Monday, April 4, 2016

Perspectives on computer security and encryption from Apple, the FBI and I : Apple

Apple's perspective on computer security and encryption

This is the third in a series that started with discussing the FBI and my own use of security and encryption technology.

Apple's most lucrative product line at the moment is their iOS-based distributed content delivery platform. This includes the iPhone, iPad, Apple TV, iWatch, and related hardware.  While this hardware is distributed to customers, the platform is similar to the platform I manage for my employer, where hardware is distributed geographically but control remains in our hands.  This is the platform which Apple has been marketing to the content industry for decades as a safe, secure platform for them to distribute their multimedia, where it is Apple and not the end users who control the technology.

These devices are intended to be connected to the network, and the ongoing work to secure them is similar to any other network connected device.  The network and exploits carried out on the network don't differentiate clients and servers as much as the layperson thinks, and any network connected device must be constantly updated to deny unauthorized control.  The question of authorized control doesn't differentiate between types of devices, and it is just as easy for Apple to remotely manage an iOS device as it is for me to remotely manage the computers I do.  The major difference is in the reliability of the network connection, with mobile devices having less stable network connections than servers.  People also don't tend to turn servers off when a specific user isn't using them, but remote management and control don't require constant network access.

Hardware assistance for Apple's security

Apple's iPhone 5C, which was discussed in the FBI vs Apple lawsuit, does not include Touch ID or a Secure Enclave, so it is similar to the existing control which Canadiana has of our distributed computers. While Apple remains in control of the platform, they are not as secure from malicious apps or intruders with physical access to the computers as they would like.

Secure Enclave is Apple's implementation of the SecurCore and TrustZone technologies from ARM which I discussed in the previous article.  This will grant Apple greater control over the technology than they had before, including greater control over the scenario where the attacker has physical access to the hardware.

Some users may find this technology will eventually make what is commonly called jailbreaking much harder, if not impossible.  Apple could opt to use Secure Enclave to disallow the people who possess the hardware from having any ability to bypass any of Apple's control.  It is critical to understand that Apple's use of this technology is not to grant the technology user more control over the hardware or their data, but to transfer any remaining control that the user might have had to Apple.  People who possess this hardware often incorrectly think of themselves as owners, even though acquiring an iOS device has become legally more similar to renting than purchasing due to anti-circumvention legislation.

People who acquire this hardware are not alone in the confusion. When James B. Comey, Director of the FBI, offered testimony in front of the Judiciary Committee he said, "In recent months, however, we have on a new scale seen mainstream products and services designed in a way that gives users sole control over access to their data."  While some people have suggested he might have been talking about Apple's adoption of SecurCore and TrustZone, he is incorrectly suggesting it was "users" of these devices who would have sole control over access to data rather than Apple having additional control over the device.  It is possible that he fully understands Apple's use of technology, and wants to offer free advertising to Apple knowing that Apple is specifically not offering the service he is suggesting they are.

This is the same concern I have with the services I provide:  If law enforcement and courts believe it is the entity that possesses the hardware that is in control rather than the entity controlling the software stack with full network access then they will continue to send court orders to the wrong entity.

Law enforcement needs to understand the technology better.  In the case of an iOS device, it is Apple who is the responsible entity and should be served with the warrant.  A very different scenario would be someone who is running CyanogenMod, where it is the individual user (in this case, legitimately called an owner) of the device that is in control and thus they should be served with the warrant.

Limits to Apple's control

In the specific case before the courts the technology user didn't destroy the device, and there has been nothing to suggest that the user even "jailbroke" the device to bypass any of Apple's control.  The FBI currently possesses the device and will obviously be granting network access and power to the device.  This means that all the potential limits to Apple's control do not apply in this case, and thus they have full access to do anything requested of them.

In this case it appears that the FBI jailbroke the device on their own, and no longer has a technical need for assistance from Apple.

The law

While I may believe that lawful access all too often grants excessive access to police without adequate oversight, the law is clearly in the government's favour in this instance with the iPhone.  If we were talking about information stored on Facebook or Twitter, where the physical location and who was in control of the computer in question wasn't confusing people, the debate would not be happening at all.  Clearly Facebook is in control of their network of computers whether or not the devices are stored in locations that Facebook owns, and Apple is similarly in control of their secured platform.

