Why you should side with Apple, not the FBI, in the San Bernardino iPhone case - The Washington Post

Source:  Why you should side with Apple, not the FBI, in the San Bernardino iPhone case - The Washington Post

Either everyone gets security, or no one does.

Earlier this week, a federal magistrate ordered Apple to assist the FBI in hacking into the iPhone used by one of the San Bernardino shooters. Applewill fight this order in court.

The policy implications are complicated. The FBI wants to set a precedent that tech companies will assist law enforcement in breaking their users’ security, and the technology community is afraid that the precedent will limit what sorts of security features it can offer customers. The FBI sees this as a privacy vs. security debate, while the tech community sees it as a security vs. surveillance debate.

The technology considerations are more straightforward, and shine a light on the policy questions.

Apple iOS Security - iOS 9.0 or later - September 2015

Source: iOS_Security_Guide.pdf



Apple iOS Security - iOS 9.0 or later - September 2015 



Apple designed the iOS platform with security at its core. When we set out to create
the best possible mobile platform, we drew from decades of experience to build an
entirely new architecture. We thought about the security hazards of the desktop
environment, and established a new approach to security in the design of iOS. We
developed and incorporated innovative features that tighten mobile security and
protect the entire system by default. As a result, iOS is a major leap forward in security
for mobile devices. 



Every iOS device combines software, hardware, and services designed to work
together for maximum security and a transparent user experience. iOS protects not
only the device and its data at rest, but the entire ecosystem, including everything
users do locally, on networks, and with key Internet services. 



iOS and iOS devices provide advanced security features, and yet they’re also easy
to use. Many of these features are enabled by default, so IT departments don’t need
to perform extensive configurations. And key security features like device encryption
are not configurable, so users can’t disable them by mistake. Other features, such as
Touch ID, enhance the user experience by making it simpler and more intuitive to
secure the device. 



This document provides details about how security technology and features are
implemented within the iOS platform. It will also help organizations combine iOS
platform security technology and features with their own policies and procedures
to meet their specific security needs. 



This document is organized into the following topic areas:

•  System security: The integrated and secure software and hardware that are the platform
  for iPhone, iPad, and iPod touch. 
• Encryption and data protection: The architecture and design that protects user data if
  the device is lost or stolen, or if an unauthorized person attempts to use or modify it. 
• App security: The systems that enable apps to run securely and without compromising
  platform integrity. 
• Network security: Industry-standard networking protocols that provide secure
  authentication and encryption of data in transmission. 
• Apple Pay: Apple’s implementation of secure payments. 
• Internet services: Apple’s network-based infrastructure for messaging, syncing,
  and backup. 
• Device controls: Methods that prevent unauthorized use of the device and enable
  it to be remotely wiped if lost or stolen. 
• Privacy controls: Capabilities of iOS that can be used to control access to Location
  Services and user data.

FBI — FBI Director Comments on San Bernardino Matter

Source: FBI — FBI Director Comments on San Bernardino Matter

Customer Letter - Apple

Source:  Customer Letter - Apple



Apple's letter to customers regarding privacy & security issues if they unlock iPhone 5c


February 16, 2016

A Message to Our Customers

The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.

This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.

Answers to your questions about privacy and security

The Need for Encryption

Smartphones, led by iPhone, have become an essential part of our lives. People use them to store an incredible amount of personal information, from our private conversations to our photos, our music, our notes, our calendars and contacts, our financial information and health data, even where we have been and where we are going.

All that information needs to be protected from hackers and criminals who want to access it, steal it, and use it without our knowledge or permission. Customers expect Apple and other technology companies to do everything in our power to protect their personal information, and at Apple we are deeply committed to safeguarding their data.

Compromising the security of our personal information can ultimately put our personal safety at risk. That is why encryption has become so important to all of us.

For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe. We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business.

The San Bernardino Case

We were shocked and outraged by the deadly act of terrorism in San Bernardino last December. We mourn the loss of life and want justice for all those whose lives were affected. The FBI asked us for help in the days following the attack, and we have worked hard to support the government’s efforts to solve this horrible crime. We have no sympathy for terrorists.

When the FBI has requested data that’s in our possession, we have provided it. Apple complies with valid subpoenas and search warrants, as we have in the San Bernardino case. We have also made Apple engineers available to advise the FBI, and we’ve offered our best ideas on a number of investigative options at their disposal.

We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.

The Threat to Data Security

Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution. But it ignores both the basics of digital security and the significance of what the government is demanding in this case.

In today’s digital world, the “key” to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.

The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.

The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.

We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.

A Dangerous Precedent

Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority.

The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.

The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.

Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.

We are challenging the FBI’s demands with the deepest respect for American democracy and a love of our country. We believe it would be in the best interest of everyone to step back and consider the implications.

While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.


