Apple Aftermath: Senate Entertains A New Encryption Bill

If you recall, there was a recent standoff between Apple and the U.S. Government over unlocking an iPhone. Senators Richard Burr and Dianne Feinstein have released a “discussion draft” of a bill that appears to require companies to comply with court-ordered decryption.

Here at Hackaday, we aren’t lawyers, so maybe we aren’t the best source of legislative commentary. However, on the face of it, this seems a bit overreaching. The first part of the proposed bill is simple enough: any “covered entity” that receives a court order for information must provide it in intelligible form or provide the technical assistance necessary to get the information in intelligible form. The problem, of course, is what if you can’t? A covered entity, by the way, is anyone from a manufacturer, to a software developer, a communications service, or a provider of remote computing or storage.

There are dozens of services (backup comes to mind) where only you hold the decryption keys and there is nothing reasonable the provider can do to recover your data if you lose them. That is actually a selling point for such a service. You might not be eager to back up your hard drive if you knew the vendor could browse your data whenever it wanted to.

The proposed bill has some other issues, too. One section states that nothing in the document is meant to require or prohibit a specific design or operating system. However, another clause requires that covered entities provide products and services that are capable of complying with the rule.

A broad reading of this is troubling. If this were law, entire systems that don’t allow the provider or vendor to decrypt your data could be illegal in the U.S. Whole classes of cybersecurity techniques could become illegal, too. For example, many cryptographic systems provide forward secrecy by generating session keys that are never recorded. Consider an SSH session: if someone learns your SSH key, they can listen in on or interfere with your future SSH sessions, but they can’t take recordings of your previous sessions and decode them. The mechanism is a little different between SSHv1 (which you shouldn’t be using) and SSHv2. If you are interested in the gory details for SSHv2, have a look at section 9.3.7 of RFC 4251.
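As an added illustration, not from the original post, of the forward-secrecy property just described: a toy Diffie-Hellman exchange in Python contrasting a server that reuses its long-term secret for key agreement with the SSHv2-style exchange that uses one-time exponents. The group size, the keyed hash standing in for the host-key signature, and every function name are assumptions made for this example.

```python
import hashlib
import secrets

# Toy DH group chosen so the example runs instantly: P = 2**127 - 1 is prime but far too
# small (and not a safe prime) for real use; SSHv2 uses the groups in RFC 4253 / RFC 3526.
P = 2**127 - 1
G = 3

def keypair():
    """Fresh random DH exponent and its public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def derive(shared: int) -> bytes:
    """Session key derived from a DH shared secret (shared < 2**128, so 16 bytes)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def static_session(server_secret: int):
    """No forward secrecy: the server's long-term DH secret is used directly, so the
    session key is g^(client * server) and depends only on recorded data plus that secret."""
    c_priv, c_pub = keypair()
    # The client would compute pow(g^server_secret, c_priv, P); same value as below.
    key = derive(pow(c_pub, server_secret, P))
    return {"client_pub": c_pub}, key

def ephemeral_session(server_secret: int):
    """Forward secrecy, SSHv2 style: both sides use one-time exponents; the long-term secret
    only authenticates the exchange (a keyed hash stands in for the host-key signature).
    c_priv and s_priv are locals that vanish on return; nothing ever records them."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    auth = hashlib.sha256(b"%d|%d|%d" % (server_secret, c_pub, s_pub)).hexdigest()
    key = derive(pow(s_pub, c_priv, P))
    assert key == derive(pow(c_pub, s_priv, P))  # both ends agree on the key
    return {"client_pub": c_pub, "server_pub": s_pub, "auth": auth}, key

def recover_from_recording(transcript: dict, stolen_server_secret: int) -> bytes:
    """What someone who recorded the transcript and later obtained the long-term secret can
    do: combine the recorded client value with the stolen secret. For static_session that
    is exactly the session key; for ephemeral_session it is an unrelated value, because the
    real key needs s_priv or c_priv, neither of which exists anywhere any more."""
    return derive(pow(transcript["client_pub"], stolen_server_secret, P))

def demo() -> tuple:
    """Returns (static key recovered?, ephemeral key recovered?), i.e. (True, False)."""
    srv = keypair()[0]
    t1, k1 = static_session(srv)
    t2, k2 = ephemeral_session(srv)
    return recover_from_recording(t1, srv) == k1, recover_from_recording(t2, srv) == k2
```

With the long-term secret an attacker can still authenticate as the server in new sessions (the active attack the post mentions), which is why the demo only models the passive, after-the-fact decryption case.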

In all fairness, this isn’t a bill yet. It is a draft, and given some of the definitions in section 4, perhaps they plan to expand it so that it makes more sense, or – at least – is more practical. If not, then it seems to be an indication that we need legislators who understand our increasingly technical world and have some grasp of how the new economy works. After all, we’ve seen this before, right? Many countries are all too happy to enact and enforce tight banking privacy laws to encourage deposits from people who want to hide their money. What makes you think that if the U.S. weakens the ability of domestic companies to keep data private, the business of concealing data won’t just move offshore, too?

If you were living under a rock and missed the whole Apple and FBI controversy, [Elliot] can catch you up. Or, you can see what [Brian] thought about Apple’s response to the FBI’s demand.

This is What A Real Bomb Looks Like

In 1980, Lake Tahoe, Nevada was a popular tourist spot. The area offered skiing, sailing, hiking in the mountains, and of course, gambling on the Nevada side of the lake. It was in this somewhat unlikely place where the authorities found the largest improvised bomb seen to that date in the USA.

Harvey’s casino was opened by former butcher Harvey Gross in 1944. In less than 20 years it grew to a 192 room, 11 story hotel casino. Thousands of people played Harvey’s slot machines and table games. Some were winners, but most were losers. John Birges was one of the latter. Formerly a successful landscaping company owner worth millions, he lost all of it to his gambling addiction.

Born in Hungary in 1922 as János Birges, John grew up in Budapest. When WWII hit, he flew an Me-109 for the Luftwaffe. He was arrested by the Gestapo for disobeying orders during the war, but was released. After the war, he again found himself in hot water – this time with the Russians. He was arrested in 1948 and charged with espionage. His sentence was 25 years of hard labor in the Gulag. The stories vary, but most agree that Birges was able to escape his work camp by detonating a bomb as a diversion.

In 1957 Birges and his wife Elizabeth immigrated to California. He changed his name from János to John to fit in. The couple had two sons, Johnny and Jimmy. John built up a successful landscaping business and bought a restaurant, working his way into the millionaires’ club. From the outside, they were the perfect example of the American dream.

Appearances can be deceiving. Behind closed doors, Birges was a right bastard to his family. He beat his wife and his children, even forcing them to kneel on gravel when they disobeyed him. Eventually, Johnny left home to escape his father’s fists. Elizabeth filed for divorce, and was later found dead under mysterious circumstances. Birges began gambling heavily, especially at Harvey’s Wagon Wheel casino in Lake Tahoe. He eventually burned through his personal savings, as well as the income from his businesses. The once millionaire was now penniless, but he had a plan. Just as a bomb had helped him escape the Gulag, he’d use a bomb to extort his money back from Harvey’s.


FBI tracking device found; disassembled

[ifixit] has apparently grown tired of tearing apart Apple’s latest gizmos, and their latest display of un-engineering has a decidedly more federal flair. You may have heard about Yasir Afifi’s discovery of an FBI-installed tracking device on his car back in October of last year. Apparently, the feds abandoned a similar device with activist Kathy Thomas. Wired magazine managed to get their hands on it and gave it to ifixit to take apart. They’ve even posted a video.

The hardware itself isn’t that remarkable; it’s essentially a GPS receiver designed before the turn of the century paired with a short-range wireless transceiver. The whole device is powered by a set of D-sized lithium-thionyl chloride batteries, which should be enough juice to run the whole setup for another few decades – long enough to outlast any reasonable expectation of privacy, with freedom and justice for all.

DoJ and FBI now issuing commands to botnet malware

Looks like the FBI is starting to get pretty serious about fighting malware. Traditionally they have gone after the servers that activate and control botnets made up of infected computers. This time they’re going much further by taking control of the botnet and issuing commands to it. In this instance it’s a nasty little bug called Coreflood, and a federal judge has given them permission to take this as-yet-unheard-of step.

An outside company, Internet Systems Consortium, has been tapped to do the actual work. It will contact the malware on infected computers and issue a command to shut it down. That falls short of fixing the problem, as Coreflood will try to phone home again upon reboot. This gets back to the underlying issue: we won’t ever be able to stop malware attacks as long as there are users who lack the know-how (or simply don’t care) to protect and disinfect their own computers.

How long do you think it will be before some black hat comes up with a countermeasure against this type of enforcement?

[via Gizmodo]

The phone phreaking files

[Jason Scott] curated a nice collection of links related to [Phil Lapsley]’s work on phone phreaking. [Lapsley]’s book, The History of Phone Phreaking, will be released in 2009. Meanwhile, phone phreak enthusiasts can peruse his site and bone up on some interesting material, including documents that revealed the inner workings of the telephone switchboard (PDF), and the Youth International Party Line (YIPL)/Technological American Party (TAP) FBI files (PDF), which are really intriguing for the various doodles and conversations that were documented. If you have some spare time, we definitely recommend sifting through it.

[via Waxy]

MySpace cofounder Tom Anderson, former hacker

MySpace users are very familiar with the visage of their first “friend” and MySpace cofounder [Tom Anderson], but did you ever wonder what he used to do before he became everyone’s friend? TechCrunch’s investigative reporting revealed that [Tom] was a hacker in the eighties who broke into the Chase Manhattan Bank computer system, which attracted the attention of the FBI. Under the handle “Lord Flathead”, he had become the leader of a black hat hacker group by the time he was fourteen. His activities (along with those of other hackers) led to one of the largest FBI raids in California history. Because he was a minor at the time, he was not arrested but put on probation in exchange for an agreement to stop committing computer crimes. This definitely makes having [Tom Anderson] on your friends list just a bit more interesting, doesn’t it?

[via Digg]

Possible entrapment scenario in hacking case

[Brian Salcedo] made headlines a few years ago as a hacker who attempted to break into Lowe’s corporate network. He is currently serving a nine-year prison sentence, one of the longest sentences ever handed down for a computer hacking offense. Recent events surrounding a different hacking case have revealed that the buyer he worked for, [Albert “Segvec” Gonzalez], was a Secret Service informant. [Salcedo] claims that were it not for [Gonzalez]’s threats, he would not have committed the offense. While the Secret Service may not even have been aware of [Gonzalez]’s activity with other hackers, [Salcedo] could make a case for entrapment by arguing that [Gonzalez], acting as a government agent, threatened him in order to make him plant the sniffer in Lowe’s network.