BakingPixel

Baked Fresh. Served In Pixels.

Tim Cook’s speech on encryption and privacy

July 4, 2015 by Jenxi

Matthew Panzarino wrote on TechCrunch about [Tim Cook’s blistering speech on encryption and privacy](http://techcrunch.com/2015/06/02/apples-tim-cook-delivers-blistering-speech-on-encryption-privacy/) at EPIC’s Champions of Freedom event.

Cook lost no time in directing comments at companies (obviously, though not explicitly) like Facebook and Google, which rely on advertising to users based on the data they collect from them for a portion, if not a majority, of their income.

“I’m speaking to you from Silicon Valley, where some of the most prominent and successful companies have built their businesses by lulling their customers into complacency about their personal information,” said Cook. “They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong. And it’s not the kind of company that Apple wants to be.” […]

“We shouldn’t ask our customers to make a tradeoff between privacy and security. We need to offer them the best of both,” Cook wrapped up. “Ultimately, protecting someone else’s data protects all of us.”

Filed Under: News Tagged With: apple, encryption, privacy, tim cook

Google backtracks from Android Lollipop encryption

March 4, 2015 by Jenxi

Ars Technica reported on Google backtracking from compulsory encryption for Android Lollipop devices.

Last year, Google made headlines when it revealed that its next version of Android would require full-disk encryption on all new phones. Older versions of Android had supported optional disk encryption, but Android 5.0 Lollipop would make it a standard feature.

But we’re starting to see new Lollipop phones from Google’s partners, and they aren’t encrypted by default, contradicting Google’s previous statements. At some point between the original announcement in September of 2014 and the publication of the Android 5.0 hardware requirements in January of 2015, Google apparently decided to relax the requirement, pushing it off to some future version of Android. Here’s the timeline of events.

So why the change of heart after the fanfare in announcing the feature?

Here’s what we think is most likely. Lollipop’s encryption requirement made headlines again in November, this time because it had a huge impact on the new Nexus 6’s performance. Our review of the Nexus 6 showed that the new phone could be slower than the old Nexus 5 in certain tasks, and AnandTech supplied additional numbers that showed just how severe the performance impact was.

Meanwhile, iOS users continue to enjoy encryption with no impact on their phone performance.

Filed Under: News Tagged With: android, android lollipop, encryption, google

FBI is wrong about Apple’s encryption

October 22, 2014 by Jenxi

Ken Gude wrote on WIRED about Apple’s encryption of data on iOS 8.

Apple’s new operating system, iOS 8, makes two changes to the encryption of data on the device that dramatically increases the security of those data. First, it now encrypts and passcode protects virtually all data on the device—such as text messages, photos, contacts, and notes—unlike previous versions of iOS. Secondly, and most importantly, it virtually eliminates the possibility that the encrypted data can be unlocked without the passcode. Earlier operating systems allowed Apple to unlock any device with a key that it controlled. But in iOS 8, Apple has essentially thrown away the key so it can’t access the data anymore. Hackers, cyber criminals, and thieves can’t access it. And governments, foreign and domestic, can’t access it either.

The only key you can’t steal is one that doesn’t exist. Having a golden key that certain authorised parties can use means that the key can be stolen.

The elimination of the key is the crucial element of Apple’s improved security systems and the crux of Comey’s criticism. The existence of the key allowed Apple to unlock individual devices and gain full access to the data on the device, sometimes in response to a request from the government, but far more often from device owners who had either lost it or had it stolen. Since it is impossible to create a back door into an operating system that eliminates the possibility that other unauthorized access will occur, the key also created a vulnerability that could be exploited by hackers, cyber criminals, or foreign intelligence services. This vulnerability could have opened the door to a much larger data breach than those at Target or JP Morgan, affecting tens of millions of Americans and hundreds of millions more worldwide.

Comey wants us to believe that the elimination of the key could allow violent criminals to “go dark”—thus evading detection and arrest. It is possible to construct a hypothetical scenario in which the only evidence of criminal activity is stored on a suspect’s personal device, consists only of data not backed up in cloud storage, and is not in the possession of third parties like telecommunications carriers or app developers. But none of the criminal cases cited by Comey meet that hypothetical because in real life those instances would be extremely rare and far outweighed by the clear public benefit of preventing the very real threat of a large-scale data breach that could affect millions of Americans.

