Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

April 12, 2016

Anonymous Chat Service

Filed under: Cybersecurity,Encryption,Government,Privacy,Security,Tor — Patrick Durusau @ 7:43 pm

From the description:

The continued effort of governments around the globe to censor our seven sovereign seas has not gone unnoticed. This is why we, once again, raise our Anonymous battle flags to expose their corruption and disrupt their surveillance operations. We are proud to present our new chat service residing within the remote island coves of the deep dark web. The OnionIRC network is designed to allow for full anonymity and we welcome any and all to use it as a hub for anonymous operations, general free speech use, or any project or group concerned about privacy and security looking to build a strong community. We also intend to strengthen our ranks and arm the current and coming generations of internet activists with education. Our plan is to provide virtual classrooms where, on a scheduled basis, ‘teachers’ can give lessons on any number of subjects. This includes, but is not limited to: security culture, various hacking/technical tutorials, history lessons, and promoting how to properly utilize encryption and anonymity software. As always, we do not wish for anyone to rely on our signal alone. As such, we will also be generating comprehensible documentation and instructions on how to create your own Tor hidden-service chat network in order to keep the movement decentralized. Hackers, activists, artists and internet citizens, join us in a collective effort to defend the internet and our privacy.

Come aboard or walk the plank.

We are Anonymous,
we’ve been expecting you.

Protip: This is not a website, it’s an IRC chat server. You must use an IRC chat client to connect. You cannot connect simply through a browser.

Some popular IRC clients are: irssi, weechat, hexchat, mIRC, & many more https://en.wikipedia.org/wiki/Compari…

Here is an example guide for connecting with Hexchat: https://ghostbin.com/paste/uq7bt/raw

To access our IRC network you must be connecting through the Tor network! https://www.torproject.org/

Either download the Tor browser or install the Tor daemon, then configure your IRC client’s proxy settings to pass through Tor or ‘torify’ your client depending on your setup.

If you are connecting to Tor with the Tor browser, keep in mind that the Tor browser must be open & running for you to pass your IRC client through Tor.

How you configure your client to pass through Tor will vary depending on the client.

Hostname: onionirchubx5363.onion

Port: 6667

No SSL, but don’t worry! Tor connections to hidden-services are end-to-end encrypted already! Thank you based hidden-service gods!

In the near future we will be releasing some more extensive client-specific guides and how-to properly setup Tor for transparent proxying (https://trac.torproject.org/projects/…) & best use cases.

This is excellent news!

With more good news promised in the near future (watch the video).

Go dark, go very dark!

April 9, 2016

Weekend Hacking Target: Modems

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:26 am

If you’re not buried in the Lucene/Solr 6.0 release, you may be interested in weekend hacking practice.

Swati Khandelwal reports on an easy hack of cable modems in No Password Required! 135 Million Modems Open to Remote Factory Reset.

From the post:

More than 135 Million modems around the world are vulnerable to a flaw that can be exploited remotely to knock them offline by cutting off the Internet access.

The simple and easily exploitable vulnerability has been uncovered in one of the most popular and widely-used cable modems, the Arris SURFboard SB6141, used in millions of US households.

Security researcher David Longenecker discovered a loophole that made these modems vulnerable to unauthenticated reboot attacks. He also released his “exploit” after Arris (formerly Motorola) stopped responding to him despite a responsible disclosure.

The Bug is quite silly: No Username and Password Protection.

See Swati’s post for the details on the hack.

Before you go looking for wifi hotspots and vulnerable modems, remember that hacking law enforcement, other government agencies, or indeed any modem/network may be criminal activity.

As I have pointed out before, legal liability for vendors is the answer to this type of defect. It has worked in other areas of products liability and there is no reason why it could not work for computer software/hardware.

Good hunting!

April 8, 2016

Has Adobe Flash Ever Been Secure?

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:34 am

Paul Ducklin’s piece on the latest Adobe Flash 0-day vulnerability, Adobe ships 0-day patch for Flash – get it while it’s hot!, prompts me to ask:

Has Adobe Flash Ever Been Secure?

As of today, the National Vulnerability Database, searching on Adobe Flash produces 797 “hits.”

CVE, using Adobe Flash as the search string, produces 799 “hits.”

Finding the periods, if any, where Flash has been secure, would be a much shorter listing.

In lieu of such a list, however, I have to also ask:

Why are you using Flash to deliver or consume content?

Adobe Flash is a major security problem.

Patching Flash isn’t the solution.

Deleting Flash is.

There is an unfortunate amount of content delivered using Flash.

My solution? No content is worth Adobe Flash vulnerabilities. Ask the content provider to supply content in another format.

April 5, 2016

Linux System Calls – Linux/Mac/Windows

Filed under: Cybersecurity,Linux OS,Security — Patrick Durusau @ 3:44 pm

Well, not quite yet but closer than it has been in the past!

The Definitive Guide to Linux System Calls.

From the post:

This blog post explains how Linux programs call functions in the Linux kernel.

It will outline several different methods of making system calls, how to handcraft your own assembly to make system calls (examples included), kernel entry points into system calls, kernel exit points from system calls, glibc wrappers, bugs, and much, much more.

The only downside of the movement towards Linux is that its kernel, etc., will get much heavier scrutiny than in the past.

In the past, why bother with stronger code in a smaller market share?

Move Linux into a much larger market share, we may get to see if “…to many eyes all bugs are shallow.”

As an empirical matter, not just cant.
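The layers the guide describes (handcrafted assembly, the generic syscall(2) wrapper, and what a glibc wrapper adds on top) side by side, as an added example that is not code from the guide or its author: one write(2) call issued through each layer, with the raw kernel return convention (-errno in rax) that the wrappers hide. It assumes Linux; the inline assembly is x86-64 only and falls back to syscall(2) on other architectures.

```c
/* Added example, not code from the guide being discussed: one write(2)
 * system call issued through the layers the guide describes. Assumes Linux;
 * the handcrafted assembly path is x86-64 only and falls back to glibc's
 * generic syscall(2) wrapper on other architectures. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Lowest layer: the kernel entry point itself. On x86-64 the syscall number
 * goes in rax and the first three arguments in rdi, rsi, rdx; the `syscall`
 * instruction clobbers rcx and r11 and leaves the result in rax. The kernel
 * signals failure by returning -errno in rax; nothing sets the errno
 * variable at this level. */
static long raw_syscall3(long nr, long a1, long a2, long a3)
{
#if defined(__x86_64__) && defined(__linux__)
    long ret;
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(nr), "D"(a1), "S"(a2), "d"(a3)
                      : "rcx", "r11", "memory");
    return ret;
#else
    /* Fallback: syscall(2) already converts -errno to -1 plus errno,
     * so undo that to keep the raw kernel convention. */
    long ret = syscall(nr, a1, a2, a3);
    return ret == -1 ? -errno : ret;
#endif
}

/* Middle layer: what every glibc wrapper does after the kernel returns.
 * Values in [-4095, -1] are error codes; translate them to -1 and errno. */
static long checked_syscall3(long nr, long a1, long a2, long a3)
{
    long ret = raw_syscall3(nr, a1, a2, a3);
    if (ret < 0 && ret > -4096) {
        errno = (int)-ret;
        return -1;
    }
    return ret;
}

/* Handcrafted write(2): returns bytes written, or -errno on failure. */
long raw_write(int fd, const char *buf, size_t len)
{
    return raw_syscall3(SYS_write, fd, (long)buf, (long)len);
}

/* Send a message through a pipe with the raw write and read it back with
 * the ordinary glibc read(); returns 1 when the bytes match exactly. */
int pipe_roundtrip(const char *msg)
{
    int fds[2];
    char buf[128];
    size_t len = strlen(msg);
    if (len >= sizeof buf || pipe(fds) != 0)
        return 0;
    long n = raw_write(fds[1], msg, len);
    close(fds[1]);
    ssize_t got = read(fds[0], buf, sizeof buf - 1);
    close(fds[0]);
    if (n < 0 || got < 0 || (size_t)n != len || (size_t)got != len)
        return 0;
    buf[got] = '\0';
    return strcmp(buf, msg) == 0;
}

/* The error path is where handcrafted calls go wrong: the raw result is the
 * negative errno value itself (here -EBADF), not -1. A caller that tests
 * only for -1, as one would after a glibc wrapper, silently treats -9 as
 * success. */
long raw_write_bad_fd(void)
{
    return raw_write(-1, "x", 1);
}

long checked_write_bad_fd(void)
{
    return checked_syscall3(SYS_write, -1, (long)"x", 1);
}

int errno_after_checked(void)
{
    checked_write_bad_fd();
    return errno;
}

int main(void)
{
    long raw = raw_write_bad_fd();
    long checked = checked_write_bad_fd();
    int err = errno;
    printf("pipe round trip ok: %d\n", pipe_roundtrip("hello, kernel"));
    printf("raw write to fd -1: %ld   checked: %ld, errno %d (EBADF = %d)\n",
           raw, checked, err, EBADF);
    return 0;
}
```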

April 4, 2016

SQL Injection Cheat Sheet

Filed under: Cybersecurity,Security — Patrick Durusau @ 10:16 am

SQL Injection Cheat Sheet

From the webpage:

An SQL injection cheat sheet is a resource in which you can find detailed technical information about the many different variants of the SQL Injection vulnerability. This cheat sheet is a good reference for both seasoned penetration testers and those who are just getting started in web application security.

If you are interested in helping government agencies or corporations locate insecure web applications, this cheat sheet will come in handy.

For governments remember that older, unpatched databases are the rule rather than the exception.

April 2, 2016

State Visa Breach – ISIS To Hack State

Filed under: Cybersecurity,Security — Patrick Durusau @ 1:31 pm

Mike Levine and Justin Fishel report yet more vulnerabilities in government databases in Security Gaps Found in Massive Visa Database.

From the post:

Cyber-defense experts found security gaps in a State Department system that could have allowed hackers to doctor visa applications or pilfer sensitive data from the half-billion records on file, according to several sources familiar with the matter – though defenders of the agency downplayed the threat and said the vulnerabilities would be difficult to exploit.

Briefed to high-level officials across government, the discovery that visa-related records were potentially vulnerable to illicit changes sparked concern because foreign nations are relentlessly looking for ways to plant spies inside the United States, and terrorist groups like ISIS have expressed their desire to exploit the U.S. visa system, sources added.

That sounds serious so I was doing due diligence, ho-humming through the report when I ran across this explanation for why this isn’t serious:


CCD allows authorized users to submit notes and recommendations directly into applicants’ files. But to alter visa applications or other visa-related information, hackers would have to obtain “the right level of permissions” within the system – no easy task, according to State Department officials.

Hmmmm, ‘…”the right level of permissions” within the system…’

I’m sorry, do they mean like root? 😉

Levine and Fishel aren’t specific about the vulnerabilities, but there are public reports to point you in the right direction:

Audit of Department of State Information Security Program

November 2012 https://oig.state.gov/system/files/202261.pdf

November 2013 https://oig.state.gov/system/files/220933.pdf

October 2014 https://oig.state.gov/system/files/aud-it-15-17.pdf

November 2015 https://oig.state.gov/system/files/aud-it-16-16.pdf

Management Assistance Report: Department of State Incident Response and Reporting Program

February 2016 https://oig.state.gov/system/files/aud-it-16-26.pdf

With redactions you will have to work backwards from FISMA, OMB, and NIST requirements and vulnerabilities discovered in other governmental systems.

The sort of mosaic work at which topic maps excel.


As far as ISIS hacking the visa system, you can imagine the conversation at ISIS HQ:

Speaker 1: I want to volunteer for mission X in the United States.

Speaker 2: Do you have a valid US Visa?

Speaker 1: No, it was denied.

Speaker 2: Sorry, this mission is for holders of valid US visas only. Apply for another mission.

Right. Speaker 1 is volunteering for a mission that may result in the deaths of hundreds, possibly even themselves, but they are stopped from visiting the US for lack of a valid visa.

Does that strike you as an odd juxtaposition of concerns?

If you can’t think of non-visa controlled ways to enter the United States, you are too dumb to be a jihadist or to be defending against them.

March 30, 2016

Walking the Walk on Privacy

Filed under: Government,Privacy,Security — Patrick Durusau @ 4:26 pm

Many people grumble about government surveillance but how many do you know who have taken concrete steps to combat that surveillance?

That many. Huh.

Sounds like government surveillance has and will maintain the upper hand.

Unless, the people under surveillance organize to do something about it.

The Electronic Freedom Foundation (EFF) is organizing an effort to enable you, yes you, to do exactly that!

California Surveillance Sweep

From the post:

Join EFF on Saturday, April 9 for a first-of-its-kind crowdsourcing campaign to hold California law enforcement agencies accountable for their use of surveillance technologies.

Volunteers like you will help us track down the privacy and usage policies of law enforcement agencies across California and add them to our database. We’ll show you how to do it, and you can be anywhere with an Internet connection to participate.

What: California Surveillance Sweep

Date: Saturday, April 9

Time: 12 pm – 4 pm PT

Where: Anywhere (virtual participation); San Francisco (details TBD)

I bitch as much about privacy as anyone and have any number of unsound suggestions in that regard.

This effort by the EFF is a low-risk effort to hoist the surveillance state on its own laws.

Given the propensity for national law enforcement to lie I’m not betting on state and local law enforcement being any more truthful.

Still, you can’t say you haven’t exhausted all traditional remedies unless you have.

I signed up.

Are you?

March 20, 2016

How-To Maintain Project Delivery Dates – Skip Critical Testing

Filed under: Programming,Project Management,Security — Patrick Durusau @ 4:25 pm

David William documents a tried and true way to maintain a project schedule, skip critical testing in: Pentagon skips tests on key component of U.S.-based missile defense system.

How critical?

Here’s part of David’s description:

Against the advice of its own panel of outside experts, the U.S. Missile Defense Agency is forgoing tests meant to ensure that a critical component of the nation’s homeland missile defense system will work as intended.

The tests that are being skipped would evaluate the reliability of small motors designed to help keep rocket interceptors on course as they fly toward incoming warheads.

The components, called alternate divert thrusters, are vital to the high-precision guidance required to intercept and destroy an enemy warhead traveling at supersonic speed – a feat likened to hitting one speeding bullet with another.

The interceptors, deployed in underground silos at Vandenberg Air Force Base in Santa Barbara County and at Ft. Greely, Alaska, are the backbone of the Ground-based Midcourse Defense system (GMD) – the nation’s main defense against a sneak attack by North Korea or Iran.

Hmmm, hitting a supersonic target with a supersonic bullet and you don’t test the aiming mechanism that makes them collide?

How critical does that sound?

The consequences of failure, assuming the entire program isn’t welfare for the contractors and their employees, could be a nuke landing on the West Coast of the United States.

Does that make it sound more critical?

Or do we need to guess which city? Los Angeles, San Diego, would increase property values in San Jose so there would be an off-set to take into account.

Here’s my advice: Don’t ever skip critical testing or continue to participate in a project that skips critical testing. Walk away.

Not quietly, tell everyone you know of the skipped testing. NDAs be damned.

No one is well served by skipped testing.

A lack of testing has led to the broken Internet of Things.

Is that what you want?

Hiring Ethics: Current Skills versus 10 Years Out of Date – Your Call

Filed under: Cybersecurity,Ethics,Security — Patrick Durusau @ 3:47 pm

Cyber-security ethics: the ex-hacker employment conundrum by Davey Winder.

From the post:

Secure Trading, a payments and cyber-security group, has announced that it has appointed Mustafa Al Bassam as a security advisor on the company’s technology and services, including a new blockchain research project. Al Bassam, however, is perhaps better known as Tflow, a former core member of the LulzSec hacker group.

According to Wikipedia, Tflow played an integral part in the Anonymous operation that hacked the HBGaryFederal servers in 2011, and leaked more than 70,000 private emails.

As director of a team that includes ethical hackers, Trustwave’s Lawrence Munro says he would “never knowingly hire someone with a criminal record, especially if their record included breaches of the Computer Misuse Act.” Munro reckons such a thing would be a red flag for him, and while it “may seem draconian to omit individuals who are open about their past brushes with the law” it’s simply not worth the risk when there are white hats available.

The most common figure I remember is that the black hats are ahead by about a decade in the cybersecurity race.

There’s an ethical dilemma: you can hire up to ten years out of date white hats or you can hire cutting edge black hat talent.

Hired “yeses” about your security or the security of your clients don’t impact the ability of others to hack those systems.

Are you going to hire “yes” talent or the best talent?

March 19, 2016

LANGSEC: Taming the Weird Machines (Subject Identities in Code/Data)

Filed under: Cybersecurity,Functional Programming,Programming,Security — Patrick Durusau @ 4:48 pm

LANGSEC: Taming the Weird Machines by Jacob Torrey.

From the post:

Introduction

I want to get some of my opinions on the current state of computer security out there, but first I want to highlight some of the most exciting, and in my views, promising recent developments in security: language-theoretic security (LangSec). Feel free to skip the next few paragraphs of background if you are familiar with the concepts to get to my analysis, otherwise, buckle up for a little ride!

Background

If I were to distill the core of the LangSec movement into a single thesis it would be this: The complexity of our computing systems (both software and hardware) has reached such a degree that data must be treated as formally as code. A concrete example of this is return-oriented programming (ROP), where instead of executing shellcode loaded into memory by the attacker, a number of gadgets are found in existing code (such as libc) and their addresses chained together on the stack, and as the ret instruction is repeatedly called, the semantics of the gadgets are executed. This hybrid execution environment of using existing code and driving it with a buffer-overflow of data is one example of a weird machine.

Such weird machines crop up in many sorts of places: viz. the Intel x86 MMU that has been shown to be Turing-complete, the meta-data of ELF executable files that can drive execution in the loading & dynamic-linking stage, etc… This highlights the fact that data can be treated as instructions or code on these weird machines, much like Java byte-code is data to an x86 CPU, it is interpreted as code by the JVM. The JVM is a formal, explicit machine, much like the x86 CPU; weird machines on the other hand are ad hoc, implicit and generally not intentionally created. Many exploits are simply shellcode developed for a weird machine instead of the native CPU.

The “…data must be formally treated as code…” caught my eye as the reverse of “…code-as-data…,” which is a characteristic of Lisp and Clojure.

From a topic map/subject identity perspective, the problem is accepting implied subject identities and therefore implied properties and associations.

Being “implied” and not “explicit,” the interaction of subjects can change when someone, perhaps a hacker (or a fat-fingered user), supplies values that fall within the range of implied subject identities, properties, or associations.

Implied subject identities, properties, or associations, in code or data, reside in the minds of programmers, making detection well nigh impossible. At least prior to some hacker discovering an implied subject identity, property or association.

Avoiding implied subject identities, properties and associations will require work, loathsome to all programmers, but making subject identities explicit, enumerating their properties and allowed associations, in code and data, is a countable activity.

Having made subject identities explicit, capturing those results in code makes software based on those explicit subject identities more robust. You won’t be piling implied subject identities on top of implied subject identities, or in plainer English, you won’t be writing cybersecurity software.

PS: Using a subject identity discipline does not mean you must document all of your code using XTM. You could but DSLs designed for your code/data may be more efficient.

March 18, 2016

Sex Toy Privacy Incentive For A Safer IoT?

Filed under: Cybersecurity,IoT - Internet of Things,Security — Patrick Durusau @ 8:51 pm

Will sex toys provide the incentive for a safer Internet of Things (IoT)?

Robert Abel reports in Bad vibes: Researcher hacks sex toy on a live demonstration of a hack on a sex toy.

Robert also reports that no user personal information was disclosed by this particular hack; the same may not be true for all IoT sex toys or hacks.

Is sex toy privacy enough of an incentive for better IoT security? 😉

March 14, 2016

You Can Help Increase Frustration at the FBI, Yes! You!

Filed under: Cryptography,Cybersecurity,FBI,Government,Security — Patrick Durusau @ 1:17 pm

Skype co-founder launches ultra-private messaging, with video by Eric Auchard.

From the post:

A group of former Skype technologists, backed by the co-founder of the messaging platform, has introduced a new version of its own messaging service that promises end-to-end encryption for all conversations, including by video.

Wire, a 50-person start-up mostly made up of engineers, is stepping into a global political debate over encryption that pits privacy against security advocates, epitomized by the standoff between the U.S. government and Apple.

The company said on Thursday it was adding video calling to a package of private communications services that go beyond existing messaging providers.

See the post and/or check out new service: https://wire.com/privacy/

From the homepage of Wire:

Our personal and professional data is at the center of a new economy. The information we share on social networks, via email, and messaging services is being used to build profiles. These profiles are in turn used to sell us products and services through targeted advertising and suggestion. The data collected is vast, detailed, and often very personal. Vast resources are being spent to refine the profiles, all without transparency, policy or oversight.

Our personal and professional online communications should not be part of this economy. In the physical world we talk with each other directly. We can lower our voices or close a door to share private thoughts. In the online world we should be able to communicate directly without passing our private communications through these corporate data mines.

Wire is different.

You will also find this FBI heartburn product comparison matrix, suitable for framing, to let everyone know you are serious about security:

[Image: Wire product comparison matrix]

There’s a web version of the service so I don’t have to buy a phone just to use it and/or annoy the FBI.

I’m signed up.

What about you?

FAQ: Why the emphasis on annoying the FBI?

Good question!

During my lifetime the FBI has illegally spied on civil rights leaders and organizations, the same for anti-war movements and virtually every other departure from the “norm.”

The more ordinary folks annoy the FBI, the less time and resources it has to conduct illegal operations against other citizens.

It won’t stop the FBI any more than being covered with 10,000 fleas would prevent you from driving. It would make driving, however, a very unpleasant experience.

Enlist to Fight in Crypto Wars 2.0

Filed under: Cryptography,Cybersecurity,Government,Security — Patrick Durusau @ 8:05 am

Nat Cardozo writes in The Next Front in the New Crypto Wars: WhatsApp:

From the post:

In Saturday’s edition of the New York Times, Matt Apuzzo reports that the Department of Justice is locked in a “prolonged standoff” with WhatsApp. The government is frustrated by its lack of real-time access to messages protected by the company’s end-to-end encryption. The story may represent a disturbing preview of the next front in the FBI’s war against encryption.

I’m sure the government is “frustrated” by its lack of access to messages, but end-to-end encryption was possible long before WhatsApp. Anyone using PGP with email has been able to achieve end-to-end encryption for years.

The real difference: WhatsApp makes encryption convenient for users.

If you want to fight on the side of privacy, make encryption for your app as secure and convenient as possible.

Inconvenient encryption will not be used, and the result is clear text streams and speech.

You can increase the level of frustration in governments around the world by engineering convenient and strong encryption.

Opportunities to afflict governments around the globe don’t come up very often.

Step up and take this one.

March 12, 2016

Obama’s Magic Pony Transcript

Filed under: Cryptography,Cybersecurity,Security — Patrick Durusau @ 9:19 pm

If you are going to write about President Obama’s magic pony speech on encryption, this transcript, courtesy of Philip Elmer-DeWitt, Here’s What Obama Said at SXSW About Apple vs. FBI.

I think your options are to believe that President Obama is so poorly informed by his technical advisers that he doesn’t understand the encryption issue and/or that he understands the issue and is simply lying.

I don’t see a third option.

Do you?

Wait until he is in an ambulance, then we’ll get him…

Filed under: Cybersecurity,IoT - Internet of Things,Security — Patrick Durusau @ 3:59 pm

The Facts Are In: Ambulances vulnerable to hackers

From the post:

Reports from multiple sources lead to a horrible conclusion. Almost all ambulances are vulnerable to hacking.

There are many compelling reasons for ambulances to be connected and computerized. Emergency responders can take advantage of connectivity to learn more about patients and use that info to deliver better emergency care. And patient status can be communicated to emergency rooms to better prepare for response. This is a life-saving capability.

But you can tell what can go wrong, right?

The Threat Brief calls out three reports that all reach the same conclusion: ambulances can be hacked.

The details remain an exercise for readers but that is likely just a matter of time.

Easy to imagine an online vulnerability store where you enter year, make/model and you are supplied with the latest hacks for that vehicle.

I wonder if the DARPA Improv competition will have many of these?

March 5, 2016

Data Mining Patterns in Crossword Puzzles [Patterns in Redaction?]

Filed under: Crossword Puzzle,Data Mining,Pattern Matching,Pattern Recognition,Security — Patrick Durusau @ 12:06 pm

A Plagiarism Scandal Is Unfolding In The Crossword World by Oliver Roeder.

From the post:

A group of eagle-eyed puzzlers, using digital tools, has uncovered a pattern of copying in the professional crossword-puzzle world that has led to accusations of plagiarism and false identity.

Since 1999, Timothy Parker, editor of one of the nation’s most widely syndicated crosswords, has edited more than 60 individual puzzles that copy elements from New York Times puzzles, often with pseudonyms for bylines, a new database has helped reveal. The puzzles in question repeated themes, answers, grids and clues from Times puzzles published years earlier. Hundreds more of the puzzles edited by Parker are nearly verbatim copies of previous puzzles that Parker also edited. Most of those have been republished under fake author names.

Nearly all this replication was found in two crosswords series edited by Parker: the USA Today Crossword and the syndicated Universal Crossword. (The copyright to both puzzles is held by Universal Uclick, which grew out of the former Universal Press Syndicate and calls itself “the leading distributor of daily puzzle and word games.”) USA Today is one of the country’s highest-circulation newspapers, and the Universal Crossword is syndicated to hundreds of newspapers and websites.

On Friday, a publicity coordinator for Universal Uclick, Julie Halper, said the company declined to comment on the allegations. FiveThirtyEight reached out to USA Today for comment several times but received no response.

Oliver does a great job setting up the background on crossword puzzles and exploring the data that underlies this story. A must read if you are interested in crossword puzzles or know someone who is.

I was more taken with “how” the patterns were mined, which Oliver also covers:


Tausig discovered this with the help of the newly assembled database of crossword puzzles created by Saul Pwanson (Pwanson changed his legal name from Paul Swanson), a software engineer. Pwanson wrote the code that identified the similar puzzles and published a list of them on his website, along with code for the project on GitHub. The puzzle database is the result of Pwanson’s own Web-scraping of about 30,000 puzzles and the addition of a separate digital collection of puzzles that has been maintained by solver Barry Haldiman since 1999. Pwanson’s database now holds nearly 52,000 crossword puzzles, and Pwanson’s website lists all the puzzle pairs that have a similarity score of at least 25 percent.

The .xd futureproof crossword format page reads in part:

.xd is a corpus-oriented format, modeled after the simplicity and intuitiveness of the markdown format. It supports 99.99% of published crosswords, and is intended to be convenient for bulk analysis of crosswords by both humans and machines, from the present and into the future.

My first thought was of mining patterns in government redacted reports.

My second thought was that an ASCII format that specifies line length (to allow for varying font sizes) in characters, plus line breaks and lines composed of characters, whitespace and markouts as single characters should fit the bill. Yes?

Surely such a format exists now, yes? Pointers please!

There are those who merit protection by redacted documents, but children are more often victimized by spy agencies than employed by them.

March 3, 2016

EFF On First Amendment, Apple, All Writs Act

Filed under: Cybersecurity,Government,Law,Security — Patrick Durusau @ 8:30 pm

Deep Dive: Why Forcing Apple to Write and Sign Code Violates the First Amendment by Andrew Crocker and Jamie Williams.

From the post:

EFF filed an amicus brief today in support of Apple’s fight against a court order compelling the company to create specific software to enable the government to break into an iPhone. The brief is written on behalf of 46 prominent technologists, security researchers, and cryptographers who develop and rely on secure technologies and services that are central to modern life. It explains that the court’s unprecedented order would violate Apple’s First Amendment rights. That’s because the right to free speech prohibits the government from compelling unwilling speakers to speak, and the act of writing and, importantly, signing computer code is a form of protected speech. So by forcing Apple to write and sign an update to undermine the security of its iOS software, the court is also compelling Apple to speak—in violation of the First Amendment. (emphasis in original)

Despite my mentioning A Readers’ Guide to the Apple All Writs Act Cases earlier today, I wanted to call the EFF amicus brief out separately.

Its strong defense of Apple solely on First Amendment grounds merits special mention.

Enabling the government to compel speech, for any reason, should be resisted in courts, in the streets and in refusing to speak.

Or as one of my least favorite people in history once put it:

[Image: wartime stamp, “Ni shagu nazad!”]

(Not one step back)

Yes, it is really that important.

A Readers’ Guide to the Apple All Writs Act Cases

Filed under: Cybersecurity,Government,Law,Security — Patrick Durusau @ 3:54 pm

A Readers’ Guide to the Apple All Writs Act Cases

From the post:

The last few weeks and months have been awash in media coverage of two cases before magistrate judges involving the federal government seeking to use the All Writs Act to compel Apple’s cooperation with ongoing criminal investigations. The older case, in the Eastern District of New York, involves a drug case where the phone’s owner has pleaded guilty to the charges against him. The more recent case, in the Central District of California, involves an iPhone used by Syed Farook, one of the alleged San Bernardino shooters. While the two cases involve different phone models, operating systems, alleged crimes, and legal postures, they touch on similar questions related to the scope of the All Writs Act.

In an attempt to create a one-stop shop for our coverage and the related documents and some useful sources, we’ve compiled this readers’ guide. We will update it as the cases progress to include the latest filings and posts, so check back for more as things unfold.

Just Security has started a “one-stop shop” for its coverage and official documents in the Apple All Writs Act cases.

Considering how seldom news sources point to rulings, briefs, etc., this will get a lot of hits in the coming months.

It does not include coverage from other professional sources, such as LawFare – Hard National Security Choices. Two items by Robert Chesney from LawFare that you may find of interest:

A Primer on Apple’s Brief in the San Bernardino iPhone Fight

Apple v. FBI Primer #2: On Judge Orenstein’s Ruling in the Queens Meth Case

If anyone has collected the professional legal commentary sites posting on the Apple All Writs Act cases, I would appreciate a pointer.

March 2, 2016

Justifying the Investigatory Powers Bill – Despite a Lack of Evidence

Filed under: Government,Security — Patrick Durusau @ 8:45 pm

In UK Parliament Reports on the Draft Investigatory Powers Bill, I pointed to a number of UK Parliament reports that leave little doubt about the excesses of the proposed Investigatory Powers Bill.

Undeterred by those objections, the UK government pressed ahead with reams of poor writing to distract citizens from the lack of justification for any of the powers in the proposed Investigatory Powers Bill.

Here are links to the latest effort at obfuscation:

Investigatory Powers Bill 2015-16 – The cancer on the body politic in question. (258 pages)

Overarching Documents:

Investigatory Powers Bill: government response to pre-legislative scrutiny (web) Ref: ISBN 9781474129541, Cm 9219, same document but for printing: Investigatory Powers Bill: government response to pre-legislative scrutiny (print) Ref: ISBN 9781474129534, Cm 9219 (102 pages)

Operational case for bulk powers (47 pages)

Operational case for the retention of internet connection records (31 pages)

Comparison of internet connection records in the Investigatory Powers Bill with Danish internet session logging legislation (8 pages)

Delegated powers and regulatory reform committee: memorandum by the Home Office (31 pages)

Investigatory Powers Bill: codes of practice

National security notices: draft code of practice (19 pages)

Interception of communications: draft code of practice (101 pages)

Security and intelligence agencies’ retention and use of bulk personal datasets: draft code of practice (38 pages)

Equipment interference: draft code of practice (83 pages)

Communications data: draft code of practice (118 pages)

Bulk acquisition: draft code of practice (50 pages)

A grand total of 886 pages, none of which is relevant without a justification for the powers sought.

I used to think the British educational system was the best in the world, bar none, but this batch of documents may force me to rethink that assessment.

For example:

The Operational case for bulk powers reports on the need for cyber security (page 16):


4.14. The cyber security of the UK is of growing importance to our national security, economy and society. The levels of cyber-attacks by criminals and hostile states have grown considerably; the number of nationally-significant cyber incidents dealt with by the security and intelligence agencies, for example, doubled between 2014 and 2015. Terrorists are increasingly seeking cyber capabilities in order to threaten the critical national infrastructure of the UK. The scale of the challenge is daunting: one recent cybercrime attack alone infected around 150,000 users in the UK.

4.15. The scale of the internet limits the utility of targeted powers and makes bulk capabilities critical to the UK’s efforts to detect and defend against such attacks. 95% of the cyber-attacks on the UK detected by the security and intelligence agencies over the last six months were only discovered through the collection and analysis of bulk data. These have included numerous attacks against government networks and every major UK commercial sector. The security and intelligence agencies routinely share this unique intelligence with their partners in UK industry, enabling them to protect their businesses and customers from cyber-attacks.

I was quite amazed to learn users can be infected by cyber attacks:

The scale of the challenge is daunting: one recent cybercrime attack alone infected around 150,000 users in the UK.

It’s a good thing the UK still has the National Health Service. 😉

I could have sworn that computer systems and not people were infected by cybercrime. But that’s unlikely to be what the authors meant. Making it sound like people were being injured creates a sense of urgency.

Along the same lines, consider that 95% of cyber-attacks go unnoticed, save for bulk data collection:

95% of the cyber-attacks on the UK detected by the security and intelligence agencies over the last six months were only discovered through the collection and analysis of bulk data.

If 95% of cyber-attacks are so trivial and non-threatening that victims are unaware of the attacks, where is the sense of urgency?

I concede that being charged with making a case out of non-existent evidence is a challenge to any writer. I offer this collection of documents as proof of that proposition.

Best wishes to everyone in the UK who is trying to stop this slide into madness.

‘Hack The Pentagon’ Bug Bounty Program (Have a good idea, then f*ck it up)

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 3:53 pm

U.S. Announces ‘Hack The Pentagon’ Bug Bounty Program by Bill Chappel.

From the post:

Announcing what it calls “the first cyber bug bounty program in the history of the federal government,” the Department of Defense says it’s inviting hackers to test the security of its Web pages and networks.

The contest is only for “vetted hackers,” the DoD says, which means that anyone hoping to find vulnerabilities in its systems will first need to pass a background check. Participants could win money and recognition for their work, the agency says.

The pilot program is slated to begin in April. And if you’re wondering whether the hackers might disrupt a critical piece of the Department of Defense’s infrastructure, the agency says that hackers will target a predetermined system that’s not part of its critical operations.

According to a list published by the Defense Department, it currently manages 488 websites, which are devoted to everything from the 111th Attack Wing and other military units to the Yellow Ribbon Reintegration Program.

The “Hack the Pentagon” initiative is the work of the Defense Digital Service, a DoD unit that was launched last fall as part of the White House’s U.S. Digital Service.

A sad story. A Pentagon bug bounty program, even if limited to only parts of the DoD’s infrastructure, could pull cyber talent from around the world.

End result: Better security for the Pentagon and bug reports on commonly used elements of web infrastructure.

However, the Pentagon wants only “vetted hackers.”

A pool of non-threatening or at least docile talent that is willing to find but also conceal vulnerabilities.

The bug bounty program is a great idea, “vetted hackers” is the perfect way to diminish its value. To the Pentagon and the general public.

What this program needs is an anonymous rewards program like Crime Stoppers.

That would attract the best talent which in turn increases the security of Pentagon systems.

Or, is that the point of this program?

Won’t know that until the list of “vetted hackers” is published. Anyone at Lloyd’s giving odds on the same names appearing on current DoD contracts?

March 1, 2016

Failure Is Not An Option [Really?]

Filed under: Cybersecurity,Design,Government,Politics,Security — Patrick Durusau @ 3:22 pm

Slogans such as this one distort policy discussions, planning and implementation on a variety of issues.

[Image: "Failure is not an option" slogan]

The issue here is cybersecurity but it could be sexual harassment, rape, terrorist acts (other than the first two), fraud, hunger, suicide, etc.

Take it as a given there are no, repeat no sparrow shall fall systems.

Sorry to disappoint you but even with unlimited resources, which no project has, that’s not possible.

Every discussion of cybersecurity or other policy issue MUST include the issue of how much security (risk if you prefer) can be obtained for N resources?

More likely than not you are always going to want more security than you have resources to obtain, but acknowledging that up front enables you to prepare for what happens when security fails.

Which it is going to do. No ifs, ands or buts, all security systems fail. Some more often than others but they all fail.

I don’t consider Roswell to be a counter-example. The information, such as does exist, isn’t important enough for the effort required to obtain it. Some secrets remain secrets out of disinterest.

Realizing failure is not only an option but a certainty, designers don’t have to waste time on plausible deniability and/or responsibility for all breaches. Congress allocated $N resources and for $N resources, you get the rot-13 cipher level of security.

As opposed to the VA routine where Congress allocates $N resources to the VA but expects $N3 care for veterans. Why is anyone surprised the VA provided $N level of care and created mechanisms to deny $N3 care?

Of course, cheating and lying aren’t the best options for dealing with a shortfall in funding but that mirrors the VA funders so that isn’t surprising either.

Be up front with clients and say:

  • Yes, failure is not only an option, it’s going to happen.
  • Anyone who says differently hopes you manage by bumper stickers.
  • Evaluate what $N resources can buy you against risk R.
  • Plan your response to failure (as opposed to the post-failure blame game)

Such an approach will make you a novelty among consultants/contractors.

February 29, 2016

Toking Weed vs. Evidence on Going Dark

Filed under: Cybersecurity,FBI,Government,Security — Patrick Durusau @ 7:24 pm

Going Dark? Federal Wiretap Data Show Scant Encryption Problems by Andrea Castillo.

From the post:


These charts use data from the annual Wiretap Reports published by the Administrative Office of the US Courts to display the portion of total reported wiretap orders that have been undermined by encryption technologies from 2001 to 2014. (This dataset only examines domestic wiretap requests. Information relating to wiretap requests regulated by the Foreign Intelligence Surveillance Act of 1978 is not available.) The charts show that, contrary to popular assumption, encryption technologies have only complicated a minuscule percentage of reported wiretap investigations in recent years.

going-dark-chart

Of the 147 wiretaps that encountered encrypted calls, 0.45% of 32,539 calls, 132 were deciphered so only 15 or 0.046% went undeciphered by the government.

For the sake of 15 wiretaps, the FBI and friends would strip over 300 million people of their privacy.

Did someone say that marijuana is no longer illegal in Washington, D.C.?

That’s the only explanation I can imagine for 15 wiretap cases being more important than 300+ million citizens.

Other explanations?

February 28, 2016

Media Makes Terrorists Good At Encryption [Projecting Ignorance]

Filed under: Cryptography,Cybersecurity,Government,NSA,Security — Patrick Durusau @ 9:15 pm

CIA Director: It’s the Media’s Fault That Terrorists Are So Good at Encryption by Kate Knibbs.

From the post:


Ledgett poked his finger at the media even more explicitly. “We track when our foreign intelligence targets talk about the security of their communication,” he said. “And we see a growing number of them, because of what’s in the press about the value of encryption, moving towards that.”

The implication of these statements—that media reports are somehow optimized to help terrorists be better at evading law enforcement—is a dangerous one. Yes, of course terrorists read. But Brennan and Ledgett’s statements situate media support for strong encryption on the side of terrorism. Neither intelligence leader recognized how members of their own communities might also benefit from media reports about encryption. In fact, neither Brennan nor Ledgett bothered to acknowledge that their own agencies rely on encryption as a crucial security measure.

Neither Brennan nor Ledgett specified which reports were believed to be frequently dog-eared on ISIS squatters, but that doesn’t matter. Extremists are interested in privacy tools, and media reports on privacy tools. Saying that they read about which tools to use is just saying that any group with goals attempts to find information that will help achieve those goals. Implying that media reports are aiding and abetting the enemy—not to mention the notion that reports highlighting privacy protections are somehow devious—is just unfair and chilling.

Kate’s right that blaming the media for extremists using encryption is far-fetched, not to mention “…just unfair and chilling.”

But what we are witnessing is the projection (Jung) of ignorance of the speakers onto others.

These witnesses making these statements have as much expertise at encryption as I do at break dancing. Which is to say none at all.

They are sock puppets who “learn” about encryption or at least buzz phrases about encryption from public media.

Or, in the case of the FBI, from an FBI training manual that shows images of hard-wired connections in a phone junction box.

Comey now wonders why encryption is allowed to defeat such measures. You have to wonder if Comey has noticed that cellphones are not followed by long phone lines.

Other than summarizing their nonsensical statements, the news media in general should not interview, quote or report any statement by these witnesses without a disclaimer that such witnesses are by definition incompetent on the question at hand.

Members of Congress can continue to bill and coo with those of skills equal to their own, but the public should be forewarned of their ignorance.

The Government Revolving Door and Apple

Filed under: Cybersecurity,FBI,Government,Security — Patrick Durusau @ 7:31 pm

Deposing Tim Cook by Stewart Baker.

I’m not going to quote any of Stewart’s post because I want to test your powers of deduction on his likely position.

Here is the one clue I will give you:

Stewart A. Baker is a partner in the Washington office of Steptoe & Johnson LLP. He returned to the firm following 3½ years at the Department of Homeland Security as its first Assistant Secretary for Policy. He earlier served as general counsel of the National Security Agency.

That blurb appears next to the post itself. I have no way to verify that information but accept it as true for the purposes of my question:

Does Stewart Baker support or oppose Apple’s objection?

Your answer goes here: ______

Now go read Stewart’s post.

How did you do?

You may want to set an auto-search to alert on Stewart’s next trip through the government revolving door.

February 27, 2016

Internet of Things (Nissan LEAF) – Be Afraid, Be Sore Afraid

Filed under: Cybersecurity,IoT - Internet of Things,Security — Patrick Durusau @ 8:54 pm

Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs

From the post:

Last month I was over in Norway doing training for ProgramUtvikling, the good folks who run the NDC conferences I’ve become so attached to. I was running my usual “Hack Yourself First” workshop which is targeted at software developers who’d like to get up to speed on the things they should be doing to protect their apps against today’s online threats. Across the two days of training, I cover 16 separate discrete modules ranging from SQL injection to password cracking to enumeration risks, basically all the highest priority security bits modern developers need to be thinking about. I also cover how to inspect, intercept and control API requests between rich client apps such as those you find on a modern smart phone and the services running on the back end server. And that’s where things got interesting.

One of the guys was a bit inspired by what we’d done and just happened to own one of these – the world’s best-selling electric car, a Nissan LEAF:

Nissan-Leaf2

What the workshop attendee ultimately discovered was that not only could he connect to his LEAF over the internet and control features independently of how Nissan had designed the app, he could control other people’s LEAFs. I subsequently discovered that friend and fellow security researcher Scott Helme also has a LEAF so we recorded the following video to demonstrate the problem. I’m putting this up front here to clearly put into context what this risk enables someone to do then I’ll delve into the details over the remainder of the post:

Troy Hunt, located in Australia, controls a Nissan LEAF located in Northern England via a web browser.

Heater on/off, driving (trip) history; nothing more serious, but worldwide accessibility via a VIN is an odd design decision.

You won’t be able to try this, as Nissan is reported to have taken the service offline as of 25 February 2016.

Don’t be too disappointed. Bad design and implementation decisions are repeated over and over again. Perhaps you will find the next one first.
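The design flaw above, an API that takes a VIN as its only identifier and never checks that the caller owns the car, as an added example. This is not Nissan’s code and not from Troy Hunt’s post; the endpoint names, data model, session table and sample VINs are constructed for the illustration. The vulnerable pair of functions shows the “before”; the hardened pair resolves the caller from a session and requires that the VIN belong to that user.

```python
"""Vulnerable and hardened versions of a vehicle-control API keyed on the VIN.

Added example: not Nissan's code and not from Troy Hunt's post. The endpoint
names, data model, session table and sample VINs are constructed for this
illustration. It shows the design flaw the post describes: an API that takes
a VIN as its only identifier and never checks that the caller owns the
vehicle it names.
"""
from dataclasses import dataclass, field


@dataclass
class Vehicle:
    vin: str
    owner_id: str
    climate_on: bool = False
    trips: list = field(default_factory=list)


# Constructed sample data: made-up VINs, owners and trip history.
FLEET = {
    "TESTVIN0000000001": Vehicle("TESTVIN0000000001", "alice", trips=["home -> office"]),
    "TESTVIN0000000002": Vehicle("TESTVIN0000000002", "bob", trips=["home -> gym"]),
}

# Constructed session table: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class ApiError(Exception):
    """Raised for any request the API refuses."""


def vulnerable_vehicle_status(vin: str):
    """Before: the VIN is the whole request. Anyone holding a VIN, which is
    stamped on the car and visible through the windscreen, can read the trip
    history of that car from anywhere on the internet."""
    car = FLEET.get(vin)
    if car is None:
        raise ApiError("unknown vehicle")
    return {"vin": car.vin, "climate_on": car.climate_on, "trips": list(car.trips)}


def vulnerable_climate_control(vin: str, turn_on: bool):
    """Before: the same flaw on a state-changing call; any VIN, any caller."""
    car = FLEET.get(vin)
    if car is None:
        raise ApiError("unknown vehicle")
    car.climate_on = turn_on
    return {"vin": car.vin, "climate_on": car.climate_on}


def _authorized_vehicle(session_token: str, vin: str) -> Vehicle:
    """After: resolve the caller from a session, then require that the VIN
    belongs to that caller. Existence and ownership failures return the same
    error so the endpoint cannot be used to enumerate which VINs exist."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise ApiError("unauthenticated")
    car = FLEET.get(vin)
    if car is None or car.owner_id != user:
        raise ApiError("not found")
    return car


def hardened_vehicle_status(session_token: str, vin: str):
    car = _authorized_vehicle(session_token, vin)
    return {"vin": car.vin, "climate_on": car.climate_on, "trips": list(car.trips)}


def hardened_climate_control(session_token: str, vin: str, turn_on: bool):
    car = _authorized_vehicle(session_token, vin)
    car.climate_on = turn_on
    return {"vin": car.vin, "climate_on": car.climate_on}


def denied(call, *args) -> bool:
    """True if the call is refused with ApiError; checks the authorization boundary."""
    try:
        call(*args)
    except ApiError:
        return True
    return False


if __name__ == "__main__":
    # Alice holds only Bob's VIN. The vulnerable API hands over his trips and
    # lets her switch his heater on; the hardened API refuses both.
    print(vulnerable_vehicle_status("TESTVIN0000000002"))
    print(vulnerable_climate_control("TESTVIN0000000002", True))
    print(denied(hardened_vehicle_status, "tok-alice", "TESTVIN0000000002"))
    print(hardened_climate_control("tok-bob", "TESTVIN0000000002", False))
```

The ownership check is the whole fix; a VIN is a public identifier, not a credential, and the hardened version treats it as nothing more than a lookup key scoped to the authenticated user.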

February 26, 2016

Pwning Common Backdoors and Botnets with Metasploit

Filed under: Cybersecurity,Metasploit,Security — Patrick Durusau @ 4:08 pm

Pwning Common Backdoors and Botnets with Metasploit

From the post:

The Metasploit Framework has a lot of exploit modules including buffer overflow attacks, browser exploits, web application vulnerabilities, backdoor exploits, bot pwnage tools, etc. Exploit developers and contributors to the framework have shared a wide variety of interesting and very useful stuff.

For this article, we will talk about utilizing Metasploit to hack and take over common backdoors and botnets. We will not go into all of the modules, but we will be mentioning some modules that could be of use to your future penetration testing job or work. We will not be doing exploit development so no need to get your debuggers and code editors.

If you are new to using Metasploit Framework particularly with the msfconsole (command-line interface of the framework) then you don’t need to worry because this is a simple step by step guide also on how to use an exploit module. One of the things needed for this tutorial is that you have Metasploit installed on your attacker machine thus I would advise you to have Kali Linux or maybe BackBox Linux which are penetration testing distributions and have Metasploit pre-installed.

For our target machine, I also suggest that you install Metasploitable 2 on your favorite virtualization platform like VMWare or VirtualBox. Metasploitable 2 is a vulnerable Ubuntu Linux virtual machine which is good for practicing your Metasploit-fu skills because it is built to be insecure and to be your pet.

Except for U.S. Presidential primaries and their “debates,” one of which was captured by closed-captioning as:

[Image: closed-captioning screenshot from a CNN debate]

most of the major sports are between seasons.

No better time than the present to begin acquiring and/or polishing your Metasploit skills!

The Insecure Internet of Things (IIoT) requires the digital equivalent of a “church key” for entry:

[Image: church key can opener]

but there are more sophisticated (and lucrative) targets.

Enjoy!

Economic Crime and Criminal Graphics

Filed under: Cybersecurity,Ecoinformatics,Security — Patrick Durusau @ 9:02 am

Adjusting the Lens on Economic Crime (Global Economic Crime Survey 2016)

From the foreword:

In business, the promise of opportunity is often tempered with the reality of risk.

This formula holds true not only for those working to build and sustain a business, but also for those looking to victimise one.

The story told in our 2016 Global Economic Crime Survey is one with which we are all too familiar: economic crime continues to forge new paths into business, regulatory compliance adds stress and burden to responsible businesses, and an increasingly complicated threat landscape challenges the balance between resources and growth. The moral of this story is not new, but is one that may have been forgotten in our haste to succeed in today’s fast-paced global marketplace.

Our report challenges you to adjust your lens on economic crime and refocus your path towards opportunity around strategic preparation.

This work needs to be embedded in your day-to-day decision-making, and supported by strong corporate ethics. Preparing your company for sustained success in today’s world is no longer an exercise in mapping out plans that live out their days in dusty binders on a director’s shelf. Preparation today is a living, breathing exercise; one that must be constantly tweaked, practiced and tended to, so that it is ready when threats become realities.

Understanding the vision of your company and strategically mapping out a plan for both growth as well as a plan for defence – one that is based on your unique threat landscape and profile – will be the difference between realizing your opportunity or allowing those who want to victimise you to capitalise on theirs.

It wasn’t entirely clear to me what was meant by “economic crime,” aside from possibly a different method of making a profit than the complaining enterprise. It’s all capitalism. Crime is just capitalism that doesn’t follow a particular set of local rules.

I am bolstered in that belief by Fig. 2 from the paper:

[Fig. 2 from the report]

I have always puzzled over bribery & corruption, for example. Why piece-work corruption is any worse than structural corruption (the sort preferred in the United States) has never been clear to me.

It isn’t clear how useful you will find the report, especially given graphics like the one found at Fig. 3:

[Fig. 3 from the report]

I have puzzled over it and the accompanying text for some time.

Does the 49% for financial services represent its percentage of the 36% global crime rate? Seems unlikely, because government/state owned follows at 44% and retail & consumer at 43%, which puts us at over 136% without including the other categories.

Is it that 49% of financial services are economic crimes? That’s possible but I would hardly expect them to claim that title.

Sometimes, when graphics make no sense, they literally make no sense.

I think you can safely skip this paper.

February 25, 2016

Apple Fires At The Death Star!

Filed under: Cybersecurity,FBI,Government,Security — Patrick Durusau @ 8:40 pm

Well, almost.

More accurate to say Apple filed: APPLE INC’S MOTION TO VACATE ORDER COMPELLING APPLE, INC. TO ASSIST AGENTS IN SEARCH, AND OPPOSITION TO GOVERNMENT’S MOTION TO COMPEL ASSISTANCE.

Caveat: Don’t be confused by the errant page numbering in the table of contents (TOC). I have checked (and you can too) the authorities against the pages where cited. I’m not sure why the TOC is wrong but it is. Total length is sixty-five (65) pages.

To entice you to read the document in full, here is the first paragraph:

This is not a case about one isolated iPhone. Rather, this case is about the Department of Justice and the FBI seeking through the courts a dangerous power that Congress and the American people have withheld: the ability to force companies like Apple to undermine the basic security and privacy interests of hundreds of millions of individuals around the globe. The government demands that Apple create a back door to defeat the encryption on the iPhone, making its users’ most confidential and personal information vulnerable to hackers, identity thieves, hostile foreign agents, and unwarranted government surveillance. The All Writs Act, first enacted in 1789 and on which the government bases its entire case, “does not give the district court a roving commission” to conscript and commandeer Apple in this manner. Plum Creek Lumber Co. v. Hutton, 608 F.2d 1283, 1289 (9th Cir. 1979). In fact, no court has ever authorized what the government now seeks, no law supports such unlimited and sweeping use of the judicial process, and the Constitution forbids it. (emphasis in original)

Now that’s an opening paragraph!

I especially like the “…to conscript and commandeer Apple in this manner” language.

Even if you have to go “blah, blah,” over the case citations, do read this memorandum.

It will leave you with no doubt the FBI has abandoned even lip service to the Constitution and our system of government.

February 24, 2016

Apple Response to Attempted FBI Mugging

Filed under: Cybersecurity,FBI,Government,Security — Patrick Durusau @ 6:02 pm

Apple is politer than I would be after an attempted FBI mugging.

The new webpage by Apple reads in part:

Why is Apple objecting to the government’s order?

The government asked a court to order Apple to create a unique version of iOS that would bypass security protections on the iPhone Lock screen. It would also add a completely new capability so that passcode tries could be entered electronically.

This has two important and dangerous implications:

First, the government would have us write an entirely new operating system for their use. They are asking Apple to remove security features and add a new ability to the operating system to attack iPhone encryption, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.

We built strong security into the iPhone because people carry so much personal information on our phones today, and there are new data breaches every week affecting individuals, companies and governments. The passcode lock and requirement for manual entry of the passcode are at the heart of the safeguards we have built in to iOS. It would be wrong to intentionally weaken our products with a government-ordered backdoor. If we lose control of our data, we put both our privacy and our safety at risk.

Second, the order would set a legal precedent that would expand the powers of the government and we simply don’t know where that would lead us. Should the government be allowed to order us to create other capabilities for surveillance purposes, such as recording conversations or location tracking? This would set a very dangerous precedent.

The first sentence captures all that needs to be said for me:

The government asked a court to order Apple to create a unique version of iOS that would bypass security protections on the iPhone Lock screen.

Suddenly, the “land of the free,” becomes “land of the free, so long as you don’t cross the FBI…”

The government can certainly ask Apple to undertake such a project but Apple (and you) have an absolute right to decline. For any reason.

The FBI wants your freedom to choose to be at the sufferance of the FBI.

That doesn’t fit with my notion of liberty under the U.S. Constitution.

Does it fit with yours?

February 23, 2016

Apple Refuses to “Unlock” – False Meme – FBI Attempts To Press Gang Apple

Filed under: Cybersecurity,FBI,Government,Security — Patrick Durusau @ 9:43 pm

The meme that Apple has refused to “unlock” an iPhone in the San Bernardino shooting case is demonstrably false.

There is no magic key which Apple has refused to release to the FBI. (full stop)

Every media outlet or person describing the request to Apple as to “unlock:”

  1. Is ignorant of the facts of the FBI request,
  2. Is deliberately spreading disinformation for the FBI,
  3. Or both.

The falseness of the “unlock” meme isn’t hard to demonstrate.

The original court order reads in part:

1. Apple shall assist in enabling the search of a cellular telephone, Apple make: iPhone 5C, Model: A1532, P/N:MGF2LL/A, S/N:FFMNQ3MTG2DJ, IMEI:358820052301412, on the Verizon Network, (the “SUBJECT DEVICE”) pursuant to a warrant of this Court by providing reasonable technical assistance to assist law enforcement agents in obtaining access to the data on the SUBJECT DEVICE.

2. Apple’s reasonable technical assistance shall accomplish the following three important functions: (1) it will bypass or disable the auto-erase function whether or not it has been enabled; (2) it will enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available on the SUBJECT DEVICE; and (3) it will ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware.

3. Apple’s reasonable technical assistance may include, but is not limited to: providing the FBI with a signed iPhone Software file, recovery bundle, or other Software Image File (“SIF”) that can be loaded onto the SUBJECT DEVICE. The SIF will load and run from Random Access Memory (“RAM”) and will not modify the iOS on the actual phone, the user data partition or system partition on the device’s flash memory. The SIF will be coded by Apple with a unique identifier of the phone so that the SIF would only load and execute on the SUBJECT DEVICE. The SIF will be loaded via Device Firmware Upgrade (“DFU”) mode, recovery mode, or other applicable mode available to the FBI. Once active on the SUBJECT DEVICE, the SIF will accomplish the three functions specified in paragraph 2. The SIF will be loaded on the SUBJECT DEVICE at either a government facility, or alternatively, at an Apple facility; if the latter, Apple shall provide the government with remote access to the SUBJECT DEVICE through a computer allowing the government to conduct passcode recovery analysis.

4. If Apple determines that it can achieve the three functions stated above in paragraph 2, as well as the functionality set forth in paragraph 3, using alternative technological means from that recommended by the government, and the government concurs, Apple may comply with this Order in that way.

Does that sound like “unlock” to you?

Yet, media outlets as diverse as NPR, the New York Times and the Pew Foundation, have all repeated the false “unlock” meme, along with many others.

The court order is an attempt to force Apple to undertake a custom programming project at the behest of the government.

Do you think the government can whistle up Apple, IBM or Microsoft, or even you, for a custom programming job?

Whether you want to participate or not?

That’s what FBI Director Comey and his media allies want to hide under the false “unlock” meme.

Spread the true meme – this is slavery on the software seas and should be denounced as such.

The freedom you save may well be your own.
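The three functions the order lists in paragraph 2, and the brute-force scenario Apple describes in its February 24 statement in the previous post, as an added example that is not from the order, from Apple or from the original post. The model treats each function as a switch in a passcode policy and measures what an exhaustive guess costs under the stock policy and under the firmware the order asks for. Every number in it is an assumption for illustration: roughly 80 ms per attempt for the hardware-tangled key derivation (the “delay incurred by Apple hardware” the order leaves in place), about 2 s for a person to type a guess, a wipe after ten consecutive failures, and an escalating software delay schedule that is illustrative rather than an exact copy of iOS behaviour.

```python
"""Model of the three passcode protections the order asks Apple to remove.

Added example; not from the order, Apple's statement or the original post.
All timings and thresholds are assumptions for illustration: ~80 ms per
attempt for the hardware-tangled key derivation that firmware cannot remove,
~2 s for a human to type one guess, a wipe after ten consecutive failures,
and an escalating software delay schedule that is illustrative only.
"""
from dataclasses import dataclass
from typing import Optional

HW_DELAY_S = 0.080      # assumed per-attempt cost that a software image cannot remove
MANUAL_ENTRY_S = 2.0    # assumed time for a person to type one guess on the screen

# Assumed software-imposed wait (seconds) after N consecutive failures; 9 or more -> 3600 s.
SOFTWARE_DELAY_AFTER = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}


@dataclass
class PasscodePolicy:
    auto_erase_after: Optional[int] = 10   # None = function (1): auto-erase disabled
    electronic_entry: bool = False         # True = function (2): guesses sent over a port or radio
    software_delays: bool = True           # False = function (3): no added delay between attempts


STOCK = PasscodePolicy()
ORDERED = PasscodePolicy(auto_erase_after=None, electronic_entry=True, software_delays=False)


def attempt_cost(policy: PasscodePolicy, prior_failures: int) -> float:
    """Seconds one guess costs after `prior_failures` consecutive wrong guesses."""
    cost = HW_DELAY_S
    if not policy.electronic_entry:
        cost += MANUAL_ENTRY_S
    if policy.software_delays and prior_failures >= 5:
        cost += SOFTWARE_DELAY_AFTER[min(prior_failures, 9)]
    return cost


def brute_force(policy: PasscodePolicy, space: int, correct: int):
    """Guess 0..space-1 in order. Returns (found, attempts_made, seconds_elapsed).

    Stops early if the policy wipes the device, after which the data is gone
    and further guessing is pointless."""
    elapsed = 0.0
    for guess in range(space):
        elapsed += attempt_cost(policy, guess)  # `guess` wrong guesses preceded this one
        if guess == correct:
            return True, guess + 1, elapsed
        failures = guess + 1
        if policy.auto_erase_after is not None and failures >= policy.auto_erase_after:
            return False, failures, elapsed
    return False, space, elapsed


def worst_case_hours(policy: PasscodePolicy, digits: int) -> float:
    """Hours to exhaust an all-digit passcode space; infinite if the device wipes first."""
    space = 10 ** digits
    _, attempts, seconds = brute_force(policy, space, space - 1)
    return seconds / 3600 if attempts == space else float("inf")


if __name__ == "__main__":
    # Stock policy: ten wrong guesses and the data is gone, so the search never finishes.
    print("stock policy, 4-digit passcode:", brute_force(STOCK, 10_000, 4242))
    # With all three functions applied, only the hardware cost per attempt remains.
    for digits in (4, 6):
        print(f"ordered firmware, {digits}-digit passcode: {worst_case_hours(ORDERED, digits):.1f} h")
```

Under the stock policy the search dies on the tenth wrong guess; with the three functions applied, a four-digit passcode falls in minutes and a six-digit one in about a day at the assumed 80 ms per attempt, which is why the order’s remaining limit is the delay “incurred by Apple hardware” and nothing else.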


Powered by WordPress