What WikiLeaks’ CIA data dump tells us: Encryption works

“If the tech industry is drawing one lesson from the latest WikiLeaks disclosures, it’s that data-scrambling encryption works, and the industry should use more of it,” Anick Jesdanun and Michael Liedtke report for The Associated Press.

“Documents purportedly outlining a massive CIA surveillance program suggest that CIA agents must go to great lengths to circumvent encryption they can’t break. In many cases, physical presence is required to carry off these targeted attacks,” Jesdanun and Liedtke report. “‘We are in a world where if the U.S. government wants to get your data, they can’t hope to break the encryption,’ said Nicholas Weaver, who teaches networking and security at the University of California, Berkeley. ‘They have to resort to targeted attacks, and that is costly, risky and the kind of thing you do only on targets you care about. Seeing the CIA have to do stuff like this should reassure civil libertarians that the situation is better now than it was four years ago.'”

“Encryption has grown so strong that even the FBI had to seek Apple’s help last year in cracking the locked iPhone used by one of the San Bernardino attackers. Apple resisted what it considered an intrusive request, and the FBI ultimately broke into the phone by turning to an unidentified party for a hacking tool — presumably one similar to those the CIA allegedly had at its disposal,” Jesdanun and Liedtke report. “Government officials have long wanted to force tech companies to build ‘back doors’ into encrypted devices, so that the companies can help law enforcement descramble messages with a warrant. But security experts warn that doing so would undermine security and privacy for everyone. As Apple CEO Tim Cook pointed out last year, a back door for good guys can also be a back door for bad guys. So far, efforts to pass such a mandate have stalled.”

Read more in the full article here.

MacDailyNews Take: Plus, WikiLeaks data dump has identified unknown vulnerabilities that Apple can now fix and push out to end-users (something Google has difficulty doing with Android) and that will make iOS and macOS users even more secure!

SEE ALSO:
Julian Assange says WikiLeaks will share CIA hacking tools with tech companies – March 9, 2017
Apple working to close remaining CIA exploits exposed by WikiLeaks, but difficulties remain – March 9, 2017
WikiLeaks raises prospect of teaming with tech giants, including Apple, to thwart CIA hacker-spies – March 8, 2017
FBI’s James Comey: ‘There is no such thing as absolute privacy in America’ – March 8, 2017
WikiLeaks reveals CIA’s global covert hacking program targeting Apple iPhone, Google Android, Microsoft Windows and even Samsung TVs – March 7, 2017
Bad news for Fragmandroid: FCC and FTC launch inquiry over mobile security updates – May 10, 2016
Google’s flawed Android is essentially unfixable – May 2, 2016
Apple’s deep commitment to security – April 18, 2016
Apple: We have the ‘most effective security organization in the world’ – April 16, 2016
85% of mobile device failures occur on Android, with Samsung leading the way – February 23, 2016
More than 90% of Android devices are running out-dated, insecure operating system versions – January 27, 2016
Dangerous new zero-day flaw affects more than two-thirds of all Android devices – January 20, 2016
Android malware steals one-time passcodes, a crucial defense for online banking – January 14, 2016
New Android malware is so bad, you’d better off buying a new phone – November 6, 2015
Apple issues iPhone manifesto; blasts Android’s lack of updates, lack of privacy, rampant malware – August 10, 2015
New Android malware strains to top 2 million by end of 2015 – July 1, 2015
Symantec: 1 in 5 Android apps is malware – April 25, 2015
Kaspersky Lab Director: Over 98% of mobile malware targets Android because it’s much, much easier to exploit than iOS – January 15, 2015
Security experts: Malware spreading to millions on Android phones – November 21, 2014
There’s practically no iOS malware, thanks to Apple’s smart control over app distribution – June 13, 2014
F-Secure: Android accounted for 99% of new mobile malware in Q1 2014 – April 30, 2014
Google’s Sundar Pichai: Android not designed to be safe; if I wrote malware, I’d target Android, too – February 27, 2014
Cisco: Android the target of 99 percent of world’s mobile malware – January 17, 2014
U.S. DHS, FBI warn of malware threats to Android mobile devices – August 27, 2013

26 Comments

  1. What WikiLeaks’ CIA data dump tells us: Encryption works

    This does not help anyway if raw data is accessed before it is encrypted or after is decrypted (NSA’s PRISM program).

