Why Wordfence Supports Strong Encryption Without Backdoors
This morning global headlines are discussing Apple’s move to oppose a court order issued by the US government regarding breaking into it’s own iPhone. This case has far reaching consequences and is part of a wider debate on cryptography and whether consumers and businesses should have access to strong cryptography and the data protection that comes with it.
I’m going to start by explaining what is happening in the Apple case. Then we’ll discuss the wider implications and why Wordfence supports Apple’s move to oppose the order by the US government. I’ll also explain how this affects you, both in the WordPress space and in your wider business and personal activities.
Yesterday a Federal District Court judge in California issued a court order which compels Apple to develop software that will unlock an iPhone used by one of the two attackers who killed 14 people in San Bernardino in California in December 2nd of last year.
This morning Apple issued a statement expressing sympathy for the victims in the San Bernardino attack and supporting the search for justice, but making it clear that they will oppose the order. The statement explains that by developing a custom version of iOS, the iPhone operating system, as the order requests, they will be creating a master key that will allow the government to unlock all iPhones and access their data too.
According to Apple:
Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.
The legal mechanism that the US government is using to compel Apple to build this back door is the All Writs Act of 1789. The relevant quote from the law is that it allows judges to “..issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.” Apple argues that this new interpretation of the All Writs Act could allow the government to:
…extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.
Now lets chat about why Wordfence supports Apple’s opposition to this order.
What the government is asking for is a back-door into the encryption that protects the iPhone. Whether this back-door is a key that gives them access, or is a custom built operating system that lets them gain access, is not relevant. The results are the same and the back-door is binary data in both cases.
The first problem this introduces is that this back door will need to be protected. It will need to be stored by the US government on a secure network or system. If criminals gain access to this back-door or the techniques it employs, or if they are able to reverse engineer the back-door, they will gain access to all iPhones. Criminals will then have the same extraordinary access to encrypted consumer data that the US government has.
In handing a set of keys to the government, we assume two things:
- The US government is infallible. Specifically, they are able to keep all their confidential data secure all the time.
- The US government is unimpeachable. Specifically, all employees can be completely trusted.
At Wordfence, we have the greatest respect for the work that many in government and in public service do. This includes the intelligence community where we have friends who make extraordinary sacrifices to work in those roles. But we think it’s fair to acknowledge that our government and it’s people are human and therefore can make mistakes.
This problem affects most companies in the same way, but to illustrate, we will use ourselves as an example. Wordfence uses strong encryption to protect your data. Specifically we use public key cryptography along with symmetric cryptography to encrypt sensitive data as it moves across the network. In order to keep that data secure, we need to keep our private keys secure. That’s our job and our responsibility.
If we were to create a back-door into that encryption, we would be trusting that the holder of that back-door is able to keep the back-door secure. That creates a big problem for us as a practical matter. Right now we have a limited number of entry points or “endpoints” in security speak, that we need to protect.
If we hand a new set of keys to the government, we suddenly have to protect a huge number of new endpoints that need to be protected to protect those keys. If those endpoints are on a US government network, classified or not, it probably would expand into the tens or hundreds of thousands of new endpoints that need to be protected to protect our secure data.
We would have no visibility into those endpoints because they would all be ‘classified’. We have no access to audit the government’s network. We simply have to trust that they are infallible and unimpeachable.
Introducing a back-door with keys for that backdoor into our own cryptography has the effect of massively expanding the number of endpoints that need to be protected to protect our network and our customers.
This problem extends in a similar way to other companies who use cryptography to protect your data. It also affects consumer devices and software like web browsers and the secure connection they currently enjoy with web servers.
The effect of this on WordPress publishers is that they may be compelled, or their vendors may be compelled into providing backdoors into cryptography that protects their customer or website data. They may also be forced to provide a backdoor into the secure connection between a visitor web browser and their website. The problems it introduces are:
- The size of the network that needs to be protected to protect your customer data is suddenly much larger.
- If the backdoor is compromised, your customer data and website data is compromised.
- You now have the responsibility of protecting a much larger attack surface behind which are the private keys to your network and you have no visibility into that network or the ability to audit it’s security.
I’d like to make three more points that relate to this argument:
Even if you create backdoors into encrypted data used by consumers and businesses, it is a mathematical reality that a bad guy, or terrorist in this case, can write their own encryption software that is unbreakable and has no backdoor. It is relatively easy to write an application that provides unbreakable encryption to a criminal or terrorist – the algorithms are open source. If backdoors are mandated by governments, then the only people with secure encryption will be the very people you are trying to surveil.
It is possible to perform effective surveillance without backdoors. Tor is an anonymous browser that hides the identities of users by using strong encryption. Using a timing attack (also called end-to-end correlation) you can confirm a Tor user’s identity simply by monitoring the network without being able to break Tor’s encryption. This is an example of using meta-data for surveillance rather than decrypted data. Not having access to a backdoor does not prevent the intelligence services from doing their job.
Finally, as Alex Stamos, Facebook Chief Security Officer asked Admiral Rogers (Director of the NSA) at a security conference last year: If we give the US government a backdoor into encrypted data, should we give other governments that same access? How do we justify giving the United States extraordinary access if we do business in France and don’t give the French government the same access? The results of granting the US government a backdoor could well be that all governments require that same access if you do business in their jurisdiction.
Framing this debate as leaving “no stone unturned as we gather as much information and evidence as possible.”, as US Attorney Eilleen M. Decker said, does not fully capture the complexity of this debate and the cost of granting extraordinary access to systems and cryptography. Granting that extraordinary access runs the risk of leaving us less secure while criminals are free to choose to use strong unbreakable encryption.
For this reason, Wordfence supports Apple in their move to oppose the court order to create a back door into their smartphones.
I would like to encourage you to learn more about why access to strong cryptography matters and to join the debate. Post your comments below.
Sincerely,
Mark Maunder – Wordfence Founder and CEO.
Additional Resources:
- The Electronic Frontier Foundation is filing an amicus brief with the court in support of Apple.
- According to Reuters, the Whitehouse said in a statement that the government is not asking for a backdoor and are instead asking for help with a single device in an investigation.
Comments
1:39 pm
What can regular people like us even do about any of this other than reposting it on social media?