There is no back-door being discussed.  All that Apple was being asked is to use their keys to the front door and access the data.  They are the entity that holds those keys, not the user of the technology, who under anti-circumvention laws is denied legal access to the keys.

While Apple has been misdirecting people and stalling, and there are "engineers" who have allegedly threatened to leave Apple if the government is lawfully granted access, the situation is no different than any other of hundreds of technology companies providing services to users on a platform that the vendor rather than the user controls.  If Apple executives or individual employees are destroying evidence they should be found in contempt of court, and handled severely.

If Apple's engineering staff is not sufficient (or is no longer sufficient after vigilantes resign) to solve any technical problems, then the court should order all source code and technical specifications to be disclosed to a third party who can do the required work.  If Apple refuses to disclose this information, then I would suggest that revoking their corporate charter should be the minimum on the table.

The fact that the FBI jailbroke the device should not have ended the case, and Apple should still be pursued by the government.

Politics

Adi Shamir, an award-winning cryptographer who helped create the RSA encryption algorithm in 1977, suggested that Apple "wait for a better test case to fight where the case is not so clearly in favor of the FBI."

I'm not convinced that Apple had an interest in winning the case. Apple's greatest threat to the market share for their secure vendor controlled content delivery platform comes from technology users switching to devices which they can individually control. Apple has a history of dishonestly trying to misdirect responsibility for their centralized control. While for decades it has been the confused content industry that still has some who mistakenly believe that this vendor control benefits them, a far more powerful scapegoat would be law enforcement and national security agencies.

Apple has the FBI falsely suggesting that next generation iOS devices "gives users sole control over access to their data", providing Apple with marketing for a service they don't provide and driving users to technology which the FBI and other government agencies will have easier access to through the legal system than competing technology. Whenever Apple is requested to disclose information they can claim "the Government made me do it", even though it is Apple who denied users of their services any device control in the first place.

It seems unlikely to me that the FBI didn't already have technology to "jailbreak" the device at hand.  This isn't going to be the simpler third party services available to end users, as governments will have far more resources and techniques available to them to "jailbreak" devices.  I suspect that the case was pursued for political reasons to try to push this issue forward, and likely to prop up Apple's marketing claims that they are providing technology which protects the users rather than Apple's conflicting interests.

Apple also knows that their business model and lobbying in support of anti-circumvention legislation is controversial, and them being the ones to push this case forward would provide less community opposition to the FBI than if a less divisive company were bringing the case forward.  Their involvement complicates what could have been an easy-to-understand set of sound bites in support of protecting technology owners' rights against unreasonable search and seizure into something extremely complex to discuss.  I have been delayed in participating in the discussion as it took me a while to decide how to explain my position, and I fully expect to still get confused "but Apple are the good guys" comments to this article.

Apple's ongoing attack on technology owners' interests could cause considerable damage.  If it becomes considered normal to have the vendor rather than the user be in control of communications technologies, it may eventually lead (likely with Apple's continuing political lobbying) to governments outlawing citizen controlled technology which competes with Apple's vendor controlled technology.  It could be used to strengthen backwards laws which outlaw alleged device "owners" from removing non-owner locks from their devices, with the justifications moving from odd unproven theories about protecting "copyright" to even further counter-productive arguments about law enforcement and national security.

Conclusion

My answer to the question of whether I was on Apple's or the FBI's side is clearly neither, as I consider them to have perspectives dangerously close to each other.  Neither is interested in allowing the wide deployment of technology that "gives users sole control over access to their data", and while their positions appear to be in opposition they are actually greatly helping each other.

Those who recognize the critical importance of secure citizen controlled communications technology should be opposing both of these entities, not siding with one or the other in a battle where the public interest loses no matter which one of those entities wins.

Perspectives on computer security and encryption from Apple, the FBI and I : my use

My perspective on computer security and encryption

This is a second article in a series that started with discussing the FBI and will end with discussing Apple.

I have worked in this industry since the early 1990s, administering Internet network connected computers.  I have worked for companies that produced firewalls, as well as worked in government departments where implementing security policies was critical.  Encryption is a critical part of what I do for clients and/or employers, as without it we could not build the services we are able to offer.

Local vs Remote Control

One of the hardest concepts to grasp with modern technology, even for fairly technical people, is the need to separate the concepts of geography and control.  With simpler technology the person who possessed something was the one who controlled it, but with modern computing this is not the case.

