Your life is on that phone, and the lives of your loved ones

I keep coming back to this Apple vs. FBI case because of how important it is. I apologize if people (both of you) are getting tired of reading about it.

Daniel Gerstein wrote a piece about the “false dichotomy of Apple vs. FBI” and then made the dubious statement that “because 90% of all cyber attacks are spear phishing you don’t really need encryption to protect you.”

The problem with this schtick is that it sounds reasonable at first glance. The reason most cyber attacks are of the “social engineering” variety is that tech companies and individuals have spent decades finding and fixing vulnerabilities and hardening devices and software. That hardening is why the vast majority of attacks are now aimed at the weakest remaining link, the user. It is a testament to the efforts of security professionals, not an argument for undoing their work.

Consider how the biological analogy sounds: “You shouldn’t wear a condom because 90% of sexually transmitted diseases aren’t HIV.” That is the level of reasoning behind arguing against strong encryption at the device level.

One of the things we learn as information security professionals is that you either accept risk or mitigate it. If you live in an urban area, use your smartphone the way the average person does, and it gets stolen, then the only thing standing between the thief and your bank accounts, social media accounts, Amazon account, and so on is the encryption on your smartphone. Once a criminal has physical access to an unencrypted device, getting to the data inside is only a matter of time; encryption is what changes that arithmetic.

If Mr. Gerstein thinks that he has nothing to hide, all he needs to do to prove it is to send his email accounts, bank accounts, and passwords to Mr. Glenn Greenwald and see how long it takes him to begin valuing his privacy. The fact that in the two years since Greenwald issued that challenge no one has taken it up to prove they really have nothing to hide says something powerful: people do in fact value their privacy and security.

But even then, encryption is not the be-all and end-all of security. What encryption buys you is time: it raises the cost and effort needed to get at the data inside. A few years ago a major credit card company was hacked and the attackers were able to download user data, yet the company publicly stated that there had been no compromise. Why? Because the file was encrypted, and without the key no amount of computing power the attackers could realistically throw at it would recover the contents before the usable lifespan of that data had passed. Credit card data that is a decade out of date does an attacker little good.

So that is where the FBI stands against Apple. They have the ability to desolder the NAND flash, image it to a file, and reflash that image whenever the failed-attempt counter approaches the wipe threshold, resetting the counter so they can brute-force the passcode without ever triggering the erase. But they don’t want to do that, because what they want is the legal precedent of making Apple unlock the phone for them. This is quite petty in my opinion because, as every hacker knows, once you have hands on a device it is only a matter of time before you can make it give up its secrets.
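To make the mechanism in the last two paragraphs concrete, here is a small Python model I have added; it is not code from the original post and it models no real device format. It assumes a toy flash layout in which the salt, the passcode-wrapped data key and the failed-attempt counter all sit on the NAND chip, a PBKDF2 stretch standing in for the real key derivation, XOR with a hashed key standing in for real key wrapping, and a wipe after ten failures; the per-device hardware key that real phones fold into the derivation is deliberately left out. It goes one step beyond the text by also modeling a hardened design where the counter lives in tamper-resistant hardware the attacker cannot image, which is exactly where the mirroring trick stops working and encryption goes back to buying you time.

```python
"""Toy model of NAND mirroring against a passcode wipe policy.
Constructed for illustration; no real device format is modeled."""
import copy
import hashlib
import hmac
import os

WIPE_AFTER = 10   # failed guesses before the device erases the data key
KDF_ITERS = 200   # kept low so the demo runs in seconds; real devices use far more


def derive_key(passcode: str, salt: bytes) -> bytes:
    """Stretch the passcode into the key that unwraps the data (assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, KDF_ITERS)


def _wrap(secret: bytes, key: bytes) -> bytes:
    """Toy wrapping: XOR with a key-derived stream. Stands in for real key wrapping."""
    stream = hashlib.sha256(key + b"wrap").digest()
    return bytes(a ^ b for a, b in zip(secret, stream))


class Nand:
    """Everything that lives on the flash chip and is therefore copyable."""

    def __init__(self, passcode: str, secret: bytes, counter_in_nand: bool):
        self.salt = os.urandom(16)
        key = derive_key(passcode, self.salt)
        self.wrapped = _wrap(secret, key)
        self.verifier = hmac.new(key, b"ok", hashlib.sha256).digest()
        # Older designs keep the failed-attempt counter here; hardened ones do not.
        self.failed = 0 if counter_in_nand else None


class Phone:
    """Device logic that checks a guess and enforces the wipe policy."""

    def __init__(self, passcode: str, secret: bytes, counter_in_nand: bool):
        self.counter_in_nand = counter_in_nand
        self.nand = Nand(passcode, secret, counter_in_nand)
        self.secure_counter = 0   # used when the counter lives in tamper-resistant hardware
        self.wiped = False

    def failed_attempts(self) -> int:
        return self.nand.failed if self.counter_in_nand else self.secure_counter

    def try_passcode(self, guess: str):
        """Return the secret on a correct guess, else None; wipe after WIPE_AFTER failures."""
        if self.wiped:
            return None
        key = derive_key(guess, self.nand.salt)
        tag = hmac.new(key, b"ok", hashlib.sha256).digest()
        if hmac.compare_digest(tag, self.nand.verifier):
            return _wrap(self.nand.wrapped, key)   # XOR wrapping is its own inverse
        if self.counter_in_nand:
            self.nand.failed += 1
        else:
            self.secure_counter += 1
        if self.failed_attempts() >= WIPE_AFTER:
            self.wiped = True
            self.nand.wrapped = None   # the data key is gone for good
        return None


def brute_force(phone: Phone, mirror: bool):
    """Guess every 4-digit passcode in order. With mirror=True the attacker
    reflashes the saved NAND image whenever the next failure would wipe."""
    image = copy.deepcopy(phone.nand) if mirror else None
    attempts = 0
    for n in range(10_000):
        if mirror and phone.failed_attempts() == WIPE_AFTER - 1:
            phone.nand = copy.deepcopy(image)   # counter back to zero, if it lives here
        attempts += 1
        secret = phone.try_passcode(f"{n:04d}")
        if secret is not None:
            return secret, attempts
        if phone.wiped:
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    data = b"bank and mail tokens"   # constructed stand-in for the device's data key
    for counter_in_nand, mirror in [(True, False), (True, True), (False, True)]:
        phone = Phone("1337", data, counter_in_nand)
        got, tries = brute_force(phone, mirror)
        where = "NAND" if counter_in_nand else "secure hardware"
        print(f"counter in {where}, mirroring={mirror}: "
              f"{'recovered' if got else 'wiped'} after {tries} attempts")
```

With the counter on the chip, a straight brute force dies after ten guesses, while reflashing the image before every tenth guess walks the whole 4-digit space and recovers the key; move the counter off the chip and the same mirroring attack hits the wipe at ten guesses again. The only thing that changed is where the counter lives, which is the whole point of the argument above: the FBI can do this to the phone in question without Apple, and the cost of doing it is set by the hardware, not by a court order.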

There is no false dichotomy here. The FBI already has the skills to unlock the phone, and Apple is correct in telling the FBI to use those alternate means rather than forcing Apple to build a deliberate weakness. A weakness built for the FBI would spread to other law enforcement agencies, and from there to attackers across the world, increasing the attack surface for every iPhone user everywhere.

And just as I don’t recommend that people practice unprotected sex, I do recommend hardening your cyber life to the extent possible.


2 Responses to Your life is on that phone, and the lives of your loved ones

  1. B says:

    Point taken, I’ll be using the lock screen password on my phone now…


  2. roger says:

    It annoys me that the reporting fails to remind us that it wasn’t his phone; he and his partner destroyed their personal phones and hard drives. This was the county’s phone and was managed by the county IT people, who, at the FBI’s request, changed the cloud password, breaking the link that may have made recovery possible. Given the destruction of their own devices, I would be very surprised if anything incriminating is on the work phone, much like the case of the Paris attackers.