1:45 pm
Good question Ryan. I would say following the issue in the news is step 1. Hopefully we've shed some light on the debate. If you're in the United States and there's a bill being debated in state or federal government, find out where you stand on the issue and then call or write your congressman or senator and express your point of view. Alternatively you can share it on social media or write about in on your blog or social media. This also affects policy.
I think it's important to take a position and express that point of view because there are very big organizations that have a vested interest in taking the opposing view. And so it's really important that all voices are heard and what we end up with is a true reflection of what most of us want and (hopefully) what we need, rather than what the vocal minority wanted or those with more power or money wanted.
~Mark.
2:05 pm
Please Wordfence team, make an official petition about this and then update your blog post so everyone can sign it...
https://www.change.org/petition
2:08 pm
Interesting idea, thanks Adam. We'll keep that in mind. We have a fairly big community now so we can probably shift policy if we all feel strongly about an issue and agree on it.
1:44 pm
Excellent article. Thank you for taking the time to break this down specifically. I had an ID theft for almost 1 million dollars. I get privacy at whole different level than most people do. I will be sharing this on my Facebook page and on Twitter. I use your software and recommend it to my clients. Thank you again. Bec:)
1:45 pm
Does this mean Google and Microsoft complied with the order?
1:55 pm
The government order this post is talking about is directed at Apple only and has nothing to do with Google or Microsoft or any other company. It would, however, set a dangerous precedent if Apple complied.
1:58 pm
I'm not sure they've been asked to do anything as this is specific to the massacre in San Bernardino. The attackers were communicating via iPhone (iOS). This is Kafka-esque. Orwellian. Yikes.
5:10 pm
The answer to that question is they have been complying for years. MS operating systems have back doors written into their code, why do you think they are so prone to viruses? The government gave MS a monopoly for Windows and MS gave the government free, unfettered access to all of the computers it is installed on. As far as Google is concerned, they already do regular, on the fly, data dumps to the NSA so the answer to your question is an overall yes, augmented by, it has been in place for a long time so it doesn't matter.
1:55 am
Jennifer, I thought I was paranoid :-) I usually follow the axiom 'Never attribute to conspiracy, that which can be explained by incompetence', and I know that MS is incompetent!
But you may be correct, and MS is inherently untrustworthy.
I'm a unix/Linux user.
1:45 pm
I completely applaud the move Apple has made, as well as your decision to support them in their endeavor. As a user of your products, I appreciate your stand to protect each of us from the government's prying eyes. Please keep up the great work you guys are doing!
1:46 pm
Really surprised to never see the words 'slippery slope' in this or other reports.
1:47 pm
Dangit! I knew I left something out. ;-)
4:09 pm
or "thin end of the wedge"
11:01 pm
" Tip of the iceberg."
1:49 pm
I don't have a problem with a backdoor. There has never before been an option to prevent the government from invading your privacy, either by tapping your phone or searching your premises, when a judge issues a warrant. The bigger problem is trusting employees at a company such as Apple to keep their hands off your data. Personally, I prefer to give up some liberties to ensure that the country is more secure from terrorists.
1:57 pm
Thanks for your comment Phil. So this is not a point of view I share, but it's one that is widely held among many folks, particularly in Washington. I was in DC late last week for a security conference that brings together the private sector and the intelligence community. There was a panel that discussed "Going Dark" and most of the panel (being from the I.C.) held a similar view. In particular the same point you're making was raised:
Until relatively recently it has never been possible for consumers to completely hide data in a black box that only they can open.
It was very tempting to address my view on this in the article but it would have gone way beyond the 1000 words it already is. But I'll share a few comments here.
Firstly, I agree. Absolutely, that is a big change. But there's a mathematical reality that comes with it and that is: Even if you force vendors to introduce backdoors for consumer products, it doesn't prevent the bad guys from simply developing and using their own unbreakable encryption. I should add that it is trivially easy for a high school student to write an unbreakable encryption algorithm using only the exclusive OR (XOR) function. There's no getting around this.
So yes, secure black boxes for data are a new thing. But they aren't going away and back doors don't make them go away.
The counter argument that was made on the panel is that most criminals are stupid and will use backdoored consumer products, so at least you'll get most of the data. I'm not sure I buy that because strong crypto products will likely go open source and be widely available - just not commercially available or legally available.
What I've noticed is that is almost turning in to a West Coast vs East Coast debate in the US. (I live just outside Seattle) Most military and intelligence contractors are on the East coast and most tech startups are on the west coast - and of course Apple, Google, Microsoft, etc. And so those with a vested interest in the intelligence industry are arguing one way while tech companies that don't sell to government take the opposite position.
Again thanks for your comment.
Mark.
2:07 pm
Philip, it really isn't that simple. The US government has already proven that it cannot be trusted to comply with its own privacy & security laws - so why would you present such a weak argument that everyone knows is a fallacy.
As for the old argument about protecting the country from terrorists - it is wearing a bit thin. Many more people are injured and murdered every day from violence than die from acts of terrorism, so perhaps you need to rethink your priorities and logic.
4:59 pm
There has always been a black box option. It’s private knowledge.
What's in one's head has always been inaccessible by government, except by torture, which does not provide reliable intel anyway. So their argument isn't exactly accurate.
If technology advances to the point that a living brain can be scanned for data, would they then argue that they should be allowed to do this too? Is that also justified? (What if it's just a bystander, not even a suspect, who *may* have overheard something subconsciously?)
Regarding trusting Apple employees, that is also a huge concern. Once they have created a "master key", then we’d have to trust *them* to be both infallible and unimpeachable too. And it’s recently come to light that they are frequently solicited to by Chinese companies / government agents. Are they supposed to forget how they did it afterwards and never use that knowledge again?
5:04 pm
Good point Steve regarding private knowledge. Thanks for your comment.
9:35 am
That would be a great movie script!
1:54 pm
Excellent article. Thanks for explain several implications about Security Risk on today's technologies. Even when the dispute correspond to a big company like Apple, those problems affects to any user that work on products that save or receive data.
1:55 pm
Hello,
I agree with Apple on denying anyone or 'any' government carte blanche access to private secure data for 'any reason'!