A big part of my current job at Canadiana is to manage a network of computers.  While some of the computers are located in the building I normally work in, most are not.  We currently have computers in Ottawa, Montreal, Toronto and Edmonton, with plans to continue to expand across the country as we grow. I control all of these computers from wherever I am at the time, whether that is physically in our main Ottawa office or when I am working remotely (I am in Sudbury as I type this).

We use Virtual Private Networking (VPN) technology to connect these computers together, and a variety of other encryption technologies for authentication and privacy.  In order to connect to any of these computers I must possess both the required cryptographic keys and the passphrases required to unlock those keys.  This is required to ensure that only authorized individuals like myself can gain administrative access to these computers, and we need to ensure that nobody can eavesdrop on this communication and learn anything that might allow them unauthorized access.  We are often working with multiple layers of cryptography: secured ssh command-line access through VPN encrypted connections to network interfaces which don't have publicly routable addresses.

It is modern computer security and cryptography which makes this critical feature possible.  It is what allows us to know that we are able to have exclusive control over these devices regardless of their location. Any weakening of computer security, either to benefit law enforcement or some third party special interests (device manufacturers, etc), opens the technology up to other unauthorized access and puts my clients at risk.  I am not alone, and much of the modern economy and politics of society is built upon the need to continuously improve computer security and encryption.

Hardware assistance for security

We plan to expand our services beyond what we currently offer in two important ways that will impact security policies.

Currently we host our servers in partner organizations that we trust, as well as a commercial service provider. As we expand we may want to physically locate computers on networks and in server rooms of organizations that we have less trust in.  We will want security features which will protect us even from people who have physical access to the computers, to ensure that the most they could do is disable a node and not be able to abuse keys/etc stored within that node to attack other nodes in our network.

As we move from hosting digitized images towards the data which the digital humanities community needs, we will have reasons to offer these communities the ability to author apps which run on our servers with faster access to the data and only need to communicate the results of complex queries to remote computers. These apps will run on our computers, but we will want to ensure that nothing these apps can do can impact the rest of our network.  While there is a wide variety of software based virtualization technologies, we may have reason to harness hardware assistance to implement security policies.

One example is ARM architecture manufacturers which offer SecurCore and TrustZone technologies.  These allow multiple physical CPUs, or multiple sections within a single CPU, to be separated so that one can secure the other.  This can be used in conjunction with UEFI secure boot, which if implemented correctly can ensure that only software digitally signed by the owner can run on the computer.

Using separate System on Chip (SoC) technologies, the firmware loaded into a secure SoC can be instructed to erase local keys if it detects tampering.  This way encrypted data on the system could not be accessed even if the computer itself was physically compromised.  Keys could be stored in that secure zone, meaning that even if disks were removed from the server the data on them would be inaccessible.

While some companies will be able to afford to manage the software stack on each CPU within each zone, many will simply hire this from other companies.  The ideal in these environments is for the hardware vendors and software authors of the different components to consider each other hostile, providing the same types of checks-and-balances within a computer that we need in our public policy spaces.  In this way the operating system might detect hostile secure zone firmware in the same way that the secure zone firmware may detect a hostile operating system, with both working together to protect the computer owner from hostile applications.

Some of us will only put our trust in transparent and accountable FLOSS.  Genode provides good documentation on their TrustZone implementation. Open Virtualization provides a great ARM TrustZone FAQ, which describes the relationship between TrustZone and the Trusted Platform Module (TPM).  These are both commercially supported projects which offer both FLOSS and non-FLOSS licensing options for software which is open and accountable.

The limits of physical access

Once a computer is fully secure, there are only a few things that someone with physical access can do that are not under the control of the entity with all the security keys.
  • They can disconnect the device from the network.  This doesn't grant the person with physical access control, but it does deny the remote owner the ability to issue new commands to the device.  The device can only act on instructions it already has on it, in the form of installed software.
  • They can disconnect the power to the device.  This also doesn't grant the person with physical access control, but denies the ability of the remote owner to execute any commands whether the software was already installed on the device or not.
  • They can destroy the device.  This also doesn't grant the person with physical access control, but denies the ability of anyone to ever control the device again.
This means that while it is possible for someone with physical access to disrupt the operations of the device, it doesn't grant them control over the device.

