Author Archives: Robert Graham

There’s no conspiracy behind the FBI-v-Apple postponement

The FBI says it may have found another way to get data off an iPhone, and thus asked to postpone a hearing about whether Apple can be forced to do it. I thought I'd write a couple of comments. Specifically, people are looking for reasons to believe that the FBI, or Apple, or both are acting in bad faith, and that everything that happens is some sort of conspiracy. As far as I can tell, all evidence is that they are acting in good faith.

Orin Kerr writes:
If that happens, neither side will look good in the short term. The FBI won’t look good because it went to court and claimed it had no alternatives when an alternative existed. The whole case was for nothing, which will raise suspicions about why the government filed the case and the timing of this new discovery. But Apple won’t look good either. Apple claimed that the sky would fall if it had to create the code in light of the risk outsiders might steal it and threaten the privacy of everyone. If outsiders already have a way in without Apple’s help, then the sky has already fallen. Apple just didn’t know Continue reading

Why we are upset with the NYTimes Paris terrorist article

On the Twitters, we've been mocking that NYTimes article on the Paris terrorists and how they used "encryption". I thought I'd write up a brief note as to why.

It's a typical example of yellow journalism. The public isn't familiar with "encryption", so it's easy to sensationalize it, to make it seem like something sinister is going on.

At one point, the article says:
According to the police report and interviews with officials, none of the attackers’ emails or other electronic communications have been found, prompting the authorities to conclude that the group used encryption. What kind of encryption remains unknown, and is among the details that Mr. Abdeslam’s capture could help reveal.
That's not how encryption works. Instead, if "encryption" were the one thing the terrorists were using to hide, then you'd certainly find encrypted emails and encrypted messages -- ones you couldn't read without knowing the key.

The lack of emails/messages instead hints that the terrorists were meeting in person, passing paper notes to each other, or using telepathy. All of these, even telepathy, are more likely explanations for the lack of evidence than "encryption".

This article cites anonymous "authorities" here as concluding encryption was used. The New Continue reading

No, you backoff on backdoors or else

Speaking at #SXSW, President Obama threatened the tech community, telling us to backdoor our encryption ourselves or else congress will mandate a worse solution later.

No, Mr. President, it works the other way around. You'd better back off on your encryption demands, or else the tech community will revolt. That's what's already happened with Apple's encryption efforts, as well as with app developers like Signal and Wickr. Every time you turn the screws, we techies increase the encryption.

It's not a battle you can win without going full police-state. Sure, you can force Apple to backdoor its stuff, but then what about the encrypted apps? You'd have to lock them down as well. But what about encrypted apps developed in foreign countries? What about software I write myself? You aren't going to solve the "going dark" problem until you control all crypto.

If you succeed in achieving your nightmare Orwellian scenario, I promise you this: I'll emigrate to an extradition-free country, to continue the fight against the American government.

Your crypto backdoors create a police-state beyond what even police-state advocates like Michael Hayden and Lindsey Graham can tolerate. Your point on "balance" is a lie. We've become radically unbalanced toward mass Continue reading

Can the Apple code be misused?

This post will respond to the tweet by Orin Kerr:

The government is right that the software must be signed by Apple and made to only work on Farook's phone, but the situation is more complicated than that.

The basic flaw in this picture is jailbreaks. This is a process of finding some hack that gets around Apple's "signing" security layer. Jailbreaks are popular in the user community, especially in China, where people want to run software not approved by Apple. When the government says "intact security", it means "non-jailbroken".

Each new version of iOS requires the discovery of some new hack to enable jailbreaking. Hacking teams compete to see who can ship a new jailbreak to users, and other companies sell jailbreaks to intelligence agencies. Once jailbroken, the signing is bypassed, as is the second technique of locking the software specifically to Farook's phone.

Details are more complicated than this. Each jailbreak is different, and many won't allow this secret Apple software to be run. Some will. The point Continue reading

Code is expressive. Full Stop. (FBIvApple)

I write code. More than a $billion of products have been sold where my code is the key component. I've written more than a million lines of it. I point this out because I want to address this FBIvApple fight from the perspective of a coder -- from the perspective of somebody who the FBI proposes to conscript into building morally offensive code. Specifically, I want to address the First Amendment issue, whether code is expressive speech.