One only has to watch '1' episode of 'Person of Interest' to understand what this would mean
to security of all people, businesses and governments across the globe!
We are a small fry on the web with right at 30 websites and I am constantly amazed how many times a day any one of our sites our attacked by people or persons trying to log on as admin and steal data and vital information from us or our visitors. Multiply by millions of times and I can fully understand why Apple would refuse the request. Thank goodness there our people and companies like Apple and Wordfence, that draw the line on such an ill thought out demands.
Randy Yancey
Owner/Webmaster of APO Website Group
Springfield, Missouri
1:55 pm
Sorry, but there is no way in hell that I would trust the government to properly manage/safeguard such capability. I previously personally saw how government officials, with high level security clearances, have a disregard for security, which they deemed as 'inconvenient', for their operational capability. It could easily be stated that such a 'tool' was used, due to national security implications. This can be vaguely interpreted. As for the current situation, I agree that information on the phone could prove valuable. If they want the phone unlocked/opened, they could simply send an agent with the phone to Apple, and babysit the phone, while Apple unlocked the phone, at Apple, under Apple's control. Do they not trust Apple? Do they want control (i.e. the decryption software), or do they want the information on the phone?
2:05 pm
I can see both sides.
On the one hand, at what cost privacy? If by not allowing this backdoor, a terror attack kills a thousand, or a million, is that worth the cost? On the other hand, as many have pointed out, all you're doing by allowing this is forcing the terrorists to rely on their own encryption efforts.
I think one point that has been missed is that most of these terrorists do not appear to have strong technical skills in terms of encryption, but on the other hand all it takes is one good expert joining them and they will have all the capacity they need.
Knee jerk reactions will never provide a proper way of looking at all sides of the debate.
2:47 pm
"If by not allowing this backdoor, a terror attack kills a thousand, or a million, is that worth the cost?"
I certainly think so. A quick check shows that in 2014 the number of lives lost to terrorism GLOBALLY was equal to the number of lives lost to traffic fatalities in the U.S. alone.
Links for the citations:
http://www.statista.com/statistics/202871/number-of-fatalities-by-terrorist-attacks-worldwide/
https://en.wikipedia.org/wiki/List_of_motor_vehicle_deaths_in_U.S._by_year#Motor_vehicle_deaths_in_U.S._by_year
It's my opinion that the risk of dying from a terrorist act is so minuscule as to be worth ignoring at all. The average person in a small rural North American town has a far greater chance of being mauled by a pack of rabid dachshunds than they do of falling prey to terrorism. Alas, the trend in N.A. over the last 25 years is to promote fear and disempowerment as the themes of the day. That trend is costing citizens their rights in the name of a threat that is so minimal as to be meaningless on its own.
Joe Average and Suzy Creamcheese are far, far more likely to die from poor diet and lifestyle choices than they are to succumb to the nefarious plots of a few crazies. As such, I think it's insane to give away one's rights. Government wants you to believe that the threat is huge. You're more likely to get hit by lightning.
Fear is a bad position from which to make decisions. FEAR = False Evidence Appearing Real. Don't let The Man snow you. It's just a power play to eventually gain absolute control over a cowering population.
2:05 pm
It is so important that we continue to be educated on this topic. While I want to catch the "bad guys" as much as the NSA does, I do not trust the federal government to keep this information away from the IRS or other agencies that have been known to use it for political purposes.
If the government says they just want to have access to individual devices, would it be possible for the govt to reimburse businesses like Apple for the cost of providing access to accounts on a case by case basis with a court order? Apple would be indemnified and the govt would have to provide a need to snoop.
2:10 pm
I see no difference when a court orders entering my home and taking everything than a court ordering software to be unlocked. I know many of the engineers at apple. I believe they already have the backdoor. I am more afraid of large companies who are not accountable to anyone than a government like the US. What Apple is afraid of is that other governments will want to get the backdoor.
Why doesn't Apple just take the phone unlock it and provide the data to the government.
This is not a privacy issue! The phone is owned by the county of San Bernadino. When will software finally start being treated like hardware. Hardware Engineer
2:11 pm
I think that it is too big of an issue for either corporations or the government to decide. It is alas, a case for the Supreme Court, one in which thankfully Scalia will not be involved in.
2:13 pm
There is such a thing as the 4th amendment. Not that it means much any longer but I have little faith in the executive branch, or the judicial branch at this stage in history. They're going to do what they want regardless. I do applaud Apple for taking a stand and they certainly have the resources to go head to head in court.
2:54 pm
They CAN be stopped, if people are AWARE. People these days are too busy on facebook and playing games to be AWARE. And to stand up.
They want control of your phone to know what you say through apps. VOIP, SMS and calls are already monitored. Control of money and every info about you, your secret lovelife and anything they can hold against you to force your collaboration when required by them.
2:15 pm
I have to agree with "umeweall" about trusting the government - ANY government - to take care of security on something like what the judge is demanding.
I am in Europe and consdidering the much tougher stance here in favour of the security of personal privacy, I can imagine that Apple devices could be banned throughout the EU and the EFTA for intentionally having a backdoor installed in their devices. What would that do to Apple? Or the rest of the American manufacturers (well, in a manner of speaking) for that manner. And where would the backdoor be programmed in? Any votes for China?
Sorry, that scares the daylights out of me!
2:50 pm
Have you not read about the 5 eyes? Check out wikipedia. They already spy on one another, including EU citizens. Phones are more convenient way to spy and also to get your money if they want, or block you from something fast. BIG BROTHER on steroids.
2:17 pm
Considering my data was breached at the IRS, and knowing that the government operates solely on 'lowest bidder' contracts for all of their subcontract work - websites and networking included - I don't want them having the key to the backdoor of anything, let alone my phone. They already have enough technology in their hands that gathers data. I understand that they want to crack this 'one' phone. I get it. But not at the expense of opening a Pandora's box of slippery slope disastrous issues.
2:21 pm
Good move for Apple!
I could imagine the dramatic outcome if they would have complied like the godaddy boycott year lol
2:21 pm
As Edward Snowden has shown, all it takes is a single tech-savvy employee to be able to release information out of the NSA. The government simply can NOT be trusted to keep things secret. Snowden has been very, very careful in what he releases to the public and through what forums, but we can't assume a future leak would be as responsible.
