Security

Apple/FBI saga: The only winners may be cybercriminals

The US government vs. Apple debate just got even more interesting and complicated. It seems mandated backdoors are so yesterday.

Image: CNET

When headlines like FBI to Apple: We don't need your iPhone hack appear, the US government vs. Apple encryption debate takes on a whole different complexion.

The following quote is from the FBI filing submitted to a California federal court:

"On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone. Testing is required to determine whether it is a viable method that will not compromise data on Farook's iPhone. If the method is viable, it should eliminate the need for the assistance from Apple Inc."

In the filing, the FBI asked that the scheduled court hearing be canceled and that any proceedings are suspended until April 2016 at the earliest. Until that news broke, only conspiracy theorists were convinced the US government did not need a backdoor for encryption, and that they only wanted the law to make things easier for federal law enforcement agencies.

SEE: If the FBI found its own iPhone backdoor, should it show Apple?

High-level view

To get some perspective with the release of new information, let's look at what we know.

Point 1: Apple created a digital messaging system they felt was cryptographically secure. And word has it, they are working to ensure that will again be the case technically and legally.

Point 2: The US government, represented by various agencies, has publicly admitted that current encryption schemes are affecting national security and the fight against terrorism.

Point 3: Cryptologists and cryptographers, by nature, are overly cautious when asked whether something is cryptographically secure. More often than not, crypto wizards prefer speaking in terms of how many years it will take to crack the encryption process in question.

One of the experts, Roger G. Johnston (Ph.D. in physics), who spent 23 years securing the US government's Argonne and Los Alamos laboratories, and now runs a security consulting business called Right Brain Sekurity said to me during an interview:

"The ease of defeating a security device or system is proportional to how confident and or arrogant the designer, manufacturer, or user is about it, and to how often they use words like 'impossible' or 'tamper-proof.'"

Point 4: History backs up the experts. If individuals or organizations are so inclined, have enough time, and are financially supported, they will eventually be successful in doing what was thought impossible: defeat the encryption process.

To summarize: There are two sides to the debate: those for adding backdoors to encryption schemes, and those against any compromising of encryption. Then there is the actual encryption process — the Apple iPhone's, in this case — which according to new reports may be vulnerable to sophisticated bypass methodology negating the current need for a built-in backdoor.

Just hinting of a way past encryption by the FBI has to excite the heck out of every bad guy on the planet. Bruce Schneier speaks to this on his site:

"[R]emember that attacks always get easier. Technology broadly spreads capabilities, and what was hard yesterday becomes easy tomorrow. Today's top-secret NSA programs become tomorrow's Ph.D. theses and the next day's hacker tools. Soon this flaw will be exploitable by cybercriminals to steal your financial data. Everyone with an iPhone is at risk, regardless of what the FBI demands Apple do."

SEE: Apple executive: FBI is 'taking the side of hackers' in iPhone unlock case

What if?

Even more interesting, what if the debate goes away? What if the US government returns to silent mode and leverages those scary smart decryption experts that give cryptologists and cryptographers nightmares?

Or, what if it comes to pass the US government does enforce a backdoor policy on companies developing encryption technology? Would bad actors and cybercriminals quickly devise encryption technology — maybe even selling the backdoor-free encryption in their underground markets to defray their costs?

As this story unfolds, it might be time for all concerned parties to step back, take a breath, and act like we've made some progress since calling caves home. No disrespect intended, but the only individuals who win this kind of heated battle are adversaries who do not have the public's best interest in mind.

Also see

About

Information is my field...Writing is my passion...Coupling the two is my mission.

Editor's Picks