FBI director: Unbreakable encryption is a “huge, huge problem”, failed to access 7000 encrypted smartphones

[captain_to_fire]

Sources: Ars Technica, BBC News via Bitdefender 

 

Quote

 

FBI Director Christopher Wray told a conference of law enforcement officials on Sunday that he and his colleagues have been unable to open nearly 7,000 digital devices in the first 11 months of the 2017 fiscal year.

 

 

To put it mildly, this is a huge, huge problem,” Wray said at the International Association of Chiefs of Police conference in Philadelphia, according to the Associated Press. “It impacts investigations across the board—narcotics, human trafficking, counterterrorism, counterintelligence, gangs, organized crime, child exploitation.” Wray’s remarks come less than two weeks after another top law enforcement official, Deputy Attorney General Rod Rosenstein, called for “responsible encryption”—a seemingly magical method by which only law enforcement would be able to defeat the encryption on a digitally locked device. “I get it,” Wray said. “There’s a balance that needs to be struck between encryption and the importance of giving us the tools we need to keep the public safe.” His speech did not focus exclusively on encryption but also touted the FBI’s partnerships with law enforcement locally and around the world.

I mean yeah, if they want to investigate something encryption can be a pain in the ass not to mention, encryption is used badly especially when cybercriminals create ransomware that either locks the user’s files or tamper the master boot record. At the moment, only a few ransomware has a publicly available decryption tools. [No More Ransom Project] 

Quote

Trade-off

 

"Encryption that frustrates forensic investigations will be a fact of life from now on for law enforcement agencies," he said.

"Even if the equipment manufacturers didn't build in such encryption it would be possible to obtain software that encrypted data in the same way." Referring to the trade-off between cyber-security and investigative hacking, the FBI director said: "I get it, there's a balance that needs to be struck between encryption and the importance of giving us the tools we need to keep the public safe."

Mr Wray was speaking at the International Association of Chiefs of Police conference in Philadelphia on Sunday.

But the thing is, anything you say can be used against you. That’s why in court hearings or during arrest by the police in most countries, the police reads the suspect’s Miranda Rights. Just imagine if the cops can read all outgoing and incoming emails via an encryption backdoor. Not only it is uncomfortable but for even something innocous and neutral message content can be used as a probable cause. Just as the San Bernardino iPhone 5c, it was just a pretense to grant the FBI unrestricted access to iPhone’s once they’re given a backdoor and even when they were able to unlock the iPhone 5c via a third party hacker, they found nothing. What’s disappointing is that even the current US DOJ calls weaker encryption as responsible encryption. What would happen if if the same weak encryption is used against the US government? What if someone like North Korea hacks US government databases? That’s why demanding for a backdoor or attenuated encryption is a gray area. This reminds me a video from Tom Scott who said that encryption backdoors are only as good if the current government is good. 

 

Edit: But then if I’m playing the devil’s advocate here, I would want a way to easily catch criminals. Let’s say I’m a cop organizing an investigation and my team arrested 10 criminals who are not only drug traffickers but also child pornographers. After arresting the crooks, my team found several computers that are using Full disk encryption. I could make a case in the court to demand let’s say Microsoft or Apple to produce a temporary backdoor to bypass Bit locker and File Vault. After decrypting ghe computers, my team found out their existing operations as well as phone numbers and IP addresses from other countries. The local cops can alert those countries that a bug gang of notorious criminals are with them so we basically put a criminal operation to an end.  

 

For more information about the NSA's spying playset, you can check out this video:

 

On the flip side, I’d want to hear POTUS45 to say “unbreakable encryption is a yuuuggge, yuuuggge problem.” ?

[bcguru9384]

even with backdoors as stated theres always third party software

this is a losing battle as even old school pen and paper can out cipher investigators so even with 0 encryption one could hand write message then cell phone pic email pic

its ciphered yet not with computer

 

[Vode]

What happened to good old fashioned police work?

 

Encryption backdoors are such a bad way to deal with it.

 

It opens a can of worms you don't want to open.

Botnets, Credit card fraud, digital identity theft.... just to name a few.