    I wish Internet services companies, including Apple, would offer option where they do not store keys for data. This would make your data unrecoverable if you would forget your password, but would guarantee that Big Brother apparatus will have to spend thousands of years trying to decrypt it.

    1. Encryption works, but you can be forced by agencies with unlimited budgets to spend every dime you have defending your “rights.”

      Personal secrecy of the location of your hard drives/tapes outside of your home & business is the ONLY way to have half a chance if you engage in activities the government might want to examine.

      Any online source might be compromised by any number of faults on your part or man-in-the-middle or keyboard video shots in Starbucks of your access, etc.

      I’ld hate to live like that, but if you are in a job with secret data the government might want, you have no choice.

    2. I’m glad you made this point. I used to teach graduate courses in database management, data communications, and networking. I taught data encryption in the context of these courses. My students were frequently surprised to learn that one way encryption eliminated the need to store unsecured passwords.

      1. I should clarify my comment. When a user sets up a password, the password is encrypted and stored in cyphertext. When they access their account they enter their password to be encrypted before comparison. If they enter the correct password, the two encrypted versions match. If someone enters the encrypted version, it is reencrypted and thus doesn’t match. Stealing the encrypted versions of passwords gets you nothing.

        1. I found that concept very useful in my programming career. The only problem I encountered with it was when I had to also add a system to reset a forgotten password. The weak point becomes the authentication of the user in order to create that new password. If the ‘intruder’ is able to provide the relevant information required of authentication, the original user unfortunately will ‘lose’ access to his/her account.

    3. 1. Apple is NOT an internet serivice provider. Time warner is, and even the carriers count as data providers.
      2. Apple does not store any passcode key or the likes. Apple can only access your iCloud data if that is requested by a judge. But no texts or calls live there.

      1. 1. I wrote Apple as Internet service company, not internet access company. iCloud is an Internet service.

        2. Apple stores the key to your data and this is how they can provide you with “restore/reset your password” feature of their service in case if you forgot your password. I am talking about an option where they would not have key for data and the only way to decrypt it would be you knowing password. This would make password recovery/reset feature impossible, though.

    1. I’m sure that if we shut down all our intelligence and counterintelligence agencies, botvinnik’s comrades in Moscow and Beijing will do the same. He apparently believes that if we take the guns away from the good guys, all the bad hombres will immediately turn in theirs.

      Besides, it is so much more fun to react to a surprise attack than to find out about it in advance so it can be stopped. Not that there would be a surprise attack. Putin loves us, this we know, because his stooges tell us so.

      1. All intelligence services should be military and never civilian. The military is bound by courts-martial and a chain of command whose commander is the president.

        Harry Truman reminisced that the creation of the CIA was the greatest mistake of his political career…he was right.

        …and you are wrong.

        1. “The military is bound by courts-martial and a chain of command whose commander is the president.”

          And when you have an insane president with no intent to maintain freedoms or rights…?

            1. No, the insanity continues every time you open your pie hole. Go blog at Breibart you annoying political twit. This used to be a forum about Macs.

        2. The problem – the CIA, or a subset of the CIA, and perhaps elements of the MI folks (military intel) became aligned with the criminal international corporate and banking elements – recall United Fruit and the wonderful help they had from the CIA back in the 1950s to assure big ROI to the corporate bottom line.

          Don’t forget the drug running that would help fuel yet MORE uncontested, unaccounted for and extra-constitutional activities, done nominally under the aegis of the U.S.A., and completely out of control/knowledge of elected U.S. officials/executive, and the American citizen taxpayers – a self-licking ice-cream cone, if there ever was one.

          Yep – THAT MUST HAVE intelligence capability . . .