Tim Cook

The Seeds Of Apple's Standoff With DOJ May Have Been Sown In Brooklyn : NPR

Source:  The Seeds Of Apple's Standoff With DOJ May Have Been Sown In Brooklyn : NPR

Source - IRS: 390K More Victims of IRS.Gov Weakness — Krebs on Security

IRS: 390K More Victims of IRS.Gov Weakness — Krebs on Security



The U.S. Internal Revenue Service (IRS) today sharply revised previous estimates on the number of citizens that were hit by tax refund fraud since 2014 thanks to a security weakness in the IRS’s own Web site. According to the IRS, at least 724,000 citizens were victims of refund fraud after crooks figured out how to abuse a (now defunct) IRS Web site feature called “Get Transcript” to steal victim’s prior tax data.

Source: Asus settles charges over insecure routers and cloud services | Computerworld

Asus settles charges over insecure routers and cloud services | Computerworld

Source: Jersey man gets 30 months for sabotaging former employer's servers - SC Magazine

Jersey man gets 30 months for sabotaging former employer's servers - SC Magazine

Source: Google Wants to Save News Sites From Cyberattacks—For Free | WIRED

Google Wants to Save News Sites From Cyberattacks—For Free | WIRED

Source: Nissan’s connected car app offline after shocking vulnerability revealed | Ars Technica

Nissan’s connected car app offline after shocking vulnerability revealed | Ars Technica

Source: Cybersecurity: Boards still happy to pass the buck to the IT department | ZDNet

Cybersecurity: Boards still happy to pass the buck to the IT department | ZDNet

Source: German police can now use spyware to monitor suspects | Ars Technica

German police can now use spyware to monitor suspects | Ars Technica

Source: Judge confirms what many suspected: Feds hired CMU to break Tor | Ars Technica

Judge confirms what many suspected: Feds hired CMU to break Tor | Ars Technica

Source: Got an ASUS router at home? Read this. | OnGuard Online

Got an ASUS router at home? Read this. | OnGuard Online

February 23, 2016

by 

Aditi Jhaveri

Consumer Education Specialist, FTC

Many of us don’t think twice about our home wireless router after setting it up. And it might be tempting to rush through the set-up process. Here’s why you should pay close attention while setting up your router, and afterwards.

Heard of ASUSTeK? Among other things, they sell ASUS-branded wireless routers for home use. Some of their routers come with features — called AiCloud and AiDisk — that allow people to attach a hard drive to their routers and create their own “cloud” storage. According to the FTC’s complaint, ASUS routers had major security flaws that allowed hackers to harm consumers in several ways,  including getting access to sensitive personal information — like tax documents — that people stored through these “cloud” services.

If you have an ASUS router at home, take these steps right away:

• Download the latest security updates for your router. According to the FTC, the ASUS router update tool often indicated that software was current when it wasn’t, putting people’s home networks at risk. Moving forward, ASUS is required to provide accurate information about software updates. So check the router’s software update tool and the ASUS support site again for the newest security updates.
• Check if access to your network storage is limited. Make sure access to AiCloud and AiDisk is limited to what you want. The FTC took issue with the default option during AiDisk’s set-up, which gave anyone on the Internet access to your storage. For more privacy, choose “limited” or “admin rights” access instead of “limitless.”
• Change pre-set passwords. According to the FTC, ASUS pre-set weak default passwords on every router. So create new passwords that are strong and unique for both your router and any “cloud” services — something only you know. This can help prevent hackers from getting easy access to your network. 

And for anyone with a router at home — or getting ready to set one up — here’s how you can take charge of your router’s security:

• Be cautious when setting up “cloud” features. Before enabling any sharing or storage features, research what those features mean and who will have access. Make sure access is limited to what you’re comfortable with.
• Don’t just click “next” during the set-up process. Review the default settings carefully before making a selection.
• Check out more tips on securing your wireless network, including how to create a strong password and username for your router, and how to check for security updates.

Tagged with: network, router, security software, wireless

Blog Topic: Be Smart Online, Secure Your Computer

Source: A Worldwide Survey of Encryption Products

worldwide-survey-of-encryption-products.pdf



A Worldwide Survey of Encryption Products



Bruce Schneier Berkman Center for Internet & Society Harvard University

schneier@schneier.com



Kathleen Seidel Independent Researcher

kathleenseidel55@gmail.com



Saranya Vijayakumar Harvard College

svijayakumar@college.harvard.edu



Data security is a worldwide problem, and there is a wide world of encryption solutions available to help solve this problem. Most
of these products are developed and sold by for-profit entities, although some are created as free open-source projects. They are
available, either for sale or free download, all over the world. 



In 1999, a group of researchers from George Washington University attempted to survey the worldwide market for encryption
products [HB+99]. The impetus for their survey was the ongoing debate about US encryption export controls. By collecting
information about 805 hardware and software encryption products from 35 countries outside the US, the researchers showed
that restricting the export of encryption products did nothing to reduce their availability around the world, while at the same time
putting US companies at a competitive disadvantage in the information security market. 



Seventeen years later, we have tried to replicate this survey. 

Source: CRAY | Barchart Opinion for Cray Inc

CRAY | Barchart Opinion for Cray Inc

Source: Mr. Breakout's Market Call.

Mr. Breakout's Market Call. 


Updated after the close on Fri 02/05/16: Market In Correction - Current Call since the close on 02/03/16.