back door.  Surely the dumb ones will and you may therefore catch them, but what about the really dangerous ones?

2. What is the financial impact on the U.S. economy if the rest of the world (RoW) knows that the U.S. government can look at their stuff without them knowing about it.  eWeek reported that U.S. Cloud providers said their business could shrink by 25 percent as a result of the NSA data collection. That could be a direct loss to the U.S. economy of $25-$100 billion over three years depending on who you believe.  That doesn’t include secondary effects (if the providers sell less services, they will buy less computers and hire fewer people, for example).  If the RoW thinks that the U.S. has a crypto back door, how many U.S. jobs will that cost and how many billions in business will we lose.

3. A lot of the crypto is controlled by service providers (like SSL and Facebook), but much more of it is controlled by the end users.  If Joe and I are talking to each other, we share a secret that only we know and that is used as the key.  The fact that the key is secret is what makes it secure.  If that key gets out, then all traffic past, present and future, that was protected with that key, is compromised.  And the feds would like businesses to give that to them freely.  I don’t think that is going to happen.  I have been known to be wrong before.  I think I was once in 1997.  Or maybe 1998.

The government has been trying to build back doors into encryption since at least 1993 when they came out with the idea of the Clipper chip.  It didn’t sell then and it is not likely to sell now.  My two cents.

Mitch

Microsoft, Amazon and Apple fighting together for privacy

The Department of Justice appears to be doing its best to kill off the cloud – at least in the U.S.

Microsoft has been fighting, for months, a DoJ search warrant to provide emails and address book information for a customer who’s data is stored in an Irish data center.

Microsoft has been fighting this search warrant at least since April when a New York judge ordered Microsoft to turn over the emails, but also suspended that order pending appeal.  This week Microsoft filed an appeal of the order and included Amicus briefs from Amazon, Apple, AT&T, eBay, Verizon and dozens of other organizations.

Assuming those emails were stored on the user’s PC in Ireland, it would be clear that the DoJ would need to get the Irish courts involved.  They could do a black bag job, but then the U.S. courts would never admit the evidence.

The reason, at least in part, for why there were over 40 amicus filings with this appeal is that part of the DoJ’s claim is that when personal emails and other documents are stored in the cloud they are no longer personal property, but rather business records, owned in part by the cloud providers.

While the records for this case are sealed, it appears to be part of a drug investigation and what is not clear is whether this person is a U.S. Citizen living in the US.

Microsoft is arguing that this data is being held by an Irish company (the Irish subsidiary of Microsoft) and if you want the data, you need to do so in Irish courts according to Irish law.  Assuming that this person they are going after is not an American, this makes perfect sense.

Microsoft argues that the U.S. would  not be fond of say, the Russian government ordering the Russian subsidiary of Microsoft to hand over information held in the U.S.  based on a Russian search warrant and Russian law — and that is hard to argue.

In another article,  Microsoft EVP and general counsel Brad Smith, when asked if users should encrypt their email in the cloud, said that encryption is important and protects data in many circumstances, but said that it would make it hard for Microsoft to hand over your stuff to the feds if it was encrypted.  Duh!  And your point is?  I am not sure what the downside to Microsoft is if they were to say yes to that question.  I don’t get their hedging.  Obviously, if they did that, like Apple and Google are doing with their smartphones, it would make the feds upset, but is that their logic?

Remember – and this is very important – that any form of transparent encryption where Microsoft or any other cloud provider holds the encryption keys, DOES NOT STOP THE PROVIDER FROM TURNING OVER YOUR DATA IF THEY WANT TO.  In fact, Smith specifically said that if the cloud provider does not hold the encryption keys, things get problematic for them (Microsoft).

If after all the appeals, the courts hold that YOUR data stored in the cloud is no longer personal property and is owned, at least in part, by the service provider, that will have a huge negative impact on U.S. cloud providers like Amazon, Google and Microsoft.  Constitutionally, the protection of your stuff, if it is ruled to be a business record of the cloud provider you are using, is dramatically less than if it is your personal property.

I assume this is likely to be appealed all the way up the the Supreme Court, so stay tuned.