Not the clearest reporting I've ever read… I need to run this by my iPhone toting students. As I read it, the FBI forced a password change to the iCloud because that let them read all the backups. But the backups stopped back in October. If they could access the iPhone (a different password?) they could turn the backup system on again and the iPhone would send data to the iCloud where they already have access. Am I right in assuming that the iPhone password is not part of the encryption kerfuffle? Or will ten bad tries to unlock the iPhone result in erasing everything? (Not 10 failed attempts to enter the encryption key)
FBI rebuts reports that county reset San Bernardino shooter's iCloud password without consent
The FBI on Saturday rebutted media reports that San Bernardino County technicians acted without the agency’s consent [So, FBI “consent” or insistence? Bob] when they reset the password for the Apple iCloud account belonging to one of the shooters involved in the Dec. 2 terror attack at a county facility that killed 14 people.
… Apple said that in early January it provided four alternatives to access data from the iPhone besides the controversial method the FBI is now proposing.
But one of the most encouraging options was ruled out after the phone’s owner – Farook’s employer, the San Bernardino County Public Health Department – reset the password to his iCloud account in order to access data from the backup, according to Apple officials.
That means the iCloud password on the iPhone itself is now wrong, and it won’t back up unless someone can get past the phone’s passcode and change it. [Not if backup is turned off. Bob]
… When iCloud is enabled, iPhones automatically sync with the cloud if they are charging and are connected to a familiar Wi-Fi network.
Had there been no reset on the iCloud password, investigators may have been able to get a more updated backup of Farook's iPhone without any need to unlock the device itself. [I don't see how that would work. Bob]
… Federal prosecutors wrote in court filings Friday that the reset by the phone’s “owner” took place “in the hours after the attack,” and an Apple executive later said it occurred within 24 hours.
But the FBI said in its statement Saturday that agents worked with San Bernardino County technicians to reset Farook’s password on Dec. 6 – four days later – because “the county owned the account and was able to reset the password in order to provide immediate access to the iCloud back up data.”
… Prosecutors still contend that unlocking the iPhone is crucial because some data does not sync to iCloud. They said the FBI has retrieved Farook’s iCloud backups up to Oct. 19, about six weeks before the attack, and an FBI affidavit suggested that Farook deliberately disabled the sync feature.
(Related) But don't take my word for it…
On FBI’s Interference with iCloud Backups
In a letter emailed from FBI Press Relations in the Los Angeles Field Office, the FBI admitted to performing a reckless and forensically unsound password change that they acknowledge interfered with Apple’s attempts to re-connect Farook’s iCloud backup service.
… This statement has only one of two possible outcomes:
FBI will Compel More Assistance, and mislead the courts:
… FBI must clarify which of these two meanings their letter had. Either the FBI has recklessly interfered with the processing of evidence OR FBI has misled the courts on the amount and the nature of assistance required by Apple under the All Writs Act.
Would Apple's encryption be “reasonable?”
I’ve previously posted a link to a report by the California Attorney General on breaches in California and recommendations, but I like that this post by Hunton & Williams focuses on how the recommendations relate to “reasonable security:”
Importantly, the Report states that, “[t]he failure to implement all the [Center for Internet Security’s Critical Security] Controls that apply to an organization’s environment constitutes a lack of reasonable security” under California’s information security statute. Cal. Civ. Code § 1798.81.5(b) requires that “[a] business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
You can read the rest of their post here, but I want to pull out one part of their summary of the recommendations:
Organizations, particularly in the health care industry, should consistently use strong encryption to protect personal information on laptops and other portable devices, and should consider it for desktop computers.
So even though HIPAA doesn’t require encryption, if you are not using strong encryption, you might be running afoul of California’s law (even though it’s a “should” and not “shall”). And this is where state attorneys general may have a significant role to play in privacy enforcement, as Danielle Citron argues in her new paper.
This should be interesting. I hope to learn lots from whatever leaks in court.
Judge Rules FBI Must Reveal Malware It Used to Hack Over 1,000 Computers
On Wednesday, a judge ruled that defense lawyers in an FBI child pornography case must be provided with all of the code used to hack their client's computer.
When asked whether the code would include the exploit used to bypass the security features of the Tor Browser, Colin Fieman, a federal public defender working on the case, told Motherboard in an email, simply, “Everything.”
… The case has drawn widespread attention from civil liberties activists because, from all accounts, one warrant was used to hack the computers of unknown suspects all over the world. On top of this, the defense has argued that because the FBI kept the dark web site running in order to deploy the NIT, the agency, in effect, distributed child pornography. Last month, a judge ruled that the FBI’s actions did not constitute “outrageous conduct.”
Perspective. Unlikely to replace thumb drives soon.
'Five-dimensional' glass discs can store data for up to 13.8 billion years
… Scientists from the University of Southampton in the UK have created a new data format that encodes information in tiny nanostructures in glass. A standard-sized disc can store around 360 terabytes of data, with an estimated lifespan of up to 13.8 billion years even at temperatures of 190°C.
Not clear how this works, but it makes great campaign fodder.
DOJ ends probe of utility over IT replacements; no charges filed
… About 500 IT workers at SCE were cut, mostly through a layoff. Some of the IT workers complained of having to train foreign replacements on an H-1B visa to remain eligible for a severance package.
… The cuts followed a decision by the utility to hire Infosys and Tata Consultancy Services to take over some of its IT work. Both firms are major users of visa workers.
(Related)
Sen. Blumenthal demands lifting of IT 'gag' order
… Approximately 200 IT workers at Northeast Utilities (now called Eversource Energy) lost their jobs in 2014.