          Niffy

      2. The United States has a very long history of civilian control over the military. That’s why we went 60 years between having recently-retired generals acting as Defense Secretary. The Joint Chiefs of Staff have no command authority; they are essentially just advisers to the President and DefSec. The unified combat commands report to the President through civilians in the Defense Department, not through the service chiefs.

        To a man with a hammer, every problem looks like a nail. To the military, every problem is a military problem with a military solution. If all our foreign intelligence data were filtered through the military, you can bet that cultural, political, and economic issues would get short shrift.

        To top that off, there is the issue that considerable intelligence data (and even more counterintelligence) needs to be gathered within the U.S. There is not only a tradition forbidding the military from taking a role in domestic peacekeeping; there is a law, the Posse Comitatus Act.

  2. Some related points:

    • The CIA only conducts its surveillance on overseas communication and non-USA citizens. The NSA is the equivalent group that conducts the same within the USA of USA citizens. There is crossover when USA citizens intentionally or unintentionally communicate overseas. This includes when an Internet data path jumps the ocean to an overseas server and back again.

    • Not all encryption systems are alike. Nor are encryption services and encryption apps. If you’re serious about privacy, you MUST explore the encryption system being used and verify that it is safe.

    Here’s this week’s example of a crap encryption app: Confide.

    Dear Confide: “We would never” isn’t the same as “we can’t”
    Confidential messenger service provides no authentication or integrity assurances.

    A pair of damning advisories independently published Wednesday raise serious questions about the security assurances of Confide, a messaging app that’s billed as providing “battle tested, military grade” end-to-end encryption and is reportedly being used by individuals inside the US government. . . .

    Quarkslab researcher Jean-Baptiste Bédrune tested Confide and found that the main encryption layer protecting messages in transit is transport layer security (TLS), a protocol that’s trivial for authorized people inside Confide to turn off. . . .

    “The end-to-end encryption used in Confide is far from reaching the state of the art. Building a secure instant messaging is not easy, but when claiming it, some strong mechanisms should really be enforced since the beginning.
    The confidentiality of the exchanged messages depends on the robustness of TLS. Confide can technically read all the messages that pass through its servers. End-to-end encryption, as it is implemented, solely relies on the server through which the messages pass.”

        1. I’ve been waiting all day for somebody to point out that Colby’s testimony before the Church Committee was almost 42 years ago (so I wouldn’t have to). While a lot of really horrible things about CIA ops were revealed, most of the invasions of privacy directed at U.S. citizens were conducted by Hoover’s FBI, not the foreign intelligence services.

          Things have changed substantially since then. As a result of the Church Committee hearings, both the House and Senate set up Select Committees on Intelligence to provide the Congressional oversight that had long been lacking. Also as a result of the hearings, the Foreign Intelligence Surveillance Act sharply limited the ability of the government to conduct surveillance on U.S. citizens without a judicial warrant. I would guess that at least half the current employees at the CIA weren’t even born before the hearings were held.

          One of the purposes of the division of responsibilities between the CIA and FBI (like the division between MI-5 and MI-6) is for the domestic service to keep the foreign service honest. If the CIA tried to conduct an operation inside the U.S. it would have to keep it secret not only from its target, but also from the FBI, which would love to slap the spooks down.

          Richard Nixon was a conspiracy theorist who maintained an enemies list and did not feel constrained by either Constitution or statutes in paying them back. Surely we don’t have that situation now, do we, botvinnik?

    1. Derek, you make it sound like the NSA is a domestic version of the CIA. But both are concerned with foreign intelligence. The NSA was formed to conduct signals intelligence, the CIA human intelligence. There is a big difference between code-breaking and qubits, and boots on the ground. The NSA charter has recently expanded to include cyberwarfare, but they still stay put in Fort Meade while CIA agents are running around training guerillas and infiltrating the governments of our allies.

  3. That said, our government is working hard to develop tech to break strong encryption. It could take years, it could take decades, but at some point effective encryption breaking tech will exist and be used by our government. Relying on strong encryption is the best we can do for the moment, but what we really need legal and cultural advancement regarding privacy rights to protect them in long run.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.