Slashdot Mirror
How the FBI Hacks Around Encryption
Advocatus Diaboli writes with this story at The Intercept about how little encryption slows down law enforcement despite claims to the contrary. To hear FBI Director James Comey tell it, strong encryption stops law enforcement dead in its tracks by letting terrorists, kidnappers and rapists communicate in complete secrecy. But that's just not true. In the rare cases in which an investigation may initially appear to be blocked by encryption — and so far, the FBI has yet to identify a single one — the government has a Plan B: it's called hacking.
Hacking — just like kicking down a door and looking through someone's stuff — is a perfectly legal tactic for law enforcement officers, provided they have a warrant. And law enforcement officials have, over the years, learned many ways to install viruses, Trojan horses, and other forms of malicious code onto suspects' devices. Doing so gives them the same access the suspects have to communications — before they've been encrypted, or after they've been unencrypted.
Hacking — just like kicking down a door and looking through someone's stuff — is a perfectly legal tactic for law enforcement officers, provided they have a warrant. And law enforcement officials have, over the years, learned many ways to install viruses, Trojan horses, and other forms of malicious code onto suspects' devices. Doing so gives them the same access the suspects have to communications — before they've been encrypted, or after they've been unencrypted.
It does not give the FBI bulk surveillance capabilities unless they work with bulk tools, namely botnets and worms trying to infect everything they can get. And that looks pretty bad when discovered.
So widespread use of end-to-end encryption would mean that the FBI would be mostly restricted to operating within the confines of the Constitution. We can't really have that.
To allow "hacking" to circumvent encryption, the FBI must have (direct or indirect) access to a suspect's device.
For that, they must first have a suspect. Encryption can still prevent becoming a suspect in the first place.
Ah, arrogance and stupidity, all in the same package. How efficient of you. -- Londo Mollari
"they should be able to get a warrant to try to break that encryption"
RTFA, That's his point too. The trouble is he only finds 9 examples of judges giving opinions or court orders:
"Mayer analyzed the few public examples of law enforcement hacking he was able to find, most of them from the FBI and DEA: five public court orders and four judicial opinions."
He found discussions where the FBI expressed the belief that it is legal without a warrant and alluded to previous times they'd done it warrantless.
"He also looked through declassified FBI documents and found that officials there have “theorized that the Fourth Amendment does not apply” when investigators “algorithmically constrain the information that they retrieve from a hacked device"
"Mayer said that in internal emails, federal investigators argued that targeted hacking might not constitute a search, and hinted at past times when officials may have hacked without getting a warrant first."
So if you believe the FBI has only done this 9 times then perhaps Libertarians are crackpots. On the other hand it seems likely the FBI has done this hundreds of thousands of times, and thus 9 examples of judicial opinions on cases suggests they're not telling the courts.
The FBI of course won't even reveal the total number of targets its used malware against, be it 9 or 9 million.
... so can everybody. Chinese, Russians, Bulgarians, Ukranians, Germans....
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
https://www.youtube.com/watch?v=OUzzAlorT7Q
Ideally, judicial review ought to be good enough. However, in practice that's not true. The FISA court is one entity that frequently deals with cases involving electronic surveillance. While I'd like to think the court is well-intentioned, they are overwhelmed and wield great power. They've helped to expand law enforcement powers with rulings like the "special needs" doctrine. They face so many requests for surveillance that they admit they simply don't have the ability to properly review them. Essentially, the NSA is left to police itself and ensure it doesn't violate the Constitution. They're a rubber stamp. Even with other courts, requests for search warrants aren't given sufficient scrutiny and aren't refused often enough.
It will another case similar to Stingray, the cell phone intercept:
http://www.yro.slashdot.org/story/12/10/27/144229/secret-stingray-warrantless-cellphone-tracking
Where the FBI claimed they could do it with a pen register (i.e. without a warrant), and used pleas bargaining and misdirection to keep the details of the intercepts from the court.
And of court every little district cop used it without a warrant, or even a legal basis for its use:
http://yro.slashdot.org/story/15/05/25/0344206/san-bernardino-sheriff-has-used-stingray-over-300-times-with-no-warrant
Eventually the courts find outs its a blanket sweep of data and then required a warrant for this use:
http://www.wctv.tv/home/headlines/TPD-Stingray-Use-Raises-Privacy-Questions-262047771.html
IMHO, it will be similar. Some hypothetical specious theory that lets them hack without a warrant, and they're keeping the details from the court so as to not face any scrutiny. Similar to Stingray.