If someone within the NSA were an actual bad actor with malicious intent, they could steal a copy of the hackable iOS and sell it to a foreign government.
2:24 pm
That's an outstanding explanation, Mark! We install your software for every WP site we touch. Keep up the great work.
2:26 pm
The US government will do anything to get control of data to spy on the population so it can manipulate and control us. Many of these attacks are what are called "Red Flag" attacks actually done by government agents. In San Bernadino early witnesses talked about 3 muscular men doing the attacking, yet those "suspects" who tell no lies when they are dead were a man and a woman.
I would not put it past the US government to use this as an excuse to get the information and the backdoor codes so that it could then use it on all of us. These iPhones they may have are probably planted and filled with false data.
I may be a bit cynical, but there is far too much of this going on to deny it happens.
2:26 pm
@Franckel:
Dissenting opinions are always welcome but your comment suggests you either didn't read the post or didn't understand it. What you wrote is barely even on topic.
"Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." -Ben Franklin
2:31 pm
”He who would trade liberty for some temporary security, deserves neither liberty nor security.” - Ben Franklin
2:33 pm
There should be a way to provide data requested to FBI for Court approved Terrorist cases without compromising the entire network.
2:38 pm
1984.
If you haven't read the book, find it, and read it (don't bother with the movie) It will send chills down your spine, especially when you consider it was written in 1948.
3:14 pm
Yeah, when I was a teen it was 1984 scare - now no one thinks USA is worse big brother than ever imagined, with the kind of tools available today for spying. I had then the Apple 2E computer - who could have imagined the tiny and advanced devices that control lives today - access to banking, homes, everything. People are so addicted to these little phones, they never let them out of their sight. Even in vacation - water proofed for swimming and kiting. At romantic dinners - I see on the beach in the Caribbean where we live tourists staring into their phones all dinner long. Making a pic and sending to FB. It is best touch point for espionage. Camera, sound, SMS, calls, apps- all possible info on you.
BAck then we talked, had political interests. Most young people today cannot write more than a tweet and don't want anything 'heavy' just to have a party, get drunk, waste life on FB addiction and no time to sleep. Play games and watch YT videos. So when do they ever get AWARE?
Of what truth is ? Like the bankers robbery in 2007 - too bug to comprehend for average person. No crooks paid the price aside from tiny token fine on billions earned.
They are the ones running the show, not the props in the gov.
To tell American public [or of any other country where an organized 'terror act' was made to occur in order to kill civil liberties] that is hyped up on fear of terror by the controlled TV channels {I worked years ago in media in war zones and had good insight to 'free' media] - to tell them their gov is a spying big brother will not work.
APPLE is smart- they tell them their phone is at risk. This is only thing people care about these days - that little phone so dear to them they cannot live without it for a minute.
2:44 pm
BIG BROTHER always fabricates "terror attacks" at convenient times they wish to increase their spying capabilities on citizens of the world or forge profitable wars.
Good on you Apple for standing up to the criminals, who use a nations fear to squash the very liberties they wave on July 4th. This is an ongoing process few of the masses are aware of - and brave individuals pay a heavy price for standing up and leaking information from the gov they worked for when they see the unjust actions going on. A point well pointed out in this article.
Yes, imagine the next brave employee who would do this- post the backdoor info online to force return to secure and private data the gov can not so easily get their fingers on. They tap all our SMS, phone calls and internet data, bank transactions and more, in greed for taxes, but imagine this access to your bank accounts and all other logins and data - the biggest ever 1984 unimagined and unaware by the masses is under our nose for a while, this is one peak to gaining fuller control easier.
Imagine when this brave person stands up to stop it. How? He or she would post the info online. Then a secure OS would need to immediately be made but meanwhile what a terrible financial tragedy for billions of people could occur.
This would be fastest way to steal, even more effective than what bankers did in 2007-2008. And likely would also get away with it, from one amazing heisst to the next.
2:45 pm
Great article Mark. You make it very clear why the one requested back door could be then used to compromise all IOS users in this specific case. The argument, that it would result in the bad guys creating their own unbreakable encryption and the consequence that the effective target would be everyone else, is particularly persuasive. While I write from the UK, I'm sure that our GCHQ (NSA equivalent) are watching developments with interest! I'm glad that Wordfence is around to help Wordpress users. Bob
2:50 pm
The above opinions seem to all be going one way but I believe that the greater "Public Good" has to override individual "Right To Privacy"
So in my mind the question isn't "To Backdoor Or Not To Backdoor?" but rather - "What Are The Controls Under Which We Can Backdoor, and Who?"
In the end we have to trust our democratic process or we have nothing worth protecting.
2:50 pm
This is a very well written, clear concise and balanced article. Thank you. I note responses vary from coldly logical to highly emotional.
While I sympathize with the latter, in this case its clear that the risks of providing a back door far outweigh the advantages.
The logic in the article cannot be refuted. Those who seek to force access using outdated laws should take a good look at previous similar attempts.
I am reminded of the creation of the first computer viruses by Microsoft to counter software piracy. That didn't end well, except possibly for the creation of a new industry. In terms of efficiency it created an ongoing disaster and opportunity for crime on a worldwide scale.
We might argue that similar viruses would have been created by a third party anyway. We can never know.
But it does make me realize that creating a back door into otherwise secure encryption will have huge, ongoing and unpredictable ramifications.
Maybe we should also widen the debate to include best practices for keeping crucial information on portable devices.
Now there is an development opportunity!
2:53 pm
Kudos to you for posting a clear description of the issue and the consequences of expanding the powers of the surveillance state currently in place. I especially appreciate the "infallible & unimpeachable" point you raise above. When held as a measure against the past performance of the US government executive branch, any reasonable person would conclude the risks of compliance outweigh the benefits by several orders of magnitude. Good job!
2:55 pm
Excellent article Mark. It will be interesting to see how this case unfolds in the coming weeks and months, as well as how the mainstream media take sides.
2:56 pm
I believe this report is not accurate.
As I understand it, the FBI wants Apple to assist it in disabling processes it has in place to defeat brute force attacks against passwords. This seems more than reasonable, and Apple will comply.
