Tag Archives: Encryption

FBI Says Tech Industry Should Follow Financial Services in Saving Messages

FBI Director Christopher Wray suggested that the tech industry follow the model of the financial services industry.  Some of the big banks have created a messaging app with delete capability, so to keep the regulators happy they agreed to save a copy of each message for 7 years.

Let’s apply that to the tech industry.

Whatsapp currently serves up 55 billion messages plus 4.5 billion photos plus 1 billion videos a day.

iMessage serves up 40 billion messages a day.

Let’s assume a message, with overhead, is 1,000 bytes, a photo is 3 megabytes and a video is 20 megabytes AND let’s ignore every other secure messaging platform.  The math is:

(95 billion x 1 kB + 4.5 billion x 3 MB + 1 billion x 20 MB) x 365 x 7

That equals 33,595,000 billion bytes per day or

12,262,175,000 billion bytes per year or

85,835,225,000 billion bytes in 7 years.

That would be 85,000,000,000,000,000,000 characters, if I did the math right.  Let’s ignore compression for the moment since videos and photos don’t compress and they are the bulk of the disk space.

Assuming a 5 TB disk drive, that would only require 17,167,045 disk drives to hold the data.

Double that if you would like just one backup copy.

That assumes zero growth during that time when, as we know, growth is in the double digits per year.

That is a lot of disk drives for someone to buy.  And maintain.  And pay for the electric and people to keep them running.  Roughly the size and cost of the NSA’s Utah data center, which, estimates say, cost about $4 billion to build and probably a hundred million dollars a year to run.

Scale IS a problem here.  A big problem.

Let’s say you scale that back and say that you only keep messages for a year.  Now you only need two and a half million disk drives, assuming zero growth.

If we assume that people don’t keep all their messages, someone else is going to have to and that will be VERY expensive.  Even if you build a back door into phones, if people delete their messages, that back door doesn’t help you.

I’m not saying there is no answer, but there is no simple or inexpensive or privacy protecting way.

And, of course, if you force Apple to build a back door into iMessage, some dude in Pakistan will build his own app that doesn’t have a backdoor.  Now you have to police every phone on the planet for a long list of apps that changes daily.  Again, possible, but not cheap or inexpensive.

NOTE: These numbers are only for examples.  They could be off by a factor of 10 in either direction – or more.

Information for this post came from The Washington Post.

 


More Data is Better – Or Is It?

Talk to Google or Facebook and they will tell you that they never met a piece of information that they did not want to add to their databases.  More information means better profiles;  better profiles mean that they can charge more for ads.

But some Silicon Valley firms are rethinking that idea.

Silicon Valley startup Envoy, for example, has made a decision to keep as little customer information as possible.  That way if the government asks them for the data, they can say they do not have it.

Some large tech firms are beginning to offer services that rely far less on collecting user data.

Even early stage startups are beginning to realize that, between government demands for data and hackers, holding more data is a liability rather than an asset.

Startups are beginning to invest scarce resources to reduce the amount of data that they collect, even if it slows short term growth.

Even Marc Andreessen, the prominent venture capitalist and cofounder of Netscape, said “Engineers are not inherently anti-government, but they are becoming radicalized, because they believe that the FBI, in particular, and the U.S. government, more broadly, wants to outlaw encryption”.

Andreessen says that startups are “particularly wary” of Burr-Feinstein, the proposed legislation that would force vendors to add back doors to their encryption software.

For some tech vendors, it is not possible to follow this data minimization strategy since they are dependent on selling that data to make money.  For other vendors, they need to have access in order to deliver their service – web based email is an example of this.

Other vendors – Apple’s iMessage, Whatsapp, Signal and others – have added end to end encryption where the vendors do not have the keys.  If the FBI comes to them, they can say that they do not have access to the data.

Whatever the outcome, the government has certainly changed the conversation in Silicon Valley and that will influence the design of systems for a long time.  We will have to wait and see how this all plays out.

Information for this post came from the Washington Post.


Court Can Compel You To Unlock Your Phone – If It Is Locked With Your Fingerprint

Authorities in L.A. obtained a search warrant compelling the girlfriend of an alleged gang member to press her finger on an iPhone to unlock it because they wanted to see what was in it.

Whether this violates the 5th amendment or not is in dispute and this was an L.A. court – likely a district court.  This certainly is not the Supremes, but the Supreme Court has ruled in the past that the police can search phones with a warrant and compel someone to provide their fingerprints, but that does not mean that you can join the two.  They have also ruled, in 2000, that a person cannot be compelled to divulge the combination to a safe.

The process of unlocking the phone may say something about whether this person had control of the phone and therefore has some implications regarding crimes that may be revealed based on looking in the phone, but if this phone belonged to her boyfriend, by unlocking it, she might be contributing to convicting herself.

Other legal experts say that giving the police the finger is different than compelling testimony, so maybe it does not violate the 5th amendment.  This is going to take a lot more time to sort out.

One of the interesting parts of this is that an iPhone will lock after 48 hours so that even with a finger press, the phone won’t unlock without a password.  If the person refused and went to court to argue the point and that process exceeded the 48 hour window, I am not sure what would have happened.  I also don’t know if you can make that window, say, 1 hour instead of 48 hours.

IF this is worrisome for you, then there is a simple solution – don’t use your fingerprint to unlock your phone.

In another unrelated case, a man in Philadelphia has been in jail on contempt charges for the last 7 months for refusing to decrypt two disk drives that the cops think contain child porn, but other than they think it does, it does not appear that they have any actual evidence that it does.

This is another case, like the Apple-FBI case, where the judge invoked the 1789 All Writs Act to compel the person to assist the government with unlocking the drives.  The drives are protected by Apple’s FileVault software, but that is really not relevant.  Encryption is actually the issue.

The question at hand is whether (a) a person can be compelled to divulge his password and (b) whether a judge can use the All Writs Act to try and compel him to do so.  Given that he is willing to go to jail for at least 7 months, he is a stubborn fella – or there is child porn and he knows that if he decrypts the drives he will be in real trouble.  This person has never been charged with a crime – before or now – and the case is being appealed.

Who knows when this will be resolved – either by the courts or Congress.

Information for this post came from the L.A. Times.  The Philadelphia case can be found on Ars Technica.


Paris Police Report Shows No Evidence Of Use Of Encryption

Over the weekend the New York Times ran a piece on the report created by the French anti terrorism police on the Paris attacks.  The report indicates that there is no evidence of use of encrypted email, devices or messaging solutions.

In fact, they used phones that they activated just before the attack (burner phones) and phones taken from the victims.  Since the phones were only active for a few minutes, they didn’t care if someone was able to track them.

The Times decided that since there was no evidence of encrypted email, the attackers must have used encrypted email.  That logic escapes me.  The Times figures that encrypted emails must be invisible.

Now this does not mean that future attackers won’t use encryption, but if they do, at least the smart ones will not use software from countries that require back doors.

Perhaps we need to ban cell phones.  After all, the root of all these issues is people using cell phones.  If we get rid of cell phones, then the attackers will be forced to meet with each other – a much riskier proposition.

There is no simple answer to these problems even though politicians will attempt to create a simplistic solution.

What is likely is that if U.S. companies are forced to put back doors in their software, companies in other countries will avoid buying U.S. technology products, costing profits and jobs.

Information for this post came from Techdirt.


Bill Would Imprison Tech Execs For Not Unlocking Data

A bill being considered in the French Parliament would penalize tech executives that do not provide access to encrypted communications in terrorism related investigations.  5 years in jail and a 350,000 Euro fine.

The lower house of Parliament cleared the bill 474 to 32.

Parliament wants phone makers to unlock phones.  Period.

Of course, most legislators don’t understand tech, but that doesn’t stop them from creating laws regarding them.

Lawmakers said that it will be up to the manufacturer to use whatever technique is necessary to unlock the phone.

One technique is to write off France.  After all, in the grand scheme of things it is not a very large market.  Given Tim Cook’s attitude at the moment, I would not be completely surprised if he does just that if the bill passes.

The Senate still needs to approve it in the next few months.

There could be changes to the bill to make it compatible with the French penal code – so that it would not be challenged on constitutional grounds, but not to change the plan.

What the legislators don’t understand is that they cannot legislate math.  Math doesn’t care.

Riddle me this –

If Apple creates a back door to let French police into an iPhone but the data is encrypted by an app distributed by Daesh (the terrorist group also known as ISIS), will the police be able to figure out what is going on inside the phone?

The answer is no.  And I don’t think Daesh really cares that the French police will be upset.

What is unclear is whether Apple cares.  Stay tuned for that answer.

This genie cannot be put back in the bottle.  Even if legislators think it can.

Information for this article came from IAPP.


How The NSA Broke Trillions Of Encrypted Connections

Encryption can be very secure.  Or Not.  It depends on how it is implemented.  Apparently, at least according to some sources, most of the Internet has gotten it wrong.  That’s not very comforting.

The rules of who people are protecting themselves from have changed from just a few years ago.  Now we are talking about nation states and extremely well funded hackers.

Here is the flaw.  The most common form of encryption is what is behind HTTPS, VPNs and SSH.  Part of that protocol is exchanging keys between the sender and the recipient, a step called Diffie-Hellman or DH.  Those keys secure the communications used in eCommerce (such as Amazon) or your bank (such as Chase or Citi).

Apparently, most common DH implementations use one of two 1,024 bit prime numbers as part of the process.

Cracking one of these numbers would allow the NSA to decrypt two thirds of the VPN connections and one quarter of the SSH sessions around the world.

Cracking the second of these numbers would give the NSA access to 20% of the top 1 million web sites.

According to the article, it would likely have taken the NSA a year and a few hundred million dollars.  Given the payback, this is a no brainer.

Obviously, the NSA is not confirming this, but this is what researchers think.

The solution is either to increase the size of the numbers that the web site is using (from 1,024 bits to either 2,048 bits or 4,096 bits), which puts the computation required to crack the keys out of reach of the NSA, or at least to change the software to not use one of these standard primes.

Some web sites (I just checked Google and Facebook) have already upgraded to more secure solutions.  Hopefully, they are not using “standard” numbers, but that leaves tens of millions of web sites and VPNs still susceptible.  Hopefully, many of these are in the Mideast!

VPN and SSH administrators can control their key size, making the encryption much more difficult to crack – but they must do that;  the users usually cannot do that themselves.  For users of web sites, the web site has to make the change.  All the user can do is complain and hope they fix it.

Which is why security IMPLEMENTERs have to be so careful.
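As an added example (not from the original post or its sources), here is one way an administrator could audit the two problems described above: DH primes below 2,048 bits, and the same prime shared by many endpoints. It assumes the prime each endpoint offers has already been recorded as hex; the function names, the rating scheme and the hosts are hypothetical, and the sample values are constructed placeholders of the right size rather than real primes.

```python
from collections import defaultdict

MIN_BITS = 2048  # floor the post recommends (2,048 or 4,096 bits)

def audit_dh_primes(observations, min_bits=MIN_BITS):
    """Group (endpoint, prime_hex) observations by DH prime and rate each group.

    Returns one finding per distinct prime, smallest and most shared first.
    """
    by_prime = defaultdict(list)
    for endpoint, prime_hex in observations:
        # Accept openssl-style output: hex with colons and line breaks.
        digits = "".join(prime_hex.split()).replace(":", "")
        by_prime[int(digits, 16)].append(endpoint)

    findings = []
    for prime, endpoints in by_prime.items():
        bits = prime.bit_length()
        undersized = bits < min_bits
        shared = len(endpoints) > 1
        if undersized and shared:
            rating = "high"    # one precomputation exposes every endpoint listed
        elif undersized:
            rating = "medium"  # weak, but the attack cost is not amortised
        elif shared:
            rating = "info"    # common group of adequate size
        else:
            rating = "ok"
        findings.append({"bits": bits, "rating": rating,
                         "endpoints": sorted(endpoints)})
    findings.sort(key=lambda f: (f["bits"], -len(f["endpoints"])))
    return findings

def placeholder_prime(bits, tag):
    """Constructed stand-in of the given bit length; NOT a real prime."""
    return format((1 << (bits - 1)) | tag, "x")

# Constructed inventory (hypothetical hosts); three endpoints share one 1,024-bit value.
SAMPLE = [
    ("vpn1.example.test", placeholder_prime(1024, 0x11)),
    ("vpn2.example.test", placeholder_prime(1024, 0x11)),
    ("ssh1.example.test", placeholder_prime(1024, 0x11)),
    ("old.example.test", placeholder_prime(1024, 0x77)),
    ("www.example.test", placeholder_prime(2048, 0x23)),
    ("mail.example.test", placeholder_prime(4096, 0x35)),
]

if __name__ == "__main__":
    for f in audit_dh_primes(SAMPLE):
        print(f["bits"], f["rating"], f["endpoints"])
```

The "high" group is the case the post describes: the cost of attacking one 1,024-bit prime is paid once and then applies to every endpoint that uses it.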

Information for this post came from Reddit and The Hacker News.