Consider Chris Valasek (@NudeHabasher), most recently famous for his car-hacking stunt of hacking into a Jeep from the Internet (along with Charlie Miller @CharlieMiller).

As Chris tells the story, he was on an airplane without WiFi writing code for his "CANbus-hack" tool that would hack the car. Without the Internet, he didn't have access to reference information, such as for strtok(). But he did remember from years earlier working on my (closed-source) code, and used the ideas he remembered to solve his immediate problem. No, he didn't remember the specifics of the code itself, and in any case, his CANbus-hack was unrelated to that code. Instead, it was the ideas expressed in my code that he remembered.

What he came up with was this:



Continue reading

Captain America Civil War — it’s us

The next Marvel movie is Captain America: Winter Soldier. The plot is this: after the Avengers keep blowing things up, there is pushback demanding accountability. Government should be in control when to call in the Avengers, and superhumans should be forced to register with the government. Ironman is pro-accountability, as you've seen his story arc evolve toward this point in the movies. Captain America is anti-accountability.

This story arc is us, in cybersecurity. Last year, Charlie Miller and Chris Valasek proved they could, through the "Internet", remotely control a car driving down the freeway. In the video, we see a frightened reporter as the engine stalls in freeway traffic. Should researchers be able to probe cars, medical equipment, and IoT devices, accountable to nobody but themselves? Or should they be accountable to the public, and to rules set up by government?

This story is about us personally, too. In cyberspace, many of us have superhuman powers. Should we be free to do whatever we want, without accountability, or should we be forced to register with the government, so they can watch us? For example, I scan the Internet (the entire Internet) with relative impunity. This is what I tweeted when creating my Continue reading

An open letter to Sec. Ashton Carter

Hi.

For security research, I regularly "mass scan" the entire Internet. For example, my latest scan shows between 250,000 and 300,000 devices still vulnerable to Heartbleed. This is legal. This is necessary security research. Yet, I still happily remove those who complain and want me to stop scanning them.

The Department of Defense didn't merely complain, but made threats, forcing me to stop scanning them. You guys were quite nasty about it, forcing me to figure out for myself which address ranges belong to the DoD.

These threats are likely standard procedure at the DoD, investigating every major source of scans and shutting down those you might have power over. But the effect of this is typical government corruption, preventing me from reporting the embarrassing detail of how many DoD systems are still vulnerable to Heartbleed (but without stopping the Chinese or Russians from knowing this detail).

Please remove your threats, so that I can scan the DoD in the same way I scan the rest of the Internet. This weekend I'll be scanning the Internet for systems susceptible to the DROWN attack. I would like to include the DoD in those scans.

I write to you now because you are Continue reading

Early Internet services considered harmful

This journalist, while writing a story on the #FBIvApple debate, got his email account hacked while on the airplane. Of course he did. His email account is with Earthlink, an early Internet services provider from the 1990s. Such early providers (AOL, Network Solutions, etc.) haven't kept up with the times. If that's still your email, there's pretty much no way to secure it.

Early Internet stuff wasn't encrypted, because encryption was hard, and it was hard for bad guys to tap into wires to eavesdrop. Now, with open WiFi hotspots at Starbucks or on the airplane, it's easy for hackers to eavesdrop on your network traffic. Simultaneously, encryption has become a lot easier. All new companies, those still fighting to acquire new customers, have thus upgraded their infrastructure to support encryption. Stagnant old companies, who are just milking their customers for profits, haven't upgraded their infrastructure.

You see this in the picture below. Earthlink supports older un-encrypted "POP3" (for fetching email from the server), but not the new encrypted POP3 over SSL. Conversely, GMail doesn't support the older un-encrypted stuff (even if you wanted it to), but only the newer encrypted version.


Thus, if you are a reporter using Continue reading

The disingenuous question (FBIvApple)

I need more than 140 characters to respond to this tweet:

It's an invalid question to ask. Firstly, it's asking for the emotional answer, not the logical answer. Secondly, it's only about half the debate, when the FBI is on your side, and not against you.