The Law

When I am controlling a distributed set of computers on behalf of my employer, I and my employer should not be considered above the law.  If evidence of a crime was stored on our computers, and we were served with a valid court order to present this information to law enforcement or the court, we would obviously do so.

I would not consider it a reasonable course of action to deliberately configure computers under our control to destroy evidence.  As much as we might claim we are protecting the "privacy" of our clients, I don't consider that to be a valid reason to ignore a court order.  I would consider this an example of vigilantism that would be contrary to the public interest.  When a government makes harmful demands this should be something that is fought in the courts and debated in parliaments, not something that individual citizens or corporations take on themselves.   While we might agree or disagree with any specific government in any individual case, it makes us all unsafe if we condone individuals or governments ignoring the rule of law.

When a law is wrong we work hard as citizens to fix the law, not ignore it.  While I agree there are many buggy laws deployed in every country, I consider this a reason to get politically engaged as any trustworthy citizen or corporation should.

Law enforcement and courts need to modernize their understanding of technology, most importantly the question of control in a networked computing environment.  They need to understand that the physical location of the computer is not the most important factor in determining who controls the computer, and thus who to serve warrants to.

If we deployed fully secure hardware with hardware assistance, and had security put in place to protect us against attacks by unauthorized persons with physical access (i.e. keys wiped if unauthorized physical access is detected), then law enforcement must be aware of this advancement.  If in the pursuit of evidence to convict a user of our services they served a warrant against the physical hosting company rather than us, then they risk destroying the evidence they are trying to collect.  The warrant must be served against the entity that controls the computer, not the entity that physically houses the computer.

It must never be considered the fault of the computer owner that evidence was destroyed by law enforcement.  The current technology-illiterate or technology-neophyte politicians, judges and police officers are making all of us unsafe.  Technology literacy must become a requirement of those who will be trying to make or enforce laws impacting technology.


Keep reading: Apple's use of computer security and encryption

Perspectives on computer security and encryption from Apple, the FBI and I : FBI

Many people have weighed in on the Apple vs FBI case, including a speech by President Obama.  People in the technology industry have lined up in support of one or the other.

My views can't be expressed as simple support of one position or the other.  As I believe there is a third option, I am authoring this as a series of articles that discusses the issue from three perspectives:

* This article discusses the FBI
* A second article discusses my use of security and encryption technology
* A third article discusses Apple

Lawful Access

I've written about the question of lawful access before, and the requirement for there to be strong oversight of police and security agencies in order for those agencies to not themselves be the risk to society that they are supposed to be reducing.  Law enforcement and security agencies must have strong court oversight, and the courts themselves must have strong citizen oversight through ensuring the number of closed court sessions is kept to an extreme minimum.

There is a conflict of interest when it comes to law enforcement and security agencies and protecting the public.  Often these agencies will confuse protecting citizens against death with protecting their lives.  They promote policies which make it easier for them to find and punish wrongdoers, but generally have no concern about the harmful consequences of those policies on the health, safety and security of citizens.

FBI Opposition to encryption

There is no better example of why there is a need for checks-and-balances than the extreme views expressed by James B. Comey, Director of the FBI.  He has for some time been suggesting that the world is "going dark" because an increasing amount of communications is encrypted.  He sees only the narrow potential downsides of this technology in that it might hide criminal activity from the FBI, and ignores the critically important features -- the very fact that the modern economy and much of modern society is built upon private communications requiring strong encryption.

If Mr Comey were a doctor, he would recommend amputating a patient's head to solve a back pain problem. He would be correct in saying that after amputation the patient would no longer feel back pain, and would likely be confused why people would consider that a failure.

Fortunately in our society we don't leave extremists like him solely in charge.  Even the NSA, which does its own cracking of encryption and has been accused many times of trying to weaken or put back doors in encryption, had its director come out in favour of encryption due to the extreme views expressed by Mr Comey.  In fact, there is a rift within the US government about this issue, and it is quite a complex one that simply can't be expressed by saying individuals and agencies are picking sides between Apple or the FBI.

The FBI or any other government agency, here in North America or elsewhere, should never be given "back door" access to technology in general as that would enable them to bypass the required checks and balances which the courts and the public must be able to provide in a democratic society.  I have absolutely no respect for the position that suggests they should have no barriers to their investigations, as I do not believe democracy and the required separation of power between agencies can ever be claimed to be a barrier to protecting a democracy.