I am a little disturbed by all the Black Helicopter misstatements and paranoia emanating from people who should know better. Edward Snowden was not "careful" in the information he released. The Chinese and Soviets squeezed him like a sponge soon after they had him in their grasp.
The person who posted this:
+++ Many of these attacks are what are called "Red Flag" attacks actually done by government agents. In San Bernadino early witnesses talked about 3 muscular men doing the attacking, yet those "suspects" who tell no lies when they are dead were a man and a woman. +++
is disgusting and beneath contempt.
And I think jumping on the Apple bandwagon a bit premature. The company which is destroying people's phones via Error 53 should be looked at very carefully.
Finally, if anyone thinks you have a right to hide behind "privacy" claims when you've slaughtered Americans you are living in an alternate universe. The terrorists need to know that iPhones aren't safe havens for butchers and killers. If that perception ever develops, Apple will be a dead company.
Rick Chapman
Managing Editor and Publisher, Softletter
Author: Selling Steve Jobs' Liver. A Story of Startups, Innovation, and Connectivity in the Clouds"
"In Search of Stupidity: Over 20 Years of High-Tech Marketing Disasters"
3:05 pm
The whole point of encryption is to pick algorithms that make decrypting a message without all the keys so difficult that it would take decades to decrypt the message. It's not so much Apple won't, but that Apple can't decrypt the phone in any reasonable amount of time. No judge can overrule mathematics.
Unless Apple already has a backdoor built in in which case decrypting the phone too quickly would be a dead giveaway that they have such a backdoor when they most certainly should not have one. Kind of a catch 22 for Apple either way.
3:10 pm
Mark thanks for a very well written article that helped clarify the issue for me. I 100% support Apple in their position. I appreciate your position on this.
3:22 pm
Thank you for posting your stance on this very important security and freedom issue!
3:33 pm
Surely we can agree that the specific phone owned by Rizwan Farook needs to be unlocked?
Perhaps therein lies a way forward that keeps everyone happy?
3:34 pm
What a well thought out and dynamic article. I usually don't contribute responses to posts but I feel compelled, being a long time Wordfence fan, and making a living online for decades.
I've worked exclusively as a successful webmaster, marketer and content producer in the adult industry since 1999, before that I worked mainstream online since 1993. We've been on the front lines of the most nastiest, sophisticated, manipulative and destructive war on intellectual property & customer data since the beginning. Eastern Europe specializes in intellectual property theft and Asia in corporate data, government data, etc.
I have so much to say, and a wealth of knowledge but, containing my thoughts, I can only say obstruction of justice. I've seen many platforms come and go in my day and one thing always remains the same, the people wanting to be anonymous, and steal from you, always flock to those platforms, create infinite identities, and usually destroy the user experience, and platform, in the end.
Corporations & governments are always fighting for power. We are finally reaching a crescendo here, where a multi national corporation { I wont bash them } is saying they have the right to create a platform where anyone can hurt anyone without impunity. The corporation is being paid, making money, to create something that enables destruction without consequence. Logic tells me this is not sustainable.
You have a choice. The government is your keeper, or a corporation is your keeper. One of the two will know all about you. Both take your money, only one fires bullets to protect you. Don't be fooled.
3:51 pm
Well said. Maybe you can answer my question, posted below... Why can't Apple pull the needed info without giving government access?
4:01 pm
Apple and Google locked themselves out of their own products starting in around 2014 by providing consumers with strong encryption that they don't have a backdoor to. The case above involves the iPhone 5. On that phone if you try to guess the code to get into the phone (it's locked) 10 times, the phone wipes itself. So Apple can't get in and neither can the feds.
What the government is asking Apple to do is to build a custom version of iOS so that they can brute force hack their way into the phone. Essentially the custom iOS would allow more than 10 guesses and would allow the gov't to make those guesses electronically, so very quickly, thereby creating a backdoor. They would gain access in a very short amount of time.
So to answer your question: Apple can't pull the data unless they build a backdoor for themselves and they don't want to so the government is trying to force them to.
6:59 pm
Disagree with the whole premise. Not only can apple do it, they have done it many times in the past.
http://www.thedailybeast.com/articles/2016/02/17/apple-unlocked-iphones-for-the-feds-70-times-before.html
This is one of many stories available if you do some looking. It shows that iphones are a lot easier to access than they are letting on.
I think it is more of a political stance. A question posed today by someone was "I wonder if the CEO of Apple would have been a little more helpful if the feds were asking for help finding out about a serial killer that was exclusively targeting gay people.?
I am not saying it is right or wrong but it definitely made me wonder about the political slant the CEO may have, as he is an admitted homosexual.
Apple has easy access to any of the encrypted software and I would venture a guess that the cryptographers at NSA would see it as child's play to break into any iphone. I mean, really, there are multitudes of guides online on how to jailbreak an Iphone. So getting that info the feds are looking for cannot be much harder.
It is all politics from both sides.
4:12 pm
Did you actually read what Mark said? Since 2014 Apple no longer has the ability to do this as they encrypted their operating system in 2014. All new phone since 2014 now have encryption on by default. The article you quoted even states that it was since 2008. So from 2008 to 2014 they unlock over 70 phones. But that stopped in 2014. This would be the very first phone that Apple would hack into since the encryption has been in place. The phone in question is encrypted. If Apple does this then every government in the world will want this ability. Even the much more oppressive ones like China. If you don't understand technology please keep your views to yourself!
3:36 pm
I'm torn between both arguments. Security is important and the threat of fundamentalist Islamic terrorism is growing exponentially. The rights of those 14 victims were abused in the most brutal of fashions. But the rights to privacy for ordinary law abiding citizens is one of the most important hallmarks of a free society.
However, why can't the boffins at NSA virtualise the data on the phone and brute force the passcode on one of their CRAY mainframes? I can virtualise any pc or server that's offline, and iPhone is just another computer. A CRAY would brute force it in a week or two.
3:40 pm
This is a very informative and well thought out article on this subject. I am thankful for software like Wordfence and use it to protect all the websites I maintain. I also am glad your company looks out for the consumers. For those in California this sounds very similar to a proposed bill (CA Assembly Bill 1681). Keep up the good work Wordfence!