The emotional question is like ISIS kidnappings. Logically, we know that the ransom money will fund ISIS's murderous campaign, killing others. Logically, we know that paying this ransom just encourages more kidnappings of other people -- that if we stuck to a policy of never paying ransoms, then ISIS would stop kidnapping people.

If it were my loved ones at stake, of course I'd do anything to get them back alive and healthy, including pay a ransom. But at the same time, logically, I'd vote for laws to stop people paying ransoms. In other words, I'd vote for laws that I would then happily break should the situation ever apply to me.

Thus, the following question has no meaning in a policy debate over paying Continue reading

About McAfee’s claim he could unlock iPhone

So John McAfee has claimed he could unlock the terrorist's iPhone. Is there any truth to this?

http://www.businessinsider.com/john-mcafee-ill-decrypt-san-bernardino-phone-for-free-2016-2

No, of course this is bogus. If McAfee could do it, then he'd already have done it.

In other words, if it were possible, he'd just say "we've unlocked an iPhone 5c running iOS 9 by exploiting {LTE baseband, USB stack, WiFi stack, etc.}, and we can therefore do the same thing for the terrorist's phone". Otherwise, it's just bluster, because everyone knows the FBI won't let McAfee near the phone in question without proof he could actually accomplish the task.

There's a lot of bluster in the hacking community like this. There is a big difference between those who have done, and those who claim they could do.

I suggest LTE baseband, USB stack, and WiFi stack because that's how I'd attack the phone. WiFi these days is pretty well tested, so that's the least likely, but LTE and USB should be wide open. I wouldn't do anything to help the FBI, though. The corrupt FBI goes around threatening security researchers like me, trampling on our rights, so they've burned a lot of bridges with precisely the people Continue reading

Some notes on Apple decrypting the San Bernardino phone

Today, a judge ordered Apple to help the FBI decrypt the San Bernardino shooter's iPhone 5C. Specifically:
  1. disable the auto-erase that happens after 10 bad guesses
  2. enable submitting passcodes at high speed electronically rather than forcing a human to type them one-by-one
  3. likely accomplish this through a firmware update
The text of the court order almost exactly matches that of the "iOS Security Guide". In other words, while it may look fairly technical, actually the entirety of the technical stuff they are asking for is described in one short document.

The problem the FBI is trying to solve is that guessing passcodes is slow. The user has two options. One option is that every bad guess causes the wait between guesses to get longer and longer, slowing down guessing until there is an hour between guesses. The other option is to have the phone erase itself after 10 bad guesses. Either way, it makes guessing the passcode impractical. The FBI is demanding that Apple update the software of the phone to prevent either of these things from happening.

The phone is an iPhone 5C, first released in September 2013, so is quite old. This increases the chance that Continue reading

We’ve always been at war with Eastasia

Our media is surprisingly Orwellian, and it's not always due to government control. People practice "doublethink" at their own volition, without a Thought Police. Social media (Twitter, Facebook) are instituting their own private Thought Police. Online journalism now means that the press is free to edit old articles, to change past reporting to conform to new political realities.

Consider the example in the book 1984 regarding the ongoing war between the three superstates of Oceania, Eurasia, and Eastasia (representing English, Russian, and Chinese empires respectively).

At the start of the book, Oceania is at war with Eurasia. They have always been at war with Eurasia. That's the political consensus, and all historic documents agree. However, Winston Smith (the protagonist) remembers a time five years ago when Oceania was instead at war with Eastasia. Winston Smith struggles with the philosophical idea of "truth". Which is more true, what everyone knows and what's in the newspapers, or the memories within his head?

