Digital investigations and Forensics – Page 6

February 22, 2016February 22, 2016

Iphone-as-a-weapon: back to 1991 (or: why you can’t trust commercial grade security)

The Iphone vs FBI quarrel about the “need” of Apple’s support to hack into an Iphone switches back the clock to 1991, when Phil Zimmermann gave PGP to the rest of the world, infringing the US veto on encryption export. So, this Apple vs FBI thing is actually nothing new since the position of the supporter for the two arguments is still the same.

But there is a new perspective, though, that worth to be considered and that wasn’t that spread at Zimmermann’s time: the role of non-for-profit, personal encryption.

A company, like Apple, sooner or later will comply with the disclose/hack support order by a court. It is just matter of finding a way to minimize the sales impact of such compliance.

Open-source, NGO, non-for-profit created encryption, on the contrary, has neither an “owner” nor a “CEO” who can be ordered to do something “nasty”. Furthermore, open-source based encryption already gives “the good guys” all the information they need to break the ciphers that endanger their investigation.

The point, though, is another: the FBI didn’t ask for the Iphone security’s blueprints. They just wanted a “tool” to exploit the gimmick, with no actual need to understand how would it works. And to me this is a nightmare scenario. I might trust a forensic expert who does his job in a lab, but I have some “problem” acknowledging the fact that every single law enforcement agent, with no actual competence, might have such a powerful tool to be used without actual supervision.

Again, we go back in time: who will watch the watchers?

February 17, 2016

Is The IPhone Criminals’ Weapon of Choice?

According to NBC, Apple has been ordered by a federal judge to support the FBI in decrypting the Iphone used by the people accused of having slaughtered 14 people in San Bernardino, California, last December, 2, 2015. The court order has been necessary since Apple refused to voluntarily provide such support.

These are the bare facts, that have been turned into a horse of different colours by? bad-faith anti and pro encryption activist. The former sang the usual song “Strong Encryption Smooths Criminals”(FBI Records), while the latter waged the old flag “Weak Encryption Affects Civil Rights”.

The federal court neither asked for a backdoor nor for the enforcement? of a weaker Iphone security, but just said Apple to support the after-crime investigation. This court order doesn’t hampers people’s legal right to strong encryption, because the justice said something like “you have the right to own a strong safe, but the State has the right to try to open it whatever the mean in case of a criminal investigation”. In this context, then, the fact that Apple has been ordered to provide support to the FBI is not constitutionally illegal.

I still support strong encryption for the masses (and for companies too), but I don’t think that making a case out of this court order might help the civil right cause. It only works as as a (maybe unintended) advertising stunt for Apple that can portray itself as a “privacy shield”.

July 17, 2015

Hacking Team: A Class Action Against Adobe?

After the Hacking Team scandal, everybody and his cousin is calling for a “death sentence” against Adobe Flash, accused of being the “vessel” that allowed Hacking Team’s malware to land on users’ PC and smartphones.

A logical consequence of this ? vulnerability and its exploiting by several malwares, including those made by Hacking Team, would be a class-action against Adobe that, as a matter of fact, released a “bugged-by-design” application.

But this is not going to happens against Adobe, as against the other (big or small) fishes of the software pond. We are much too “programmed” to accept a software fault as an act of God instead of either a mistake or a deliberate marketing choice.

Will things change after the Hacking Team scandal? I don’t think so, thus get ready for the next viral infection, information theft or denial of service: is just business as usual.

July 15, 2015July 15, 2015

Hacking Team: The True Culprit

In 1999 Mark Minasi wrote The Software Conspiracy: Why Companies Put Out Faulty Software, How They Can Hurt You and What You Can Do a book about.

In 2004 Alan Cooper wrote (and I translated the Italian version for Apogeo) The Inmates Are Running the Asylum: Why High Tech Products Drive Us Crazy and How to Restore the Sanity.

There have been, and still are, countless warning about the careless attitude toward security of the software houses’ marketing strategies (take a beta, call it final and release it.)

So, why the “concerned” journalists and activists only blame Hacking Team and Hacking Team-like companies, instead of involving in their outcry those who sold the world a bunch of crappy and vulnerable software?Secure programming and security by design are not “options”: by refusing to incorporate security into the roots of a software project would be like designing a car without worrying about the functionality of the brakes.And now we are facing the consequences.

July 14, 2015

Hacking Team: Silence On The Wire

Sometimes, what isn’t told is more important then what actually is.

None of the Italian mainstream primetime talk shows, usually very fast in arrange a panel of “experts” to help Joe Sixpacks’ audience understanding what’s the fuss, spent a single second with the Hacking Team case. And the news already lost its momentum on the newspapers.

Next week, nobody will ever remember what happened and in a couple of months everything will be back to business as usual…