Mark Arambula
Zunamic Technology
Irvine, CA
4:11 pm
I understand that our government has a duty to protect its citizens against. That said, this article makes a solid argument against creating backdoors into our devices for governments, and points out that it isn't necessary. Well written, Mark. I enjoyed reading it.
4:17 pm
Hi Mark,
I follow your blog with great interest but my thoughts suggest that the creator (Apple) must know how to get into their own software so isn't that a risk anyway, that people inside Apple have to be trusted not to give potential hackers a key to their own software.
The buck has to stop somewhere, but where?
5:02 pm
Just wanted to add that part of the responsibility for securing systems like the iPhone rests with infosec companies like us and our analysts who do penetration testing and vulnerability disclosure. So I'd say it stops with the industry, the open source community, regulators and the vendors themselves.
4:31 pm
This is a very important debate, taking the intuitive action of providing every possible assistance to our government to combat terrorism could have disastrous consequences for our ongoing security. Also brushed over by those two words infallible and unimpeachable are the links between many elected and appointed officials at all levels of government and business. So the possibility of access to commercially sensitive information by business competitors either by accident or design becomes a real possibilty
4:39 pm
I don't understand - do you not see the difference between accessing data on a phone that physically exists in your hand and being able to do this over the internet? Honestly as a parent, Apple's feature of permanently locking out people over the password thing has been a permanent thorn. Every time the kids get themselves locked out on their iPads, I have to wipe their entire devices. I am sick of there being no physical way around this. And it doesn't apply to the server ... I can walk up to a server and physically access it too, unlike the iPhone. When I lock myself out of wordpress, the whole site doesn't delete itself - I can reset the password. When my server password is lost, it can be reset too. But the phone can't. What is the reasoning for that??
4:48 pm
I sincerely hope the sense of this quote from the article was simply a logic flaw, or bad writing and insufficient proofreading, and not indicative of Wordfence's, or Apple's, position:
"This morning Apple issued a statement saying that, while they are deeply sympathetic with the attacks that occurred last year, they will oppose the order."
Please clarify that neither Apple nor Wordfence is "sympathetic with the attacks", and both are "sympathetic to the goal of gaining full knowledge of all facts associated with the attacks", or words to that effect.
4:59 pm
Ugh. Thanks Dennis. That was my fault entirely, and it wasn't for lack of proof reading. At least three people read that post before it went live and missed that. Nice catch. Changed to:
"This morning Apple issued a statement expressing sympathy for the victims in the San Bernardino attack and supporting the search for justice, but making it clear that they will oppose the order."
5:05 pm
I applaud Aplple's stand and that Wordfence is alerting the world to this issue. One of the reasons the MAC operating system is nearly hacker proof is that it doesn't have the back doors in place that have been built into windows since the horrible Windows Milennium that was so bad it had to be pulled. Why are PCs so prone to security violations? Because of all the back doors built into the Windows OS and I speak from first hand knowledge of those requirements that are handed to Microsoft by the government. The government just wants yet another opportunity to plug its spyware into our lives and satisfy its prurient curiosity about what we're doing so it can have yet another reason to dig deeper into our personal lives and further violate the Constitution. I say 'good on ya' to Apple and I hope that everyone realizes that if Apple says 'yes' to the government, it's just another step down the Orwellian road.
5:13 pm
Thanks Mark. This is to add my voice to the loud chorus of support for your efforts. Unfortunately, much of this is preaching to the choir. We who are in business of the internet know all too well about the fight for privacy, and we're doing what we can to keep our customers safe from the bad guys (thanks in large part to Wordfence). But I'm not so sure if it's useful to describe it as an East Coast mentality v. a West Coast mentality. I lived in Boston for 22 years, and amidst the surface clutter of being an "historical city," which it is, dig a bit deeper and you'll find an awareness and passion among a vast majority of it's citizenry that matches the the awareness and passion in the west, where I now live. But that's not my point, Mark. As soon as Tim Cook posted the "message to our customers," I shared it on my Facebook page. No "likes," no "comments," no nothing. Granted, I'm not much of a Facebook person, but I got a whole bunch of likes and comments on a picture I'd posted previously of my Subaru all caked with mud after a trek through the the Grand Staircase National Monument in Southern Utah. Here's the point: We know what dangers we're facing vis a vis privacy, but millions of people don't, and complacency, more than ignorance, even more than stupidity, is the biggest threat to our fragile democracy. With an open back door (to pandora's box), what's to stop the insurance companies, lenders, health care providers, pharma, etc. in addition to an otherwise well-meaning government, from learning everything about us, not to mention the treasure trove that would open to the bad guys? Complacency. East, West, Midwest, North, South, it's everywhere. There's a lot of anger out there these days, but it's mis-directed. Aside from the pointless political shouting, it appears we're headed for a quiet disaster, long before we can even begin to understand what has happened to us.
Again, thanks for your stand, Mark. I'm supporting you 100%.
8:49 pm
By the way, Apple is overblowing the FBI's request a bit. I found this article to be very informative on the actual logistics of it: "Again in plain English, the FBI wants Apple to create a special version of iOS that only works on the one iPhone they have recovered. This customized version of iOS (*ahem* FBiOS) will ignore passcode entry delays, will not erase the device after any number of incorrect attempts, and will allow the FBI to hook up an external device to facilitate guessing the passcode. The FBI will send Apple the recovered iPhone so that this customized version of iOS never physically leaves the Apple campus." How do you suddenly spread this to the world if you made it device-specific and that device never left the Apple campus? http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order/
10:27 pm
Why doesn't Apple just comply with the court order by providing software to hack the terrorists phone and then self destruct itself. That is the software can run only once on the terrorists phone only which is identified by its serial number...
5:24 am
Apple very clearly explain the reason why they can't do this in their press release in Section 4 - The Threat to Data Security http://www.apple.com/customer-letter/
6:59 am
Exactly that has been proposed.
BTW, what's makes Apple's position even more untenable is that phone is the property of San Bernardino, not the murderers. The reason the FBI needs access to that phone is they suspect the two killers were supported by others in the accumulation of the munitions and explosives they gathered before they slaughtered 14 people in cold blood.