FISA courts aren't courts. There is no defense council. It is one sided, and the government can do whatever it wants and get a warrant for anything, so long as the courts can find some ridiculous, contrived view that 'limits' the search. For example, "every email ever sent, except the one last tuesday about carl's lunch" why, that clearly narrows it down! Warrant approved!
Of course the FBI isn't happy about people going dark.
It's easier without having to deal with the encryption.
More and more endpoints are also getting full disk encryption.
Thinking long term, the FBI doesn't want to be in an arms race with the software developers of browsers, operating systems and the like.
Will they still be able to hack to software running on the endpoints ?
Maybe someday they won't find a way around it. Even though they have a court order they might not be able to do what they are asked to do. That is what scares them.
New things are always on the horizon
I don't think libertarians have drifted toward neoconservativism. If you're perceiving Republicans in libertarian clothing, I think there are a couple of things going on which might give that impression but neither is driven by a philosophical shift.
The whole "TEA Party" thing for example is a rejection of the big government neocons of the Bush era. It has a few libertarian leanings, but unfortunately maintains much of the Republican baggage. These neocon/libertarian hybrids have evolved in the opposite direction from what you're implying.
Then, you're also seeing the Rand Paul type folks who are willing to jump through the Republican hoops in order to bring a few libertarian ideas to the mainstream. Let's face it. In order to win the Republican presidential nomination, you need to have at least some appeal to the "family values" and "strong defense" contingents in the Republican base. The strategy of compromising principles for political appeal is a huge bone of contention among liberty activists. People willing to go down that road might also appear to be "pseudo-libertarians", but their drift toward the Republican orthodoxy is a matter of practical necessity, not political philosophy.
The point is not whether that can decrypt a selected target, rather it is that encryption causes a problem with surveillance from both a practical and legal standpoint. First by encrypting your communications, you clearly establish an assumption of privacy, which isn't as obvious with clear text (IANAL, but I assume that creates a hurdle in the courtroom). Second, applications that take in massive data of warrentlessly available data streams don't have the facilities to hack each one and still provide timely indicators of malfeasance. This kinda relies on the first point, because if someone didn't encrypt their communications, one MIGHT argue that the communicatee didn't mean for it to be private.
But ... but.. Muh ROADS!
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
Then, you're also seeing the Rand Paul type folks who are willing to jump through the Republican hoops in order to bring a few libertarian ideas to the mainstream. Let's face it. In order to win the Republican presidential nomination, you need to have at least some appeal to the "family values" and "strong defense" contingents in the Republican base. The strategy of compromising principles for political appeal is a huge bone of contention among liberty activists. People willing to go down that road might also appear to be "pseudo-libertarians", but their drift toward the Republican orthodoxy is a matter of practical necessity, not political philosophy.
It certainly seemed like a necessity based on the past outcomes of elections and primaries. But it's not working at all for Rand Paul and other libertarian-leaning candidates that are trying to appear more "mainstream". Instead, the electorate these days is bent on rejecting anything that looks like a mainstream politician. Even the Democrats are leaning that way, with Bernie Sanders polling way higher than any of the political pundits predicted. That says less about Sanders than it does Hillary Clinton - an "insider" that no one views as more trustworthy than any other career politician (yes, Sanders is, in fact, also a career politician, but he has managed to be perceived as an outsider. It's all about the optics.
We are, it seems, on the verge of a populist uprising. Voters have been betrayed so many times and so completely they now realize there is no one in Washington that is listening to their concerns any more. I'm actually surprised there haven't been more of them dumped by voters like Eric Cantor was.
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
In places like Ferguson and Baltimore, one could argue that it's already happened (unofficially, of course).
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
BULLSHIT.
Star chamber, kangaroo "court," FISA "court"... they're all the same. Any institution that contemptible does not deserve to be called a "court" at all!
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
I'm curious if off the shelf protection programs detect the FBI malware, or they've been compromised at the money layer.
blindly antisocialist = antisocial
The saddest part is that Sanders is closer to my ideals than Paul. I don't like Sander's route, I don't think. But, yeah... Rand's an idiot from what I can see and I agree that he's pandering to the Republicans.
"So long and thanks for all the fish."