Then Oceania's allegiance switched back again. On the sixth day of Hate Week, as crowds gathered to denounce Eurasia, the Party switched enemies to Eastasia. In a particularly rousing speech against their enemy, the speaker was handed a slip of paper, Continue reading

Fscking Visual Studio Code JS Hello World

The reason Linux never succeeded on the desktop is the lack of usability testing. Open-source programmers hate users, and created such an ugly baby that only a fanboy could love it. It's funny watching the same thing happen to "Visual Studio Code", Microsoft's answer to the Atom editor. You'd think with Microsoft behind it, that it'd be guided by usability testing. The opposite is true. It spends a lot of time hyping it, but every time I try to use it, I encounter unreasonable hurdles for the simplest of things. It's the standard open-source paradigm -- they only spend effort to make something work in theory without the extra effort to make it usable in practice.

The most common thing you'll want to do is first create a "hello world" program, then debug it. As far as I can tell, there are no resources that'll explain how to do this. So, for JavaScript on Windows, I thought I'd explain how this works.

Firstly, you'll need to install NodeJS and VS Code. Just choose the defaults, it's uneventful.

Secondly, you need to understand how projects work. This is the first hurdle everyone has with an IDE. You don't simply run the Continue reading

Hackers aren’t smart — people are stupid

The cliche is that hackers are geniuses. That's not true, hackers are generally stupid.

The top three hacking problems for the last 10 years are "phishing", "password reuse", and "SQL injection". These problems are extremely simple, as measured by the fact that teenagers are able to exploit them. Yet they persist because, unless someone is interested in hacking, they are unable to learn them. They ignore important details. They fail at grasping the core concept.


Phishing

Phishing happens because the hacker forges email from someone you know and trust, such as your bank. It appears nearly indistinguishable from real email that your bank might send. To be fair, good phishing attacks can fool even the experts.

But when you read advice from "experts", it's often phrased as "Don't open emails from people you don't know". No, no, no. The problem is that emails appear to come from people you do trust. This advice demonstrates a lack of understanding of the core concept.

What's going on here is human instinct. We naturally distrust strangers, and we teach our children to distrust strangers. Therefore, this advice is wired into our brains. Whatever advice we hear from experts, we are likely to translate it Continue reading

Nothing says “establishment” as Vox’s attack on Trump

I keep seeing this Ezra Klein Vox article attacking Donald Trump. It's wrong in every way something can be wrong. Trump is an easy target, but the Vox piece has almost no substance.

Yes, it's true that Trump proposes several unreasonable policies, such as banning Muslims from coming into this country. I'll be the first to chime in and call Trump a racist, Nazi bastard for these things.

But I'm not sure the other candidates are any better. Sure, they aren't Nazis, but their politics are just as full of hate and impracticality. For example, Hillary wants to force Silicon Valley into censoring content, brushing aside complaints from those people overly concerned with "freedom of speech". No candidate, not even Trump, is as radical as Bernie Sanders, who would dramatically reshape the economy. Trump hates Mexican workers inside our country; Bernie hates Mexican workers in their own countries, championing punishing trade restrictions.

Most of the substantive criticisms Vox gives Trump also apply to Bernie. For example, Vox says:
His view of the economy is entirely zero-sum — for Americans to win, others must lose. ... His message isn't so much that he'll help you as he'll hurt them... 
That's Bernie's Continue reading

Twitter has to change

Today, Twitter announced that instead of the normal timeline of newest messages on top, they will prioritize messages they think you'll be interested in. This angers a lot of people, but my guess is it's something Twitter has to do.

Let me give you an example. Edward @Snowden has 1.4 million followers on Twitter. Yesterday, he retweeted a link to one of my blogposts. You'd think this would've caused a flood of traffic to my blog, but it hasn't. That post still has fewer than 5000 pageviews, and is only the third most popular post on my blog this week. More people come from Reddit and news.ycombinator.com than from Twitter.

I suspect the reason is that the older Twitter gets, the more people each user follows. I'm in that boat. If you tweeted something more than 10 minutes before the last time I checked Twitter, I will not have seen it. I read fewer than 5% of what's possible in my timeline. That's something Twitter can actually measure, so they already know it's a problem.

Note that the Internet is littered with websites that were once dominant in Continue reading

Lawfare thinks it can redefine π, and backdoors

There is a gulf between how people believe law to work (from watching TV shows like Law and Order) and how law actually works. You lawyer people know what I'm talking about. It's laughable.