Keep reading: My use of computer security and encryption

Sunday, April 3, 2016

First look at Bell's CraveTV

While I am not a fan of Bell as a company or their harmful politics, I decided to give CraveTV as a technology a quick look given they un-tied it to their BDU and Internet services since I wrote about it in January.

Technology

The service works on few devices, nowhere near what is available for Netflix.

While their site listed Samsung SmartTV, the model I have appears to be too old for their immature app. This makes it unlikely my wife will be interested in watching video on CraveTV as she finds the other options far less convenient than just using the remote control that came with the TV -- there is so much from Netflix, YouTube, and Ted Talks that all work great on the SmartTV option to bother looking elsewhere.

My first successful try with CraveTV was with what I would most often be using, which is my Chromebook and Chromecast devices.  The website was sufficient, but not inspiring.  Their "My cravings" menu allowed you to play the next video in a series, but using that interface you couldn't pull up information about the shows like you can in the other listings or after a search.  There is no recommendation engine, rating system, or other features that really bring you the modern video watching experience.  It felt kinda flat like traditional broadcast TV, only with more of a PVR experience where you can watch when you want rather than only when someone else scheduled it.

The play/pause button is not well implemented with Chromecast.  While you can open a new video on the website it does not switch which video the Chromecast is playing, and it will leave you stuck in the previous title.  There is no "stop" button which disconnects from the previous video and allows you to play a new one -- you are stuck going to the cast tab and stop casting before you can cast the next episode or switch titles.

The app for Android worked similarly to the site on the Chromebook, with my phone also able to control a Chromecast device.

I tried on my desktop.   On Chrome it brings up all the widgets as if it is going to play video, and even gives that little spinning circle that they display when they are filling buffers, but no video or audio ever plays.  No indication why is ever displayed.   The little Chromecast button sits in the bottom-right corner, and interestingly it will connect to the Chromecast and play the video.  Possibly useful if you wanted to use a laptop as a remote control to a Chromecast, but not very useful otherwise.

My first attempt with Firefox displayed a suggestion that I install a non-existent upgrade to the Adobe Flash plug-in.  I am already running the latest that is available for my Ubuntu 14.04 desktop (version 11.2.202.577 as I write this).  A second attempt after upgrading every package that had an update didn't get that far, with the site displaying a connection problem: "It appears there was  problem completing your request.  Please refresh this page.".  The page I was trying to go to was http://www.cravetv.ca itself, so that is a pretty bad sign.  I exited the browser and tried again, and again got the claim that "To watch video, you need an Adobe Flash Player Update" with a link to the Adobe site that only confirms I'm on the latest.

My general impression is that this is a beta service that they are marketing as if they were ready for general audiences.  I hope they realize the immature level of their site and plan to invest in finishing it.  Even ignoring my political problems with Bell I would not recommend this service to less technical users, who would be frustrated having to fiddle and do odd things to try to get the video going.  The site is workable for technically literate people who can work their way around bugs in beta websites.

This site is an improvement over Rogers on Demand Online from 2009, which implemented commercials so poorly as to make programming unwatchable.  Then again, that might only be because they aren't trying to put commercials into the stream.

Content

It is the content that made me look at CraveTV rather than Shomi.  I'm not interested in the regular "reality" TV, sitcoms, or excessively light drama that the lowest-common-denominator brought to broadcast television.  CraveTV has a number of titles that are more to my liking, the type of stuff that would normally be on Space.ca (about the only channel I miss from my Cable TV days) as well as titles from HBO (although no Game of Thrones or even True Blood, for whatever reason).  12 titles went into the "My Cravings" listing pretty quickly, and even though I only started my free trial yesterday I've already watched several episodes of The Librarians and Penny Dreadful.

It is typical of Bell that they are relying on questionable legal/business tactics like exclusive regional licensing to force people to their services, rather than offering competitive services using technology that would be considered of "release" quality by modern Internet era companies.  The only reason I would use their service is to access content I'm not legally able to get elsewhere, and I expect I will always have to put up with technology from them that is generations behind what modern companies like Netflix are offering.   It is sad that HBO and other cable-era content companies like it see Netflix as a competitor and Bell as a partner, rather than the other way around. I think far more people would be paying to access that content if it were untied from lesser distribution services and providers.