The FBI Can Break Encryption

(By Bill Blunden via Dissident Voice)

Leaked slide showing how the NSA performs man-in-the-middle attacks on SSL/TLS encrypted web traffic (Photo credit: Guardian)

[…] recent history is chock full of instances where the FBI employed malware like Magic Lantern and CIPAV to foil encryption and identify people using encryption-based anonymity software like Tor. If it’s expedient, the FBI will go so far as to impersonate a media outlet to fool suspects into infecting their own machines. It would seem that crooks aren’t the only attackers who wield social engineering techniques.

In fact, the FBI has gotten so adept at hacking computers, utilizing what are referred to internally as Network Investigative Techniques, that the FBI wants to change the law to reflect this. The Guardian reports on how the FBI is asking the U.S. Advisory Committee on Rules and Criminal Procedure to move the legal goal posts, so to speak:

The amendment [proposed by the FBI] inserts a clause that would allow a judge to issue warrants to gain ‘remote access’ to computers ‘located within or outside that district’ (emphasis added) in cases in which the ‘district where the media or information is located has been concealed through technological means’. The expanded powers to stray across district boundaries would apply to any criminal investigation, not just to terrorist cases as at present.

In other words the FBI wants to be able to hack into a computer when its exact location is shrouded by anonymity software. Once they compromise the targeted machine it’s pretty straightforward to install a software implant (i.e. malware) and exfiltrate whatever user data they want, including encryption passwords.

If encryption is really the impediment that director Comey makes it out to be, then why is the FBI so keen to amend the rules in a manner which implies that they can sidestep it? In the parlance of poker this is a “tell.”

As a developer who has built malicious software designed to undermine security tools I can attest that there is a whole burgeoning industry which preys on naïve illusions of security. Companies like Hacking Team have found a lucrative niche offering products to the highest bidder that compromise security and… a drumroll please… defeat encryption.

There’s a moral to this story. Cryptome’s John Young prudently observes:

Protections of promises of encryption, proxy use, Tor-like anonymity and ‘military-grade’ comsec technology are magic acts — ELINT, SIGINT and COMINT always prevail over comsec. The most widely trusted and promoted systems are the most likely to be penetrated, exploited, spied upon, successfully attacked, covertly compromised with faults hidden by promoters, operators, competitors, compromisers and attackers all of whom warn against the others while mutually benefiting from continuous alarms about security and privacy.

When someone promises you turnkey anonymity and failsafe protection from spies, make like that guy on The Walking Dead and reach for your crossbow. Mass surveillance is a vivid expression of raw power and control. Hence what ails society is fundamentally a political problem, with economic and technical facets, such that safeguarding civil liberties on the Internet will take a lot more than just the right app.


One Reply to “The FBI Can Break Encryption”

  1. While I agree with the author that encryption/security software alone is not enough to deal with mass surveillance, and that we need radical political/economic change in addition to technological solutions, I also want to emphasize that I do think that technological countermeasures are critical. Yes, the FBI/NSA can usually defeat encryption (mostly through side-channel attacks). But that does not mean that encryption is useless.

    With the amount of resources and technical sophistication that the NSA has at their disposal, if they single one of us out for a “targeted access operation”, it’s unlikely that we (other than a few exceptional hackers among us) will be able to defend against it. However, what we can do is collectively work to develop security systems that make it very expensive or difficult to perform mass surveillance. Tor, disk encryption software, PGP, and other tools are not magic bullets. We should not get lulled into a false sense of security thinking that we have “secured” our communications. There are (at this point) no “apps” that will defend all of us against an adversary like the NSA or GCHQ that is determined to compromise us. But we can make their job harder, which means they will fail more, get caught more, and waste more resources doing it.

    But again, this is only meaningful if we are simultaneously working towards radical political change that gets rid of these intelligence agencies altogether. While oppressive institutions such as the NSA exist, we should do everything in our power to interfere with their ability to monitor us. However, in the long run, we also need to be working to shut them down completely.
