<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font size="-1">
<div class="entry-date">
Weekend Edition Oct 31-Nov 02, 2014<br>
<a class="moz-txt-link-freetext" href="http://www.counterpunch.org/2014/10/31/the-fbi-can-bypass-encryption/">http://www.counterpunch.org/2014/10/31/the-fbi-can-bypass-encryption/</a><br>
<b><big><big><br>
</big></big></b>
<div style="float:right;"><b><big><big><br>
</big></big></b>
<div id="_atssh" style="visibility: hidden; height: 1px;
width: 1px; position: absolute; z-index: 100000;"><b><big><big><iframe
src="http://ct1.addthis.com/static/r07/sh177.html#"
style="height: 1px; width: 1px; position: absolute;
z-index: 100000; border: 0px none; left: 0px; top:
0px;" title="AddThis utility frame" id="_atssh704"></iframe></big></big></b></div>
<b><big><big>
</big></big></b></div>
</div>
<b><big><big> </big></big></b>
<div class="subheadlinestyle"><b><big><big>Why Cyber Security is a
Magic Act</big></big></b></div>
<h1 class="article-title">The FBI Can Bypass Encryption</h1>
<div class="mainauthorstyle">by BILL BLUNDEN </div>
<div class="main-text">
<p>Encryption has gained the attention of actors on both sides
of the mass surveillance debate. For example in a speech at
the Brookings Institution FBI Director James Comey complained
that strong encryption was causing U.S. security services to
“go dark.” Comey described encrypted data as follows:</p>
<blockquote>
<p>“It’s the equivalent of a closet that can’t be opened, a
safe deposit box that can’t be opened, a safe that can’t
ever be cracked.”</p>
</blockquote>
<p>Got that? Comey essentially says that encryption is a sure
bet. Likewise during an interview with James Bamford
whistleblower Ed Snowden confidently announced that:</p>
<blockquote>
<p>“We have the means and we have the technology to end mass
surveillance without any legislative action at all, without
any policy changes… By basically adopting changes like
making encryption a universal standard—where all
communications are encrypted by default—we can end mass
surveillance not just in the United States but around the
world.”</p>
</blockquote>
<p>If you glanced over the above excerpts and took them at face
value you’d probably come away thinking that all you needed to
protect your civil liberties is the latest encryption widget.
Right? Wow, let me get my check book out! Paging Mr. Omidyar…</p>
<p>Not so fast bucko. There’s an important caveat, some fine
print that Ed himself spelled out when he initially contacted
film director Laura Poitras. In particular Snowden qualified
that:</p>
<blockquote>
<p>“If the device you store the private key and enter your
passphrase on has been hacked, it is trivial to decrypt our
communications.”</p>
</blockquote>
<p>This corollary underscores the reality that, despite the high
profile sales pitch that’s being repeated endlessly, strong
encryption alone isn’t enough. Hi-tech subversion is a trump
card as the Heartbleed bug graphically illustrated. In light
of the NSA’s mass subversion programs it would be naïve to
think that there aren’t other critical bugs like Heartbleed,
subtle intentional flaws, out in the wild being leveraged by
spies.</p>
<p><strong>The FBI’s Tell</strong></p>
<p>James Comey’s performance at Brookings was an impressive
public relations stunt. Yet recent history is chock full of
instances where the FBI employed malware like Magic Lantern
and CIPAV to foil encryption and identify people using
encryption-based anonymity software like Tor. If it’s
expedient the FBI will go so far as to impersonate a media
outlet to fool suspects into infecting their own machines. It
would seem that crooks aren’t the only attackers who wield
social engineering techniques.</p>
<p>In fact the FBI has gotten so adept at hacking computers,
utilizing what are referred to internally as Network
Investigative Techniques, that the FBI wants to change the law
to reflect this. <em>The Guardian</em> reports on how the FBI
is asking the U.S. Advisory Committee on Rules and Criminal
Procedure to move the legal goal posts, so to speak:</p>
<blockquote>
<p>“The amendment [proposed by the FBI] inserts a clause that
would allow a judge to issue warrants to gain ‘remote
access’ to computers ‘located within or outside that
district’ (emphasis added) in cases in which the ‘district
where the media or information is located has been concealed
through technological means’. The expanded powers to stray
across district boundaries would apply to any criminal
investigation, not just to terrorist cases as at present.”</p>
</blockquote>
<p>In other words the FBI wants to be able to hack into a
computer when its exact location is shrouded by anonymity
software. Once they compromise the targeted machine it’s
pretty straightforward to install a software implant (i.e.
malware) and exfiltrate whatever user data they want,
including encryption passwords.</p>
<p>If encryption is really the impediment that director Comey
makes it out to be then why is the FBI so keen to amend the
rules in a manner which implies that they can sidestep it? In
the parlance of poker this is a “tell.”</p>
<p><strong>Denouement</strong></p>
<p>As a developer who has built malicious software designed to
undermine security tools I can attest that there is a whole
burgeoning industry which prays on naïve illusions of
security. Companies like Hacking Team have found a lucrative
niche offering products to the highest bidder that compromise
security and… a drumroll please… defeat encryption.</p>
<p>There’s a moral to this story. Cryptome’s John Young
prudently observes:</p>
<blockquote>
<p>“Protections of promises of encryption, proxy use, Tor-like
anonymity and ‘military-grade’ comsec technology are magic
acts — ELINT, SIGINT and COMINT always prevail over comsec.
The most widely trusted and promoted systems are the most
likely to be penetrated, exploited, spied upon, successfully
attacked, covertly compromised with faults hidden by
promoters, operators, competitors, compromisers and
attackers all of whom warn against the others while mutually
benefiting from continuous alarms about security and
privacy.”</p>
</blockquote>
<p>When someone promises you turnkey anonymity and failsafe
protection from spies, make like that guy on The Walking Dead
and reach for your crossbow. Mass surveillance is a vivid
expression of raw power and control. Hence what ails society
is fundamentally a political problem, with economic and
technical facets, such that safeguarding civil liberties on
the Internet will take a lot more than just the right app.</p>
<p><b><em>Bill Blunden</em><em> </em></b><em>is an independent
investigator whose current areas of inquiry include
information security, anti-forensics, and institutional
analysis. He is the author of several books, including </em><em><a
href="http://www.amazon.com/exec/obidos/ASIN/144962636X/counterpunchmaga"
onclick="javascript:_gaq.push(['_trackEvent','outbound-article','http://www.amazon.com']);">The
Rootkit Arsenal</a> , and <a
href="http://www.amazon.com/exec/obidos/ASIN/1937584801/counterpunchmaga"
onclick="javascript:_gaq.push(['_trackEvent','outbound-article','http://www.amazon.com']);">Behold
a Pale Farce: Cyberwar, Threat Inflation, and the
Malware-Industrial Complex</a>. Bill is the lead
investigator at Below Gotham Labs.</em></p>
</div>
</font>
<div class="moz-signature">-- <br>
Freedom Archives
522 Valencia Street
San Francisco, CA 94110
415 863.9977
<a class="moz-txt-link-abbreviated" href="http://www.freedomarchives.org">www.freedomarchives.org</a>
</div>
</body>
</html>