This sums up the situation pretty well. Are we going to make millions of phones vulnerable based on the hypothesis of being able to catch a few criminals?

Filed Under: News Tagged With: apple, encryption, security

US law enforcement seeks to halt Apple-Google encryption of mobile data

October 5, 2014 by Jenxi

Bloomberg reported on US law enforcement officials seeking to halt smartphone encryption.

“This is a very bad idea,” said Cathy Lanier, chief of the Washington Metropolitan Police Department, in an interview. Smartphone communication is “going to be the preferred method of the pedophile and the criminal. We are going to lose a lot of investigative opportunities.”

There are many other forms of data available for the police even if they are locked out of accessing your mobile phones. And if they really want to, they could brute force the passcodes. Before making such a fuss about encryption, they should do something about NSA surveillance, something they seem to be dragging their feet to deal with.

Filed Under: News Tagged With: encryption, privacy

Compromise needed on smartphone encryption?

October 5, 2014 by Jenxi 2 Comments

Washington Post wrote about the need for a compromise on smartphone encryption.

How to resolve this? A police “back door” for all smartphones is undesirable — a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant. Ultimately, Congress could act and force the issue, but we’d rather see it resolved in law enforcement collaboration with the manufacturers and in a way that protects all three of the forces at work: technology, privacy and rule of law.

Whoever wrote this piece probably doesn’t grasp cryptography, and believes that chaos will reign if smartphones are encrypted.

The assumption that smartphone makers should provide a back door is flawed. If the police have a warrant to search the house, who should be responsible for unlocking the house: the house owner or the company that built the house? Should builders leave a secret door, opened only with a golden key, in every house they construct? Or should the owner be the one who locks the house and chooses whether to open it to the police?

Filed Under: News Tagged With: encryption, privacy

FBI says iPhone encryption will help kidnappers

October 3, 2014 by Jenxi 1 Comment

Trevor Timm wrote for The Guardian about the misleading information the FBI is disseminating regarding phone encryption.

FBI director James Comey:

I am a huge believer in the rule of law, but I also believe that no one in this country is beyond the law. … What concerns me about this is companies marketing something expressly to allow people to place themselves beyond the law.

Encrypting your files doesn’t put you beyond the law. Are you beyond the law if you lock your house to keep out intruders and police?

Comey:

I get that the post-Snowden world has started an understandable pendulum swing. … What I’m worried about is, this is an indication to us as a country and as a people that, boy, maybe that pendulum swung too far.

Timm makes a very good point:

This might be a good time to point out that Congress has not changed surveillance law at all in the nearly 16 months since Edward Snowden’s disclosures began, mostly because of the vociferous opposition from intelligence agencies and cops. The pendulum is still permanently lodged squarely on law enforcement’s side.

Filed Under: News Tagged With: encryption, iphone, privacy

Android L will have built-in encryption, just like iOS

September 21, 2014 by Jenxi 1 Comment

Digital Trends reported on built-in encryption for Android L.

The next major version of Android is going to come with one feature that will please the security-conscious: built-in encryption. It means anyone who grabs hold of your mobile device—from petty thief to law enforcement officer—will find it much more difficult to extract data from it. The same level of advanced encryption is also available in iOS 8.

Android users have had the option to encrypt their phones and tablets since 2011, but the setup process for Android L will switch it on by default. iOS has always encrypted data on devices automatically — there’s no option to enable it as there is on current versions of Android — but the protection has been reworked and improved in iOS 8.

Let’s not talk about why it’s always on for iOS while Android makes it turned off by default. Given how Android updates are rolled out, it will be years before this is widely adopted.

Filed Under: News Tagged With: android, android lollipop, apple, encryption, ios, security

Did the RSA collaborate with the NSA for just $10 million?

