FREEZE! Busted by the Fridge. The ways that tech influences writing fiction, making movies, and busting criminals.

One interesting investigation I had was a murder-for-hire in one city in which the suspect used a Google search to find the victim’s home address in another city. Simple enough crime to plan. Google the name, find the address, do the hit. Except in this particular case, although the suspect Googled the correct name, there were two people with the same name in the same city and he picked the wrong one. I called this case my “Sarah Connor” case.

Fortunately, we intercepted the hit before it happened and prevented a random murder of the wrong person (as well as preventing the murder of the ‘right’ person). In a basic sense, the suspect used the technology of one of the most advanced computer systems in the world (Google…) to attempt a murder, only to choose the wrong name in a Google search hit. This type of criminal incompetence and carelessness is commonplace. It is also the way that most get caught.

On the other end of the spectrum, we have Hollywood’s version of high tech crime fighting.  Minority Report with Tom Cruise showed us that not only can crimes be solved with technology, but that crimes can also be prevented with technology.  As for the technology used in the movie, it could have only been more accurate had a predictive analysis computer system been used in place of the fortune-telling humans (“Precogs”) in a big bathtub.

In a turn-key surveillance system, no person is anonymous. Whether it is a private business or government agency, no one is immune from potentially being watched, tracked, or reported. Private businesses use facial recognition both to improve customer service by detecting your mood through facial expressions and to prevent crime.

“…faces of individuals caught on camera are converted into a biometric template and cross-referenced with a database for a possible match with past shoplifters or known criminals.” https://www.theguardian.com/cities/2016/mar/03/revealed-facial-recognition-software-infiltrating-cities-saks-toronto  

Criminals who try to avoid using technology are severely limited in the types of crimes they can commit. That’s a good thing. A drug dealer without a cell phone is like a taxi cab driver without a taxi. It is part of the business and can be tracked, traced, monitored, intercepted, and forensically examined. Technology is a natural and required part of any criminal’s operations. Criminals not using technology are ineffective as criminals, for the most part.

Criminals who try to avoid surveillance technology in public, such as license plate readers and facial recognition, are also extremely limited in the crimes they can commit, since they would have to remain in their homes to commit crimes outside of public surveillance methods. Even then, committing a crime in a home is not without the risk of being monitored, either by a government agency, a private corporation, or an electronic device plugged into an outlet. If you own a Vizio television, consider yourself tracked, hacked, and sold to the highest bidder. http://www.theverge.com/2017/2/7/14527360/vizio-smart-tv-tracking-settlement-disable-settings

From Amazon’s Echo to an Internet-connected fridge, data is collected as it happens, and stored either locally on the device or on a remote server (or both).  Depending on how ‘smart’ a home is, every drop of water usage can be tracked, every door opening logged, and every person entering and leaving the home gets recorded.  This does not even include cell phone use that is tracked within the home by providers.  And the computer use!  The things we do on the computer leave traces not only on the hard drive, but also on the servers we touch with every www typed.  Criminals in their home are no more protected from being discovered than on the street.  This is a good thing.

As to the significance of some of these high tech smart home devices, consider that water usage can give inferences as to what was done in a home, such as cleaning up a crime scene…

 

https://arstechnica.com/tech-policy/2016/12/police-ask-alexa-did-you-witness-a-murder/ 

During all the years of being a detective, I did trash runs.  Lots and lots of trash runs.  I hated the trash runs until I found good evidence.  Garbage smells really bad, especially during the summer.  Digging through garbage bags in a dumpster in the middle of a hot day can make the toughest person gag or puke.  But you can get some really good information on the criminals you seek. Did I mention it can smell really bad?

That is one of the reasons I really enjoyed moving into digital forensics.  Digging through the garbage of data on a hard drive is a lot easier on the nose than digging through a dumpster.  Plus, the information you get is sometimes a lot better than what you can find in a garbage can.  There are exceptions…you won’t find the murder weapon in a folder on the C:/ drive of a hard drive unless the murder weapon was a computer program. 

You would think that with the amount of technology available and already in place, police would be able to uncover more crimes, find more criminals, and be more effective. When a smart home can email the home owner a photo of someone ringing the doorbell, newer cars come with pre-installed GPS tracking systems, and a fridge can record a live stream of residents in the kitchen, finding evidence should be easier…right?

Not quite.

That brings us to the biggest hurdle to crime fighting: incompetency and laziness. Government agencies are not immune to the same human fallacies found elsewhere. There are hard workers in government just as there are hard workers in the private sector. The same holds true for laziness and incompetence, which criminals take advantage of.

In any case where electronic devices are not being seized for examination, evidence is intentionally being left behind.  I am not referring to the electronic devices that are difficult to find, like a camouflaged USB device hidden within a teddy bear. I’m talking about the cell phone sitting on the car seat of the suspect arrested for burglary.  Yes. I’ve seen it happen.  Part of the reason is that unless lead is flying, most criminal cases and dispatched calls are boring to the responding officer.  As an example, with a residential burglary, the suspect is usually gone and the victim is lucky if the officer even tries to recover prints from the scene.  Stolen car?  Oh well. Fill out the report and call your insurance company.

I have been out of police work for about 10 years and I had hoped this lack of urgency in police work had changed. But apparently not. I recently helped someone with their stolen purse from a gym. I got the call first instead of 911, but that’s another story. Anyway, I showed up to give some guidance and eventually the district officers arrived. Even after being told that video cameras faced the parking lot, and that the suspect/s went inside another victim’s car, the officers said, “The cameras probably didn’t get it”. The manager of the gym even offered up the video and said the cameras face the victim’s car... but the officers left without even asking to see the video. After telling the officers that the suspect/s just used the stolen credit cards in a store less than 5 miles away and that the store surely must have cameras, one of the officers said, “We can’t get much from a store’s security cameras. You just need to call your bank to cancel your cards.” End result: File a report. Call the banks. Get a replacement driver’s license. Yes. This still happens. And criminals thrive on it.

The irony with a lack of seizing electronic evidence is that most of the forensic examiners in law enforcement love to dig and dig and dig and dig through data to find the smoking gun. It is the lifeblood of what they do. If only the devices were seized and given to them. Case in point: I was called to examine a laptop of a missing teenager, six months after she was reported missing. The detective simply did not put any reliance on a laptop, which the teenager was religiously using for social media, as a source of important evidence. The teen’s body was later found buried less than 5 miles from the police department where this detective drank coffee at his desk, with the laptop sitting downstairs in evidence for months. I would have loved to examine that laptop ON THE SAME DAY the teen was reported missing. It was virtually useless by the time I got it.

Seeing that tech should make it easier for police work, it should make it easier for writers of fiction.  It doesn’t.  I read (and write) a lot.  Technology can ruin good fiction.  No longer can a fictional criminal live his or her life under the radar.   Even the good guys can’t avoid ‘the radar’.   The Jack Reacher series should have been set in the 80s, because there is no way that Jack Reacher can roam the country without ever ringing some bells in surveillance tracking technology and live only with the technology of a single ATM card.  I was lucky that my undercover work was before the Internet really took off.  Backstopping an ID today requires way more than it did when I was undercover.

Writing fiction set in today requires knowing technology, because any scene that should have technology but doesn’t simply makes that scene unbelievable.  Same with Hollywood. Seriously.  It gets harder and harder to watch a movie that intends to be realistic without realistically using technology.   Show me a movie where no one is texting anywhere in a scene and I’ll show you a movie where technology is selectively ignored for the sake of simplicity at the cost of plausibility.

I can hear it now.  Police work is hard.  It’s not easy to get search warrants.  Not every department has a forensic unit.  We are too busy to solve crimes.  We are short-staffed. We don’t get enough training.  Blah blah blah.  I’ve heard it before and proved it can be done time and time again.  I have always believed that 10% of law enforcement do 90% of the work while 90% of law enforcement try to pawn off the remaining 10% of the work (while fighting over taking credit for it).  If just another 10% of law enforcement suddenly got a sense of urgency to require high tech investigations be a part of every crime scene, we’d reduce crime stats in half and solve twice as many crimes.

Now if only I can find a book or movie that doesn’t pretend technology doesn’t exist…

 


Never a shortage of examples

I have given 20 presentations this year and that was only in the first half of 2016 (although, I have not scheduled anything for the remainder of the year to finish some projects).

In each of the presentations, whether the attendees were parents, children, law enforcement, or digital forensics analysts, I have always been able to give really good examples of compromises.  On the day of the presentation or day before, I search for a recent breach and will most always find a good one.  If I search a day after the presentation, I sometimes find a new breach that would have also been a good example of a hacking incident.

So for the cybercrime prevention talks, I tell everyone that anyone can be a victim no matter what you do. Sometimes you are specifically targeted and other times, you fall into a group of victims from a third party breach. And the more 'third party' accounts you have, the more risk of having your personal data exposed. For example, if you have a T-Mobile phone, Premera for health insurance, applied for a government security clearance, shop at Home Depot, and ate at Wendy's, you potentially have had your personal data or credit card information compromised five times by doing absolutely nothing wrong.

If you are targeted, even if you do everything right, you can have your personal information breached. This applies even to CEOs, like the CEO of Twitter...and Facebook...and the CIA... Most likely, as the Internet of Things heats up and everything gets connected to the Internet, our risk will skyrocket to the point that the only people who don't have their personal information compromised are those who have been living on a mountain all their lives...with no electricity...and no credit cards...or car...or phone... For the rest of us, it is probably just a matter of time. As for me...my ID has been stolen once and I seem to get notice letters from services about a new breach on a regular basis. The good news is that I always have plenty of great examples to talk about.

 


I'm just a Tor exit node! I'm just a Tor exit node!


Never thought I would still see this happening…

http://www.ibtimes.co.uk/seattle-police-raid-home-privacy-activists-who-maintain-tor-anonymity-network-node-1552524

I have personally seen warrants served on the wrong address on two occasions.  The first was a drug investigation where the lead detective went to the wrong door to an apartment.   The warrant was correct in having the correct address, but the detective didn’t take the time to check the numbers on the door…

The second time I witnessed a wrong door entry was when the lead detective had the wrong address on both the search warrant and affidavit.  The detective never even corroborated the information to find the right address.  Basically, the detective looked down the street and picked the house she thought was the drug dealer’s house.  After SWAT kicked in the door and broke a few things in the process, it took all of 5 minutes to realize that it was the wrong house.  The drug dealer was on the next street over…the victim house got a new door from Home Depot and carpet cleaning paid for by the task force.  

Both of these warrants taught me something that I will never forget.  Before you kick in the door, make sure you got the right door.  After you make sure you got the right door, make sure again.  Then ask your partner to double-check that you got the right door. Then get a warrant and kick it in if the suspect doesn’t open it for you.

After investigating drug crimes, I went into cyber cases. The same fear of entering the wrong house became even more worrisome since relying on IP addresses is not the same as relying on your eyes. You have to rely upon a fax from an Internet service provider for the address. In an investigation that involves following a suspect to his home, it is easy to physically see the house that you plan to swear to in an affidavit. But with an IP address, you have to rely on some third party service provider to give you the subscriber at the physical address where the IP address exists and trust that the information is accurate. That is at least one step before swearing to an affidavit to ask for authority to force your way into someone's home. Investigators must still confirm that their suspect and/or evidence is at that particular and specific address, which requires at least some legwork to confirm the physical address.

When Tor is used by a criminal, relying on the IP address is worse than a bad idea, especially since it is such common knowledge that an exit node on the Tor network has nothing to do with the origin of any data that flows through it, other than that the data flows through it. I have taught and written about Tor as it relates to criminal/civil investigations for several years now, each time repeating:

IP address ≠ a person

MAC address ≠ a person

Email address ≠ a person

Tor IP address ≠ the address you want

CSI Cyber regularly does one thing right…whenever the cybercriminal uses Tor (proxies) on the show, the Hollywood FBI hackers don’t even try to trace it because they know that a proxy is not going to lead back to the cybercriminal.   They then resort to other means to find the cybercriminal before the hour ends.  Not that any of their other methods are realistic, but at least they got Tor right.  Anyone watching CSI Cyber even one time is exposed to explanations that tracing cybercriminals using Tor is virtually impossible.  This is the “CSI effect” in reverse.

Since TV show viewers can figure it out, you can imagine my surprise seeing this tweet today:

I don’t have access to the case reports, nor know anyone involved, but the one thing I can tell is that if this case was based on an IP address alone, I cannot fathom why no one checked to see if the IP address was a Tor exit node.  Checking a Tor exit node takes about 10 seconds.  The Tor Project even helps and provides everything you need.

https://check.torproject.org/cgi-bin/TorBulkExitList.py
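The ten-second check described above, applied to a whole log before any address is treated as a lead. This is an added example, not part of the original post: the function names are hypothetical, the exit list is assumed to be plain text with one address per line and `#` comment lines, and every address and log line is constructed from documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed sample in the assumed shape of a bulk exit list download:
# one address per line, '#' lines are comments. Not real Tor exit data.
SAMPLE_EXIT_LIST = """\
# constructed sample list
192.0.2.10
198.51.100.77
2001:db8::5
not-an-address
"""

# Constructed web server log lines; the first field is the source address.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Mar/2016:06:14:02 +0000] "POST /upload HTTP/1.1" 200 512
203.0.113.5 - - [30/Mar/2016:06:15:40 +0000] "GET /index.html HTTP/1.1" 200 1043
2001:0db8:0000:0000:0000:0000:0000:0005 - - [30/Mar/2016:06:16:11 +0000] "GET /login HTTP/1.1" 302 0
garbage line without an address
192.0.2.10 - - [30/Mar/2016:06:17:29 +0000] "POST /upload HTTP/1.1" 200 498
"""


def load_exit_list(text):
    """Parse the exit list into a set of address objects, skipping junk."""
    exits = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # malformed entry: ignore rather than abort the check
    return exits


def source_addresses(log_text):
    """Yield the parsed source address of each log line that has one."""
    for raw in log_text.splitlines():
        fields = raw.split(None, 1)
        if not fields:
            continue
        try:
            # Parsing normalizes the address, so a long-form IPv6 address
            # in the log still matches the short form in the list.
            yield ipaddress.ip_address(fields[0])
        except ValueError:
            continue


def triage(log_text, exit_text):
    """Map each source address to its request count and exit-list status."""
    exits = load_exit_list(exit_text)
    counts = Counter(source_addresses(log_text))
    return {
        str(ip): {"requests": n, "tor_exit": ip in exits}
        for ip, n in counts.items()
    }


if __name__ == "__main__":
    for addr, info in triage(SAMPLE_LOG, SAMPLE_EXIT_LIST).items():
        note = "Tor exit: not a subscriber lead" if info["tor_exit"] else "not on exit list"
        print(f"{addr:15} {info['requests']} request(s)  {note}")
```

A downloaded list is a snapshot of the current exits, so for an event in the past the question is whether the address was an exit at that time; the Tor Project's ExoneraTor service answers that historical question.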

Certainly, there are probably other details that could have led to going to the ‘wrong’ house, but running a Tor relay should not be one of those details.  At least currently, it is not illegal to run a Tor exit node.

The best analogy I can give for relying on a Tor exit node to accurately reflect the physical address is that of an envelope. Consider a criminal committing a crime through the mail (mailing drugs or something like that). Instead of putting his address as a return address, he puts your address as the return address, drives to another city, and drops the package in a mail box on the side of the street. Let’s say the police seize the package of drugs at its destination and then kick down your door because your return address was on the package. Any investigator charged with tracking criminals online must (not should) be aware of how Tor works. Even in the private sector investigating employee misconduct, or IP theft, knowing how Tor works is mandatory when IP addresses are involved. You just can't get around knowing it unless you don't mind kicking down the wrong door one day.

https://www.torproject.org/about/overview.html.en

On a side note, I am one of the biggest advocates of those who have the job of tracking, investigating, arresting, charging, prosecuting, convicting, and incarcerating predators of children. I have not a bit of compassion for these criminals and I cannot imagine anyone feeling any different.

Coincidentally, I gave a presentation on this very topic at an ICAC conference in the Seattle area last year…oh well.

 

UPDATE: APRIL 8, 2016

Link to the search warrant affidavit:  AFFIDAVIT


Barking up the Encryption Tree. You're doing it wrong.


There always comes a time when an obscure, yet important concept leaves the technical world and enters the mainstream. Recovering deleted files was one of those where we pretty much knew all along not only that it can be done, but that we have been doing it all along. The Snowden releases were another aspect of ‘yeah, we knew this all along, but the GFP (general f’ing public) was oblivious’.

Encryption is just the most current ‘old’ thing to make the limelight. Whenever something like this happens, there are a ton of people ringing the end-of-the-world bells, clamoring that national security will be lost, and personal freedoms take a back seat to everything. It happens all the time and when it happens, there is a fire to make new laws on top of thousands of other laws, in which the promise of better safety and security is as strong as a wet paper bag holding your groceries on a windy and rainy day.


Legally, it is super easy to ban, control, and/or regulate encryption. A stroke of the pen with or without citizen oversight can make it happen quickly and painlessly.  One signature on the last page of a law that is a ream in size is all it takes.

Practically, it is impossible to completely eliminate or control or regulate encryption.  The only thing laws will do is restrict the sale of encryption products by corporations.  Encryption exists in the minds of mathematical practitioners and can be recreated over and over again. You can't blank out someone’s brain (I hope not…).  Encryption is available everywhere on the Internet, from software programs that are FREE and OPEN SOURCE to download and even in TOYS that can be bought off Amazon.com.  These 'toys' work by the way.

Enigma encryption...for sale on Amazon.com

Go ahead and ban encryption and people will just buy a $10 toy to create cipher text for emails.  Tor use will skyrocket as will third party online privacy providers operating in safe harbors overseas.  Banning encryption or breaking the trust of companies like Apple will only result in loss of business for corporations and (more) loss of trust by consumers of both corporations and government.  Even if encryption is not banned, but under the complete control of any government, that particular piece of technology won’t be used for anything other than entertainment. No business is going to transmit sensitive intellectual property data through an insecure system.  No government is going to use a system that can be more easily compromised by enemies or hackers.

Free encryption software: https://sourceforge.net/projects/veracrypt/

The end result of banning encryption is creating a whole new class of “criminals” who just want to protect their private communications. “Private” does not mean “illegal”. Controlling the source code of Apple is only going to cause Apple to end up with 3 employees who will be their only customers. Not even the government will use Apple if they know the source code has been compromised...especially if compromised by the government itself.

Not long ago, I gave a presentation on Internet investigations to a group of law enforcement investigators. One of the first questions I asked was 'Given authority and ability, what would you like to see done in regards to the Internet?'. Most answers were to 'lock it down', 'watch everything', 'control it all', and 'give government complete control'. At the end of the presentation, no one felt that way after I explained how that will negatively affect everyone down to the individual person and business, including the government. Ignorance may be bliss, but that doesn't make ignorance a good idea.

If this 'ban encryption bandwagon' keeps going, the next thing we will see is envelope regulations requiring the paper to be transparent, just in case the government needs to read your mail without opening it.

I also do not believe that there is any one 'thing' that can prevent the apprehension of criminals, prevention of terrorist attacks, or investigation of a crime. If encryption can do all of those, we need better investigative training for our detectives and case officers.

The four corners of the Apple v FBI encryption debacle


If only the FBI had picked a case where the issue was clear cut…that would make this encryption issue so much easier.

  1. The FBI doesn’t want Apple to simply “unlock” the phone.

Apple (and just about every other high tech company) has been unlocking devices and allowing access to data for law enforcement for decades.  That’s not the issue here.  The FBI wants the encryption to be broken. They want software to be rewritten or written that compromises security features. That’s a lot different than just unlocking a device.  That request breaks security.  Worse yet, it sets a precedent.  Law enforcement knows about precedent setting laws. Sometimes it is good, but sometimes it is not.

  2. It’s not the end of the world if encryption is broken.

Our lights will still turn on. Cars will still run.  Kids will still be able to go to school.  However, online payment systems will be as protected as a wet paper bag, secure communications will be as secure as Windows 3.1, and anything you send electronically is fair game to hackers (and government).  But don’t worry. If encryption is banned or broken, there will still be those able to use encryption (hint: one is government and the other is not law-abiding citizens).

  3. “Terrorist will Go Dark” is the best marketing ever created by government.

The only time terrorists are not operating in the dark is when they use social media in the open, print terrorism training manuals (which are then posted online), and kill people in the open. Plus, they still have to drive, fly, walk, eat, sleep, talk, go to the doctor, read a book, watch TV, and surf the Internet. Terrorists and criminals have all the faults of ‘regular’ folks like complacency, laziness, incompetence, and bad luck when they plan and commit terrorist acts. I've published two books on catching criminals (and terrorists) with online and forensic investigations. You can put both books in the hands of a terrorist and the methods to find and catch them will still work. "Going dark"? If a criminal or terrorist can do all the things needed to carry out their devious plans in encrypted emails ONLY, their plans are going to stink. Planning an attack or conspiring to commit a crime requires way more than sending encrypted emails. Working undercover in criminal organizations did teach me a thing or two in how it really works and how they really think and plan.

  4. You have nothing to hide, so what’s the big deal?

The government claims that since you cannot build a house that is impenetrable, you should not have use of encryption that can’t be broken.  Well..if I could make my home impenetrable, you bet I would. If I could buy a safe that was unbreakable, I would.  They just don’t exist.  It’s not that I have anything illegal to hide in a safe, but I don’t want anyone to steal what I have.  It’s not that I have anything top secret in an email, but I just don’t want strangers reading what I am sending to a friend, or to a business colleague.  The point is NOT having something to hide, but rather, NOT hanging my underwear in the front yard on a clothesline for anyone to see or steal (that is, if they wanted to steal my undies…).

And of course, if Apple loses, or bows down to government pressure, I can think of at least one less customer who will buy a "secure" device from Apple since the definition of "secure" will change to "that which you can't break, but hackers and government can". 


Let's not go all Patriot Act on this Apple - FBI encryption thing.


I’ve been involved in about a half dozen conversations, three different email threads, and twice as many emails with friends and clients about this Apple – FBI encryption issue.   It seems to be a divided opinion with no compromise, at least as far as I can see.

 


Here is my opinion: “Let Apple develop their software as they see fit for business and consumer demand, as long as their actions do not violate law.” 

That means that I am in agreement with Apple choosing to not decrypt a dead terrorist's phone. I am not a pro-terrorist or pro-criminal person. In fact, in my previous law enforcement career, I arrested more criminals personally than the rest of my 100+ officer department did…combined.  Not once did I have to break the law, bend the law, or misinterpret the law to make any of my cases in patrol or as a detective. Not once did I ask for any leniency or looking the other way ‘just this one time’ to make a case or to gather evidence. Not once. Ever.

So for any law enforcement agency asking ‘just this once’ to do something does not mean ‘just this one time’. It means, “just this one time until we ask again.” Technical issues aside, whether or not Apple can unlock the phone or just doesn’t want to unlock the phone, the bigger question is why should they? If a landlord refuses to give a key to a residence that SWAT has a search warrant for, SWAT will just boot the door. They can't force the landlord to give up the key. I know this analogy is weak in the key area since you can't break unbreakable encryption, but the concept holds true. You can't force the landlord to give up the key unless the key is somehow evidence.

Yes, yes, yes, I know this is a terrorist case. I’ve been involved in terrorism cases before  and exactly know how important these cases are (as I have also investigated murders..they are also important). I have seen quite enough to know how important it is to catch pedophiles, murderers, and terrorists. None should be on the street.  But that doesn’t mean taking shortcuts, bypassing Constitutional Rights, or asking a corporation to bend the rules a little to make a case.  Investigators can do this in Hollywood films, but not in real life.  

And yes, I have had cases where evidence was so little that probable cause to arrest didn’t exist. But such is life in the USA. Get PC (probable cause) and make the case or go back to square one.

After 9/11, when we panicked as a country to capture every terrorist responsible, the PATRIOT Act was typed, printed, signed, sealed, delivered, and implemented in 60 seconds flat. I was a federal task force officer at the time the PATRIOT Act went into effect. I have never seen such authority given to federal law enforcement in such short order without hardly a concern by the citizens the PATRIOT Act targeted (as in, it targets everyone's communications). We do not need to continue along the lines of granting more authority to do what can already be done under the authority that already exists, which is restricted to protect individual rights. I’ve seen it misused before and it ain’t pretty. It's wrong.

As far as encryption goes, when any encryption is broken or perceived to be broken, no one should use it. When TrueCrypt was reported to be flawed, it practically died, as it should. Broken encryption is like a wet paper bag. It looks like it will hold your groceries until you actually put groceries in it.


As for me, any software provider (or secure device provider) that tries to sell me encryption that is so good that no one, including the NSA, can get into it, they better mean it. A disclaimer of, “well, sometimes we might let the FBI access our encryption” means that I am going somewhere else. I have nothing to hide, but I also am not going to cut a hole in my bedroom wall for anyone to peer in and look whenever they want.

For those who fall back on the ‘if you have nothing to hide, you have nothing to worry about’, I fully support your beliefs in waiving your protections. After all, I have given Miranda warnings more times than I can remember and I always asked the suspects if they wanted to waive their rights. Most said yes. It’s their right to waive their rights. But for me, I’m not waiving anything and I’m not in agreement that the choice to waive or exercise my rights can be taken away because a case agent can’t get enough evidence without resorting to bending the rules ‘just this one time’.

I mean, really. Would you buy a safe to hold your most prized and valuable possessions  knowing that a master key exists? That's like trusting the safe in your hotel closet....


Apple. Oranges. And Encryption.


One of the hottest topics currently is the FBI vs Apple battle over encryption, in that the FBI wants Apple to rewrite their operating system in order for law enforcement to bypass Apple’s encryption.  The arguments on both sides are strong. Law enforcement must have the ability to bypass encryption in the name of national security.  Conversely, consumers (in the USA at least) are afforded protections in the Constitution against unreasonable search and seizure.  The third part of this argument is security and safety of ALL electronic data.  If the legal argument stands that encryption is outlawed, that puts all data at risk of being compromised by criminals, disgruntled employees, and lackadaisical custodians of data.

Apple Fights Order to Unlock San Bernardino Gunman's iPhone - New York Times

http://news.google.com Thu, 18 Feb 2016 02:59:37 GMT

Apple executives had hoped to resolve the impasse without having to rewrite their own encryption software. They were frustrated that the Justice Department had aired its demand in public, according to an industry executive with knowledge of the case ...


Encryption does not explicitly have to be banned to outlaw encryption. Once a legal requirement of encryption having backdoors is created, encryption is effectively outlawed.

But I’m not writing about the legalities of encryption, nor the Constitutional protections of being secure in your home and possessions. There are many others debating those issues.  I’m writing about the practical law enforcement investigative efforts with encryption being a small sliver of the topic.  By the way, much of the 'encryption protections' marketed by providers such as Apple is pure marketing...access already exists in many instances.

 

Apple can read your iMessages despite them being encrypted - SC Magazine

http://news.google.com Wed, 27 Jan 2016 16:30:40 GMT

Despite Apple taking a pro-encryption stance, with its CEO Tim Cook insisting that iMessages are safely encrypted, it turns out that if users backup data using iCloud Backup, they need to be aware that although Apple stores the backup in encrypted form ...


For example, law enforcement receives an abundance of training on an annual and ongoing basis for an entire career. This training covers everything from blood borne pathogens to the application of deadly force. Investigators receive so much training in how to conduct investigations that range from a broad overview of criminal investigations to specific courses on blood spatter patterns, that any investigator can probably be considered an expert in their respective fields. I stopped counting my formal training hours after it went well over 2,000 hours. That’s 2,000 hours of formalized, in the classroom training. I’d guess I have close to 3,000 hours now. Investigators know how to do an investigation and do not need to bend Constitutional Rights to do an investigation. The ends do not justify the means.

So consider the amount of training law enforcement receives. Encryption is one small sliver.  It is so small that investigators don’t even take training in it unless they are dedicated digital forensic analysts.  Encryption is such a small concern in most cases that encrypted files are many times ignored in the investigations simply because there is so much more overwhelming evidence to make the case that fighting with an encrypted file or system isn’t worth the effort without knowing how long it will take to crack it (if ever).

And that is my point, or at least one of my points.

To be fair, I am not discounting the importance that encrypted files and systems can give to an investigation. But at the same time, I personally know of cases where suspects have purposely created thousands of encrypted files on storage media that contained meaningless data for the sole purpose of making an investigator’s job difficult.

My point is that investigators have such an array of investigative tools that they do not need to dip into areas where a person’s possessions and papers are no longer secure. Although television’s CSI typically exaggerates the tools and capabilities available, there are some neat things that do some neat stuff that you can’t buy off the shelf at Radio Shack. To the extent the government wants backdoors in encryption, they may as well ask for a master key for every safe made...just in case they can't force open a safe. Would you ever purchase a safe knowing that someone (or many people) have a master key to your safe?

In the area of providing backdoors in encrypted devices, I am on the edge of saying that if anything, this leans in the area of laziness.  I have seen only ONE case where the only evidence was on one laptop which was encrypted.  All other evidence was circumstantial and would have made a difficult trial. That laptop, to this day and my knowledge, sits encrypted in evidence after years collecting dust. The suspect walked away, no charges. Highly frustrating.  

But that was the only case that I am personally aware of. I don’t know how many more are similar, but my guess is that the ratio is about the same. But even if there were dozens of cases, I do not believe that waiving personal protections is worth those cases. In those cases, investigators need to do more work to find evidence NOT stored in the device. Yes, that means getting out of the office.

Not that I disagree with the ‘easy way’, but I do believe that some things must be done the ‘hard way’. That is just the way it is.  I started in law enforcement before the Internet took off for the average consumer and I left law enforcement when the Internet became what it is today.  I have seen investigators sit at their computers on a daily basis and leaving the office usually meant grabbing a cup of coffee at Starbucks.  Long term surveillance became a thing of the past for many.  Surveillance sometimes was not even on some investigators’ mind at all!  The entire tradition of being a gumshoe detective has been lost on so many.  About the only thing to get some detectives out of the office was the promise of overtime.

Back to the encryption issue. First, be prepared for analogy after analogy about how we should (and should not) have back doors in encryption.  Remember, any backdoor requirement negates the encryption, as in, it will no longer be encryption when anyone can have the key to access it. Analogies don’t always work well, but they are already being used to argue for (or against) backdoors.  Probably the best analogy in this encryption issue is that the government is simply asking you to give them a key to the backdoor of your home, and they are asking you to trust they will only use it when and if they need it. That completely negates the security of your home. 

Second, be prepared to hear that terrorists will not be found and criminals will go free.  Well, that is true, always has been, and always will be.  The government is restrained by the Constitution.  But even with the restraints, you have no idea of the absolute power a search warrant gives law enforcement until you have held one in your hands, forced your way into a person’s abode, and looked into every nook and cranny with unfettered access. To say law enforcement needs more power than that is to say we don’t need protections against unreasonable searches and seizures.

I have also read comments where people have said, “I have nothing to hide, go ahead and look at what you want.” I totally support that argument. Anyone can waive their individual rights whenever they want. I’ve read Miranda Warnings more times than I can count and asked every person if they wanted to waive their rights. Most did.  I wouldn't.  Speaking of Miranda warnings, when the warnings were required to be given (if the suspect was in custody and being questioned), I can imagine the investigators crying over how cases will never be solved because we are telling criminals to not talk. Well...that didn't pan out.  They still talk and will always talk and always confess.  Some never will, regardless if they are given Miranda warnings, but the point remains that investigators must, and do, work within legal limits.

Where I diverge on a person waiving their rights is where everyone must be forced to waive their rights by having all their electronic devices and data accessible by law enforcement. Again, once there is cause (probable cause), law enforcement can get pretty much anything they want, from kicking down a door to seizing all the funds in a bank account. If technology eventually allows access into highly encrypted files, then they can have that too. You don't have to open your door for the police, but if they have a warrant (or other authority, such as exigent circumstances), they will open the door.

As much as I would hate to see Apple close its doors, I would hope that if they lose the encryption battle, Apple simply shuts down in protest.  Consumers are already suspicious of companies that have covertly cooperated, without warrants, to capture and analyze data, and snoop everyone’s phone calls regardless if any individual was suspected of a crime. It’s not that you don’t have something to hide, you just don’t want someone from the government watching you in your home through a compromised webcam to make sure you aren’t doing something wrong.

The last point to make is that banning encryption is like banning anything. It doesn’t work. Banning something only makes new criminals out of non-criminals, allows criminals to be the only people to possess the banned things, and creates a black market. If guns are banned, criminals will still have guns. Citizens who refuse to turn in their guns…they become criminals. And guns will still be available on the black market. This is the same for encryption. It will still be available and still used by criminals and terrorists. The only people who won’t use encryption (or who agree to allow backdoors) are those who wouldn’t be using it illegally anyway.

I feel for any investigator fighting an encrypted device or file (been there, done it, still doing it). But a backdoor will not fix the problem. If Apple folds like a cheap card table and builds a backdoor, guess who won’t be using Apple products…criminals and terrorists… They will find something else, which leaves everyone else using an Apple product to know the security has been compromised. The problem is not solved, it is multiplied.

I’m not bashing law enforcement, but I am saying to them that rather than trying to make laws and force private companies to do their bidding, get out of the office and work. Follow suspects around. Dig through garbage in trash runs.  Interview witnesses.  Develop informants.  Work undercover. Build cases. You don’t need 100% into everything from your desktop to build a case.

As far as the criminals and terrorists go…it does not matter how much they know about the limitations and extent of authority law enforcement has, because a good investigator can make a good case on any criminal or terrorist. I mean it.  There is not a criminal alive that can remain at large if a good investigator puts a case on him (or her). Encryption? So what.  Find evidence elsewhere, because if the only evidence you have is an encrypted device or file, you really don’t have much of a case. Dig and you will find.

 


What is this thing "privacy" you speak of?


 

I luckily missed being born into the Internet generation. Facebook creeped me out with the amount of information demanded to create an account. It took me all of 1 minute to create an account, 5 minutes to decide to delete it, and then two hours to figure out how. That was years ago and I still receive email reminders from Facebook to re-join with all my information still in the deleted account, as if I never deleted it. If you ever wondered what Mark Zuckerberg thought of Facebook users, you may want to take a look... http://www.businessinsider.com/well-these-new-zuckerberg-ims-wont-help-facebooks-privacy-problems-2010-5

Perhaps a decade of working undercover has made me ultra-paranoid on personal information. At the time of doing UC work, I had little concern of sitting in an illegal business, having dinner with an organized crime figure and having one of his goons run me through Google, because there was no Google when I first started. That changed before I left the narc world and an undercover friend of mine was identified with Internet searches (while he was in the midst of a group of bad guys). If I was still doing undercover work, I'd no longer be doing undercover work. Thanks Google...

I can imagine that being born into the Internet age means never knowing what privacy is, nor have any concern about it all. Kids are literally texting in grade school, Facebooking in middle school, and blogging by high school.  Every generation now willfully gives up every aspect of their lives on social media and to buy some gadget online.

So when I see that the majority of people could care less about their most intimate and private details of their lives, it gives me pause. If you don’t think your Internet searches and web browsing is intimate, take a look at your web history and tell me that you don’t have some secrets in what you look at that you wouldn’t want anyone else to know about you. Health, wealth, and interests. How much more intimate can you get?

Despair at the Number of Americans Who Choose Security over Liberty, Privacy - Reason (blog)

http://news.google.com Thu, 31 Dec 2015 17:41:15 GMT

According to a new, frustrating poll, a majority of Americans in both the major parties appears to support warrantless government surveillance of Am ...


 

I’m not sure if people just don’t care the government watches and logs their Internet activity or if they just don’t know that they have a right to be secure in their homes, papers, and possessions. Either way, the result is the same. Privacy no more, and like the arrow flown, you can’t get the data back.

I can say that there are government organizations that actually take issue with privacy, one for example: Public Libraries. I’ve had criminal investigations where I needed information about a library patron for serious felonies. Not only were librarians willing to throw down with me to fight giving it to me, but I was promptly kicked out and told to get a warrant (which I did every time).  The library in the county where I live takes privacy seriously (KCLS). No security cameras anywhere. Not inside the library. Not in the parking lots. Nothing recorded. Patrons can use Tor if they bring it on a CD or flashdrive to plug into public use computers. The WiFi is free, no login required, no tracking of the users. 

For this, I say libraries may be the last bastion of personal privacy protection, but then again, I have no idea how many national security letters have been handed out to librarians.

Certainly the day is close where privacy no longer exists in any manner. Already, if you ever applied for a security clearance, foreign governments have your application and probably your fingerprints too.

China says OPM breach was the work of criminal hackers - Engadget

http://news.google.com Thu, 03 Dec 2015 04:59:00 GMT

China says the massive security breaches at the US Office of Personnel Management (OPM) that exposed the personal information of more than 21.5 million US government employees, con ...


I can say with experience, the Internet is great for investigators. Finding suspects has never been easier. In fact, finding an entire life history of a suspect takes on a whole new meaning with Facebook and every other type of social networking account. Heck, they list their associates too. How much easier can it get? Criminals are people too, and they put as much personal information online as everyone else. Take the Dark Web as one example. The Silk Road creator took massive steps to hide his identity, but an IRS agent identified him with Google searches...

The Tax Sleuth Who Took Down a Drug Lord - New York Times

http://news.google.com Fri, 25 Dec 2015 17:48:14 GMT

It was Mr. Alford's supervisors at the I.R.S. who assigned him in February 2013 to a D.E.A. task force working the Silk Road case. The Strike Force, as it was known, had so far had l ...


My only concern with personal privacy evaporating like dry ice in the summer is that criminals also have an easier time of finding enough personal information to do damage to anyone, whether as ID theft, stalking, or worse.  It's bad enough that there are several levels of government agencies tracking everyone (including you), and that the criminals are using the same methods, but we also have the foreign governments doing it too.

Probably the best thing that can happen to the Internet is that it breaks...but then again, how will students find answers to their homework if they can't access Wikipedia? Can you imagine telling your kids to go to the library? The horror!
