Thursday, February 18, 2016

Backdoors do not increase security, but they destroy the confidence, so Apple has said no to the FBI – CheFuturo!

There are few things I’m sure, but among them there are definitely three: there are no missiles that do not kill civilians, there are not guns that kill only the bad and there is no backdoor that remain private and do not become public.

But what is a backdoor? According to Wikipedia a backdoor is defined as a mechanism to “ to overcome in part or in whole the security procedures implemented in a computer system “, then a system which, in whole or in part, forcibly lowers the security of a computer system to allow an individual or to an institution to obtain access to a system you are protecting this access.

 phone-lock

Credits: www.theregister.co.uk

And, in fact, this is precisely what has been asked by the FBI to Apple in the order the American judge who sparked the network, from the EFF to the CEO of Google until John McAfee, to support Apple’s position to oppose the order.

what do they want FBI and Federal Court by Apple

Yes, the ‘ FBI has not asked, as I often read online at this time, to “help them recover” from the iPhone killer data of San Bernardino and Syed Farook You do not even have “required to have a copy of the data” as other fanciful interpretations reported. He did not ask any of these things because it is physically impossible for Apple to do any of the two actions: Apple not only, in fact, does not hold any copy of the information that the FBI wants, but above all has no way to “break” the encryption key which protects them inside iPhone itself. The information is, in fact, encrypted and it is the same math behind the encryption used to protect them. And no, Apple does not hold any “master key” to open any iPhone, as they would rather force her to have a number of governments. (Read also “Secrets, sealed envelopes and encrypted codes, we need to encrypt”)

A concept, that of “master key”, thorny, behind which many educated thinkers (the same Savergnini today) there has been duped without really thinking about the actual consequences. What consequences? Well, for example, that

does not exist in human history and there has never been a key that has not been duplicated or disclosed sooner or later.

it happened with ciphers intellectual property and is successful, more recently, with one type of key “physical”: if in today Savergnini leads to shining example the “master key” keys (required by law) that the builders of locks for suitcases have to provide the TSA (the US Agency for Transport protection), well, it is these keys have been recently at the center of one of the large safety scandals in history. Maybe you do not know, in fact, that the lock on your suitcase is useless, because the master keys, the “master key” of the TSA are freely downloadable online and anyone can, to date, open your lock with the same keys that the government American spergiurava and swore that they would be the exclusive prerogative of its Department.

Needless to say how vain and vacuous are, with hindsight, those statements and how unnecessary (and dangerous) are these “master key.”

But back to the iPhone killer of San Bernardino: if the “master keys” do not speak, what prompted Apple to the FBI and the court?

it is ” simply “asked to help them” overcome in part the security procedures implemented in a computer system. ” Yeah, because the weakest link in the network is its encryption key, and Apple for years strives to make difficult those operations that try to “find” the key using thousands and thousands of attempts. And it does three ways: different

1. Using the limit of attempts : it is possible to limit the number of attempts available (usually 10) to “guess” the code, causing the tenth attempt failed the phone to erase their data “destroying themselves”. In this way groped at random it becomes impossible and counterproductive.

2. Through a timing of attempts : doing so, namely, that even without the presence of the limit of 10 attempts is necessary to wait longer and longer to “try again” to enter the code increasing attempts. It can also take hours before you can “groped” another code after missing yet again. In this way the strategy to try thousands of codes becomes unworkable.

3. By compelling to use the display : stupid method but functional, the display must necessarily be used to enter the code, making it impossible to use “automation mechanisms”, if still tied to a physical nature, for “groped” codes. In this way the practical possibility to groped thousands and thousands of codes per second becomes impossible and the time required to “guess” it becomes very long.



However, the request FBI is precise and accurate: Apple should, according to the court, creating a new version of the operating system

a software to be loaded inside the suspect’s phone, in order to:

1. Evade the limit of 10 attempts : Your phone must be able to delete the content with the arrival of the tenth wrong code entered but must leave free to make any number of attempts;

2. Circumvent the insertion delay mechanism : Your phone must be able to insert a “pause” compulsory between retries and another, but must leave free to make any number of attempts in the shortest time possible ;

3. Circumventing the need to use the display : Your phone must be able to require the inclusion via the display but must leave the FBI the ability to use digital input systems.



in other words prompted Apple to create an operating system version that can circumvent the three safety barriers put in place to avoid the “brute force” password.

that is, a then able to “system partly overcome the security procedures implemented in a computer system”, a system that, even for mere definition, is called Backdoor .