What Apple is saying that a phone not even owned by murderers should be a sacrosanct vault of privacy. That every iPhone is a little island of safety for terrorists if they're smart enough to use a strong password. Information in that phone that might lead to apprehending more murderers? Pshaw! If a few members of the proletariat have to be gunned down to protect the secrets of the Silicon elite, well, sacrifices have to be made.
Seventy percent of the public believes Apple should cooperate with the FBI and I bet that number is 90%+ in San Bernardino. And if another attack similar to San Bernardino occurs and it is suspected important data resides in a killer's phone, that number will jump to 90%+ nationwide. Killers and terrorists have no "right to privacy."
And this entire post started off with a serious misstatement of the facts. The FBI is not asking for Apple to provide secret keys that enable them to bypass encryption (though a lot of foreign governments are demanding just that). This is not a "backdoor" attack. This is a smash in the front door attack on a phone that was used, not owned, by a killer who might very well have stored data about other killers.
What's Apple's new advertising campaign for the iPhone 7 going to be? Nine out 10 Jihadists buy iPhones before blowing themselves up? Maybe ISIS will agree to endorse the iPhone as the choice of terrorist networks everywhere. Hey, maybe al-Baghadi and Tim Cook can shoot an ad together extolling Apple's commitment to keeping terrorist secrets safe and secure.
Then Baghadi can throw Tim off a building for being gay.
Apple's behavior is PR stupidity at its finest. This, combined with Error 53, shows the company is losing touch with reality.
Rick Chapman
Managing Editor and Publisher, Softletter
Author: Selling Steve Jobs' Liver. A Story of Startups, Innovation, and Connectivity in the Clouds"
"In Search of Stupidity: Over 20 Years of High-Tech Marketing Disasters"
"SaaS Entrepreneur: The Definitive Guide to Succeeding in Your Cloud Application Business"
1:34 am
Without giving them the backdoor, why don't they given them the info???
1:46 am
So we have a secretary of state who regularly deals with the highest levels of classified information and she chooses to use a private server simply because of "convenience"?
And then jokes about "how shall I wipe clean my server? You mean with a cloth?" ?
Only a person with an IQ way below room temperature would trust ANY government agency to correctly handle and safeguard any sensible data. As much as I want to catch terrorist plots as early as possible I mistrust our highly politicised government! I applaud apple for their decision which isn't an easy decision at all.
1:52 am
All of the 'big boys' are suggesting that specialist software will be in the hands of the government and will be used to remotely hack any iPhone in question, at will.
Why is it not viable that the phone is taken to apple labs, and connected to a standalone non networked device which performs the hack to retrieve the data?
The argument about "if they let you in now then the bad guys will just make their own unbreakable encryption" is slightly ridiculous, because without the backdoor you're not getting in anyway, so that situation is no worse than we're currently in.
Surely the best answer would have been to comply quietly so the terrorists (important word there!!) didn't know they were being looked at after they died? This kind of balls-out media frenzy is what is exacerbating the situation in the first place.
2:15 am
Is Google going to have to do the same with Android or do terrorists only use iPhones?
P:S: Your internet and telecommunications activity is being monitored right now by the British Government's GCHQ program "Tempora". You can read about it here - https://en.wikipedia.org/wiki/Tempora
2:40 am
In days gone by, the government would take the device in question to say, Apple, and ask them to retrieve the information for them. They could do so and provide the government with the information they requested, allowing them to proceed with their investigations. So, why aren't they doing that now? Because, Progressivism/Fabian Socialism depends upon the government's ability to micromanage those they are trying to control, and for them, there's no better way to micromanage the peasants than to delve into and monitor their communications, or give the impression they can, whenever they wish. It's a most serious form of oppression; the oppression of the mind. I, for one, would hope that the public outcry against such things would be sufficient to put an end to all such attempts, but, sadly, I fear that, for most people affected, they will do nothing. Say nothing. So long as they feel their "safety" is worth the intrusion, they will remain silent; Believing themselves to be safe because of it, not realizing that they have never been in greater danger.
5:19 am
Props to Apple, props to Wordfence.
5:52 am
Strange enough that everybody wants to protect his data against government eyes but don't care about terrorist protecting theirs projects.... Do you all have such important things to hide that your lives are less important than your mails and sms ? If I had to vote, I would vote for Government not for Terrorists, with no hesitation.
5:59 am
First, I support Apple's effort to refuse this request. I also support strong encryption technologies and agree with most of your points.
However, in this particular case, the US Gov't is not asking for a back door into encryption. They are asking for a brute force protection mechanism to be removed. It also requires physical access to the device, not snooping across the network.
It's a different scenario from encryption, but still important to not allow for this security feature to be disabled.
I think your argument would be better framed if you based it around how to protect your site from being hacked vs. giving encryption keys to 3rd party/government agencies. These are two, separate areas of security that many in the media are muddling together under the name of a "back door."
I admit that this is a very novel approach on how to break into an iPhone. I'm sure someone in the black hat community who is smarter than me will come up with a way to hook an iPhone to a Raspberry PI to prevent bricking during a brute force unlock attack.
6:07 am
Would this also not give them access to every Apple customers info in a country outside of the USA?
6:10 am
Sooner or later, all cell phones and devices will all be encrypted and this will be old news. The government might as well get used to it.
6:45 am
Thanks Mark for supporting Apple in this endeavor. Wordfence has always been a #Trusted partner in digital security and I am sure your support will not go unnoticed!
9:10 am
I certainly agree with the position of preventing the government for accessing personal information on personal devices.
One point not covered is the particular iphone in question was provided by his employer and that was a government agency. I also know that phones provided by employers are still the property of the employer and as would all the content on the phone. Employees do typically sign a statement to that effect.
So the dilemma is how to not compromise privacy issues for the individual and obtain information from a device not owned by the individual?
I do not think there is anything of value on this phone to begin with. The two perpetrators destroyed their personal phones and computer so I do not think it accidental this phone was not destroyed. There is probably nothing on it in the first place. They would not be so foolish to believe that any communication from this device would not have been monitored in some fashion.
IMHO the FBI is just chasing windmills here.
9:53 am
Any software that is developed that unlocks one device will allow people to unlock many more devices.
If developed, organized crime would have a copy within a very short period of time. It would be like creating the biggest Trojan horse ever created.