December 22, 2013 by Matt

There are always two sides to a coin, but at this point, the RSA’s image is definitely going to take a beating. Whether it entered into such an agreement willingly or not doesn’t take away the fact that there are vulnerabilities in some of the current encryption standards.

This is very disturbing indeed.

Exclusive: Secret contract tied NSA and security industry pioneer

Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a “back door” in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

Filed Under: News Tagged With: encryption, leak, nsa, rsa, security, snowden

CyanogenMod defaults to encrypted text messaging

December 10, 2013 by Matt

Thanks to Edward Snowden, encrypted messaging has been increasingly in demand. While there are already solutions out there like iMessage, the effectiveness of it is still debatable. There are also other independent solutions being developed, such as Hemlis.

Now CyanogenMod is going to give users a hand too. It has teamed up with Open Whisper Systems to integrate encryption directly into the firmware. What this means is that text messages between CyanogenMod users will be automatically encrypted. Your initial thought might be that since it requires both parties to be running CyanogenMod, there aren’t that many instances where this would work, but there are already 10 million known users of CyanogenMod, and after taking into account that users have an option to not be counted, that figure could rise by several million.

This update will be rolled out to version 10.2 of CyanogenMod first, then added to earlier versions. As of now, there are over 670,000 CyanogenMod users on 10.2.

CyanogenMod rolls out encrypted text messaging by default

Cyanogen teamed up with Open Whisper Systems, which makes open source apps for secure texting and phone calls, in order to integrate encryption seamlessly into a phone’s firmware. Install CyanogenMod, and your texts to other users of CyanogenMod and Open Whisper System’s TextSecure will automatically be encrypted. You can still use whatever SMS app you like.

Filed Under: News Tagged With: cyanogenmod, encrypted messaging, encryption, messaging

How Apple’s Touch ID works

December 7, 2013 by Jenxi

WIRED.com writes about Apple’s Touch ID fingerprint reader.

Fingerprint reading is accomplished through a complex method.

Touch ID is composed of an 8 x 8 millimeter, 170-micron-thick capacitive sensor located just beneath the home button on the 5s. This is used to capture a 500-pixel-per-inch (ppi) resolution image of your fingerprint. The sensor can read pores, ridges, and valleys. It can identify arches, loops, and whorls. It can even recognize fingerprints oriented in any direction.

When you place your finger or thumb on the sensor, it looks at the fingerprint pattern on the conductive sub-dermis layer of skin located underneath the dermis layer. It also measures the differences in conductivity between the tops of the ridges and the bottoms of the valleys in your prints in this layer. This is more accurate than looking at the dead surface of the skin alone, which is constantly changing and isn’t conductive.

Touch ID needs a good database of fingerprint records to ensure that the fingerprint is quickly recognised.

Apple partially gets around the small sensor issue using the enrollment process, which includes rolling your finger around to try to capture every microscopic nook and cranny on your finger. Then, at least, it has a large source to pull from, even if it’s only scanning a section of that each time you tap your finger.

It doesn’t stop learning.

Apple’s Touch ID algorithm is designed to learn and improve over time — with each scan, it checks if it is a better reading than what is stored, and can update the master data for your print this way. This algorithm could certainly be changed or improved through iOS updates, as well.

So what can go wrong when you use Touch ID?

There are a variety of small things that could be going on to interrupt a successful Touch ID experience. First, for it to work properly, your finger needs to make contact not just with the sapphire of the home button, but also the stainless steel ring surrounding it. Next, the sensor itself works by measuring electrical differences between the ridges and valleys of your fingerprints. If your hands are too dry, it’s going to be difficult for your print to be recognized (this could be a growing problem in the dry winter months ahead). Conversely, if your fingers are too moist or oily, recognition can also fail, as those valleys get filled. If the button gets dirty, as it likely will over time, you’ll also want to clean it to keep Touch ID working properly. Apple suggests using a clean, lint-free cloth.

I was barely a few days into using Touch ID and I found myself wondering how I ever lived without it. Unlocking my phone is now quick and intuitive. To quote Steve Jobs, “It just works.”

Filed Under: News Tagged With: apple, encryption, touch id


Copyright © 2018 · BakingPixel · Design by RubyCoded