Apple’s refusal to provide backdoor

But because Apple refuses? We clear the uncertainty range: Apple is certainly capable, money and time apart, to create this system and create it exactly as requested by the FBI, but Apple decides not to do so for three reasons: the earlier, the worldwide spread and market confidence.

Perhaps the most important reason is the first of three, the fear of the “previous” : Yeah, because if it is absolutely true that the ordinance would allow to create this system also forcibly causing “revolutions” only on the specific phone, and above all do it “turn” only in the Apple headquarters, history teaches that no key exists that has not been revealed. Apple not only would thus create a “digital weapons” did not exist before the world, but such “digital weapons” certainly would be a risk once created to be widespread: there are surely governments and other entities that would pay considerevolissime sums for a technology of this type (a vulnerability iPhone also worth a million euro, let alone this type of software) and Apple has shown several times as even the super-secret models of the new iPhone have managed to “sneak” out of the Cupertino headquarters.

But it is also a purely legal question: based on what excuse could ever Apple, in the future, refrain in any way from the same application on another phone, made at a later time from any other police force?

And here comes the second problem: Apple’s spread around the world . Yes, because even if the headquarters is located in Cupertino, Apple is a reality found throughout the world, in democratic countries, unlike Democrats and “creatively” and democratic, it should be noted, the definition of a terrorist is certainly fluid within various regimes, and it tends to simply outline who is to exercise a violent opposition to a status here: it is certainly not the case of San Bernardino, but in many parts of the world, what are called terrorists by the country’s government are defined by the rest of the world “freedom fighters.”

How to deal with, in these cases, the requests coming from these states to recover the data from these individuals? While refusing to perform an action for which there is no procedure and no software exists is definitely possible,

once the backdoor created, based on what legislation one would oppose to a request of this type?

And, remember, we’re talking about a company that increasingly cast his eyes on a major world economy that appears to be at least lukewarm with regard to safeguarding the rights of citizens that live …

and in fact this refusal is, perhaps first of all, or perhaps in the queue at all, or even a particularly obvious commercial choice position: if Apple were to fall to the lure or the threats of the FBI, in a world post-Snowden a special attention to the confidentiality of information, the damage even just the image of security and impenetrability of Cupertino systems would be destroyed in the space of a few lines of code: as a world government, for example, would trust the fact that Apple does not fit the “backdoor” to the state government in which he resides?

a choice, to defend the privacy of individuals, so much more complex than a mere skirmish with a Court, much more important, perhaps, than any other business decision.

a choice that is part of a much larger scenario, that of Western governments that seem increasingly inclined to want to force the world’s great companies to limit privacy for “encryption castrated” to allow investigators a “privileged” access to unspecified requirements of “national security” (Read also “So governments and companies steal our privacy (in the name of security)”

Yes, because in the end, do not forget that in the terrorist attacks of recent years technology and encryption have had no role or only a very peripheral role: investigators fact (as in France) have not even been able to intercept calls it perfectly clear available …

But even if it was “necessary “and implemented a” master key “in communications, we never asked ourselves what would happen in reality? Maybe we should, because thinking just a second we would understand a shocking truth: would not change absolutely NOTHING.

Yes, because the law prohibiting killing civilians has never stopped the killer (who simply have ignored) and limitations on trade in arms have never stopped terrorists (which are supplied to other sources). And if a recent study by Bruce Schneier has shown that 34% of encryption systems is open source, it would ban the terrorists to ignore the iPhone’s encryption and use encryption to any other OpenSource software retrieved from the network and properly completed? What would prevent you? Nothing.

Unless you think, then, to be able to prevent encryption in every product available online and to kill any open source code line this online and be able to prevent anyone programs (with public algorithms) a new system, then the contribution to the fight against terrorism is an obligation to Apple and Google to provide “master key” would be invalid. The terrorists would use other software and the only ones to be impacted by this issue would only be ordinary citizens.

So momentary security crumbs (up to a new open source software) in exchange for his privacy. And, in the words Benjamin Franklin in 1750: “Who is willing to sacrifice their freedom for temporary security crumbs, deserve neither liberty nor safety. He will lose them both. “

LikeTweet

No comments:

Post a Comment