What I would like to see, is various authorities, such as WordFence, WordPress, Apple, to create petitions to petition the government to change their point of view about this demand. The People can make change, but only if directed in a manner where many voices can be heard in one place to make the impact with numbers.
I encourage the technical enterprises who could have the most clout to create these petitions and circulate them widely. Then we can all participate in a common move to effect change.
12:03 pm
100% correct. If Apple creates a backdoor it is only a matter of time before some bad guy breaks in.
I'm surprised the banking industry is not lobbying against this. How much annual profit does the financial industry lose due to fraud and identity theft?
Our communication should be secured end-to-end. This subject should not even be on the table for discussion.
11:18 am
The United States Constitution: Article 4
"The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized."
Since 911 our government has abrogated a Citizens Rights under article 4. Congress has decided to abrogate the constitution in a quest for "TOTAL AWARENESS" an FBI program which went into the "Dark Budget" in the mid 80's. This and many other programs are illegal and the Citizens have a right to resist. Apple is correct, and I am sure it's lawyers has advised them to resist this attach upon the bed rock of their commerce.
11:50 am
We have a 4th amendment right to be secure in our personal effects. Our computers (with our personal information on them) is one of our personal effects. Back then, one of our effects was paper communication in the form of letters. Today, it is electronic paperless communication.
If a bad guy cracks the encryption that is an "unreasonable seizure" as far as I am concerned because it could have been prevented.
Yes, we all want to give our law enforcement the tools they need to do their jobs. Of course we all appreciate their hard work. However, where do we draw the line? At what point do we say our freedom is more important than security? At what point do we stop penalizing 320 million people for the actions of a few?
How many people have had their PII stolen because we don't use strong end-to-end encryption?
Here is the deal. When safety becomes more important than freedom we will no longer be a free people. What good is it to be safe, but not free?
We have a real problem in America these days. We swat flys with sledgehammers. Surely the recent advancements in Artifical Intelligence, Nano Technology, Neural Networks, face recognition software and others, can help the cops catch the bad guys --- without us having to risk exposing ourselves and our personal information.
Side note: Thanks to the creators of the WordFence plugin for helping us keep our websites secure. You guys and gals are the best.
4:24 am
Please allow me one naiv question, I welcome any advise (and also feel free to call me stupid).
Why the FBI does not handover this one phone to Apple, then Apple find a way to drag out all data from it and handover data and phone to the FBI? It seems to me the obvious and most simplest way, but apparently this is no option.
Thank you.
1:14 pm
That was part of my question also. If they are STRICTLY interested in getting the information from this phone, they should take it to Apple, and let Apple open it up. Nope, the reality is that I believe that they want to control to do what they want, when they want, and are using this as a publicity stage to attempt to brow-beat Apple into giving unlimited access to ANY phone in the future, through this back-door that they want. Tell me, how many government computers have been hacked this year, including the current IRS situation. This type of backdoor capability, sitting on a government computer system, is highly dangerous, for all consumers, in the protection of their privacy.
9:43 am
There are probably hundreds of iphones in evidence lockers all over the country. If Apple gives in there every lawyer out there will demand the court require Apple to unlock any phones in their cases too. The requests would never end and the contents of peoples phones would be in the hands of lawyers and prosecutors and their workers all across the country.
5:24 am
This is a well-researched, well-written article that corrects common misconceptions by the media of what is actually going on and what the court order is actually asking of Apple.
As you said, the major problem with a back door it that it opens up the possibility of a whole new way for hackers to get in.
One thing you didn't allude to in the article is that it is actually quite an onerous burden from a business perspective for any company to be made to develop a whole new technology. I don't feel it's Apple's job to do that. Strangely enough, I don't see any court order focusing on the gun makers who made the weapons and ordering them to create a new version going forward that takes electronic records of the people's fingerprints who used it.
Apple has been nice about refraining to comment that it's not Apple's job to spend a whole lot of time and a whole lot of $ to develop a whole new (and LESS secure!) OS. But I feel that it needs to be said.
New reports state that Apple has fully co-operated with the FBI. If the FBI's best people (with the co-operation of Apple) can't un-encrypt the phone, I still don't feel that this is Apple's fault or Apple's responsibility to create a less secure OS (with a back door). Again, I don't see the court order targeting the weapons manufacturer.
The problem here is not solely the fact that the government will be able to spy on people's phones if a back door is crated, but rather that it creates a bigger risk of HACKERS being able to spy on people's phones. To end, if such a back door is created, I'm sure that private steganography may turn into a lucrative business field!
7:03 pm
Interesting topic, since the 911 has more than 500,000 people died in the US.
But nobody wiretaps the car industry for it.
A thought from Sweden.
1:27 pm
I respect your opinion and your thoughtful analysis of the situation, but I also respectfully disagree. I believe there is a common myth that what happens in the digital domain is somehow fundamentally different than what happens in the "real world". I do not believe the courts will support this view. For instance, consider this analogy - imagine I were stockpiling illegal drugs (or arms) in my home. Law enforcement has a right and duty to enter and search my home PROVIDED they have shown reasonable cause to the court and secured a search warrant. In this case, the court provides the check & balance against possible law enforcement malfeasance or incompetence, protecting my privacy until the point where the public good demands that my privacy be violated.
I believe the same principle applies in the digital domain. Barring reasonable cause, law enforcement has no right to violate my privacy by accessing my confidential information. However, once they can show reasonable cause, they can and should have the equivalent right to examine my digital secrets as they have to examine my person or personal property.
I admit this is slippery slope area - what I do not quite understand or agree with is the premise that the digital domain is fundamentally different from the physical world. i believe that the same principles that protect our physical privacy can and should be applied to our digital privacy. And I suspect that's where this is all headed. Apple is fighting the good fight as they must in order to ensure there is a broad precedent set which applies equally to their competitors. Failing to do so would subject them to a public relations fiasco and a marked competitive disadvantage. (Imagine what hay Samsung would make if Apple and only Apple handed the privacy keys over to the feds). But I believe they will lose in the end and the precedent will be set.
If this troubles you as a reader, then consider the upcoming elections as your personal chance to vote for a more liberal Supreme Court which is more likely to err on the side of protecting personal privacy rights...