The same is true of cyber: there's a gulf between how people think it works and how it actually works.

This Lawfare blogpost thinks it's come up with a clever method to get their way in the crypto-backdoor debate, by making carriers like AT&T responsible only for the what ("deliver interpretable signal in response to lawful wiretap order") without defining the how (crypto backdoors, etc.). This pressure would come in the form of removing current liability protections they now enjoy for not being responsible for what customers transmit across their network. Or as the post paraphrases the proposal:
Don’t expect us to protect you from liability for third-party conduct if you actively design your systems to frustrate government efforts to monitor that third-party conduct.
The post is proud of its own smarts, as if they've figured out how to outwit mathematicians and redefine pi (π). But their solution is nonsense, based on a hopelessly naive understanding of how the Internet works. It appears all Continue reading

They are deadly serious about crypto backdoors

Julian Sanchez (@normative) has an article questioning whether the FBI is serious about pushing crypto backdoors, or whether this is all a ploy pressuring companies like Apple to give them access. I think they are serious -- deadly serious.

The reason they are only half-heartedly pushing backdoors at the moment is that they believe we, the opposition, aren't serious about the issue. After all, the 4th Amendment says that a "warrant of probable cause" gives law enforcement unlimited power to invade our privacy. Since the constitution is on their side, only irrelevant hippies could ever disagree. There is no serious opposition to the proposition. It'll all work itself out in the FBI's favor eventually. Among the fascist class of politicians, like the Dianne Feinsteins and Lindsey Grahams of the world, belief in this principle is rock solid. They have absolutely no doubt.

But the opposition is deadly serious. By "deadly" I mean this is an issue we are willing to take up arms over. If congress were to pass a law outlawing strong crypto, I'd move to a non-extradition country, declare the revolution, and start working to bring down the government. You think the "Anonymous" hackers were bad, Continue reading

Is packet-sniffing illegal? (OmniCISA update)

In the news recently, Janet Napolitano (formerly head of DHS, now head of California's university system) had packet-sniffing software installed at the UC Berkeley campus to monitor all its traffic. This brings up the age-old question: is such packet-sniffing legal, or a violation of wiretap laws?

Setting aside the legality question for the moment, I should first point out that it's perfectly normal. Almost all organizations use "packet-sniffers" to help manage their network. Almost all organizations have "intrusion detection systems" (IDS) that monitor network traffic looking for hacker attacks. Learning how to use packet-sniffers like "Wireshark" is part of every network engineer's training.

Indeed, while the news articles describe this as some special and nefarious plot by Napolitano, the reality is that it's probably just an upgrade of packet-sniffer systems that already exist.

Ironically, much packet-sniffing practice comes from UC Berkeley. It's famous for having created "BPF", the eponymously named "Berkeley Packet Filter", a standard for packet-sniffing included in most computers. Whatever packet-sniffing system Berkeley purchased to eavesdrop on its networks almost certainly includes Berkeley's own BPF software.


Now for the legal question. Even if everyone is doing it, it doesn't necessarily mean it's legal. But the wiretap Continue reading

Some notes on the Norse collapse

Recently, cybersec company "Norse Security" imploded. Their leaders and most of the employees were fired, and their website is no longer available. I thought I'd write up some notes on this.

All VC-funded startups are a scam

Here's how VCs think. They see that there is a lot of industry buzz around "threat intel". They'll therefore fund a company in that space. This company will spend 5% of that money to create a cool prototype, and 95% on marketing and sales. They'll have fancy booths at trade shows. They'll have a PR blitz to all the reporters who cover the industry. They'll bribe Gartner to be named a Cool Vendor or Magic Quadrant Leader. They'll win industry kudos. They'll have some early sales 'wins' with some major customers. These customers will give glowing reviews of the product they bought -- even before turning it on.

In other words, it's a perfect "Emperor Has No Clothes" story, where neither customers, nor Gartner, nor the press is competent to realize the Emperor is not wearing clothes.

VCs know it's a scam, but they are hoping it'll become real. As a well-known leader in this space, employees with the needed expertise will flock Continue reading