I'm actually a big fan of things like roads, libraries, and police departments. I don't even mind paying my taxes (I wish they were better spent/invested). Hell, I even support a strong social safety net - it stops people from stealing my stuff. I like my stuff. That's why I bought it. We need an educated citizenry that can increase their upward mobility and we need to maintain that while also ensuring that we retain our rights while establishing and maintaining protections for the commons. Most important is the rights of the individual (not the businesses and sure as shit not the government).
"So long and thanks for all the fish."
The criminal mind-set is obviously strong with the FBI. No surprise there.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The moderation on posts like this is why so many people troll here. Agree or disagree with the reasoning, it's not a troll. Modding -1 troll shouldn't be used to mean -1 disagree.
If the police believe they have probable cause to search your property or monitor your communications, they have to go to a judge and present their evidence. There is no defense counsel present for this proceeding; only the police and the judge. If a search warrant is issued, it authorizes the police to search and possibly seize property within the scope of the warrant. In the case of a wiretap, the police can listen to communications relevant to the investigation but don't get to snoop on anything and everything. If the person being searched was present when a warrant was issued, they would have the ability to hide or destroy evidence. This is called obstruction of justice. They don't find out until after the search was executed. In the case of a wiretap, the person whose communications are being tapped isn't told until after the search warrant is completed. Instead of contesting the issuance of the warrant, the search warrant is executed, but the person being searched has the opportunity to contest the warrant afterwards. If a judge finds the warrant was invalid, any evidence obtained is inadmissible in court. This is how it's supposed to work.
There is nothing unusual about not having the defense present in the FISA court when the government seeks authorization for surveillance. That's no different than the process I described above. There are numerous other issues, though, including:
1) There is no probable cause to justify mass surveillance
2) Some of the justification for authorizing search warrants isn't legally sound, i.e., special needs doctrine
3) FISA isn't able to adequately review all the requests they receive for surveillance, so they become a rubber stamp
4) When the person being searched never becomes aware of a search warrant against them, they can't contest whether it's valid or not (especially true for mass surveillance)
5) The judges making these decisions don't understand technology and, therefore, make some strange rulings such as Smith v. Maryland (1979) -- not a FISA ruling, but the criticism applies to FISA, too
6) It may be necessary to keep some search warrants secret for a finite time to protect an investigation and prevent obstruction of justice, but this should be for a limited time, not effectively permanent as many of the FISA warrants allow
7) The entire process can be circumvented with national security letters that are also very difficult to contest (though as of a 2006 law, this is possible)
The FISA court was created in response to abuses of surveillance by the executive branch. They were supposed to prevent this, but instead they've actually expanded surveillance powers. Whether they're worthy of being called a court is up to you, but they're a court in the sense that their rulings are every bit as legally binding as any other court in the US.
Also, I haven't a clue why I inexplicably got a "lameness filter" error with a slightly different last line of this post.
Elections are coming up. Is it an issue worth bringing up? Since it's given that neither democrats or republicans are going to reign them in, what's the plan? There are other choices. Or is everybody just going to treat it like the weather and complain because they can't work an umbrella?
“He’s not deformed, he’s just drunk!”
The Democrats hate him, the Republicans despise him. He won't get much done. A government amusing itself with itself might be a good thing for the citizens. There's that.
"So long and thanks for all the fish."
Amen.
(Useless post to undo accidental bad mod.)
[SHOW SOME LENIENCY TOWARDS
So long as it is a lawful and just warrant then I've no problem with this. I used to be able to say that most libertarians aren't crackpots. Such is no longer true. Today, they're mostly Ayn Rand worshiping Republicans who are too ashamed to admit they're neoconservatives and have opted to co-opt the moniker in hopes that nobody notices. It's our fault for not speaking up against them.
I think you should be able to encrypt all you want and that they should be able to get a warrant to try to break that encryption but that you needn't help them to do so. They can have my mangled and unreadable data if they want it. With enough time and money they're allowed to decrypt it too. I can't wait until they do and find out that it's all just a bunch of saved pictures of lolcats and the occasional lolrus.
pleaz to no decrypt my bukkit! my encypted bukkit!!! nooo!!!
No, really. No lolcats but I do have a few lolrus pics saved. For some reason he amuses the hell out of me.
Wuzza "Lolrus"; "googookatchoo". Same as "I am the Lolcat; yakyakachat" ? No?
I don't usually enjoy most memes but I do like the Lolrus. Here's a good start.
http://knowyourmeme.com/memes/...
"So long and thanks for all the fish."