 

But the governments around the world just don't seem to understand that. They don't understand the technology.

[dfsdfgfkjsefoiqzemnd]

They just don't get it, do they?

 

If you weaken encryption, every regular law-abiding person is more vulnerable while the bad guys still will have access to unbreakable encryption.  The math is out there, it's really not that hard to make a properly secure encryption tool and sell it on the black market. 

 

"If you outlaw unbreakable encryption, only outlaws will have unbreakable encryption". 

[Teddy07]

Too many dangerous new folks out here in Germany. Need more police because I don't feel safe anymore at night.

 

--> weaken encryption

[LAwLz]

I feel safe knowing that the FBI struggles with decrypting phones. If they can't do it then other criminals most likely can't do it either.

 

You would think that all the people who blindly trust the government with this incredible power would become at least slightly skeptical to it after Trump became president. Like you said, even the people who think backdoors are useful in the hands of the right people must realize those people will be swapped out for someone you might consider to be a bad person.

 

Were you OK with letting Obama see all the private information about your life? Then you must also be OK with letting Trump do it, or letting Putin see it for Russian citizens.

Once you implement a backdoor, access to it will be handed to someone you don't like at some point.

[Arika]

i can see both side of it. while yes privacy is a major point in this whole debate. but they should be able to access devices on a warrant basis with a good reason as to why the need the access in the same way that they can't just barge into your home without a warrant and take your desktop computer.

 

only only be able to obtain information relevant to what they are searching for instead of 100% unrestrained access, kind of like subpoenaing bank records from the provider

 

Quote

What if someone like North Korea hacks US government databases? That’s why demanding for a backdoor or attenuated encryption is a gray area. 

i don't agree with this at all. Let's say NK does manage to hack the US government and obtain the decryption algorithm to access your device, There's going to be MUCH MUCH bigger problems than North Korean officials seeing your nudes or stupid meme filled group messages

[samcool55]

Good, this means encryption is doing its job exactly as it should.

[Senzelian]

2 minutes ago, Vode said:

What happened to good old fashioned police work?

 

Encryption backdoors are such a bad way to deal with it.

 

It open a can of worms you don't want to open for criminals:

Botnets, Credit card fraud, digital identity theft.... just to name a few.

 

But the governments around the world just don't seem to understand that. They don't understand the technology.

And you don't understand the police. 

'Good old fashion police work' is not like they show it in the TV. 

[Vode]

1 minute ago, Senzelian said:

And you don't understand the police. 

'Good old fashion police work' is not like they show it in the TV. 

How do you know what I mean by police work and why did you imply I think it's anything like on TV?

 

lol

[Trik'Stari]

4 minutes ago, Senzelian said:

And you don't understand the police. 

'Good old fashion police work' is not like they show it in the TV. 

They managed to get that one guy by following and waiting for him to login to his account, then basically tackling him and arresting him.

 

IIRC that was the guy who was running Silk Road.

[Rolling Potatoe]

If you put in backdoors criminals will find them, it is inevitable.

The FBI already has enough tools on its hand, it is not like they cannot do their job because a couple thousand phones per year cannot be cracked.

What is next, demanding that law enforcement can track everybodys location at every time and listen to their conversations?

After all, that would make persecuting criminals easier.

[Senzelian]

3 minutes ago, Vode said:

How do you know what I mean by police work and why did you imply I think it's anything like on TV?

 

lol

How do you know that I imply that you think its anything like on TV? 

 

We can play this game forever, but we wont get anywhere. 

[LAwLz]

12 minutes ago, Sierra Fox said:

i can see both side of it. while yes privacy is a major point in this whole debate. but they should be able to access devices on a warrant basis with a good reason as to why the need the access in the same way that they can't just barge into your home without a warrant and take your desktop computer.

Warrants don't work in practice.

The FISA court has literally only denied 12 out of 35529 warrant requests.

When you approve 99.97% of warrant requests you might as well just remove it altogether.

 

But like you said the bigger issue is that exploits and backdoors gets leaked all the time. There is a very high risk of any backdoor implemented leaking. I mean, ever heard of WannaCry?

If the government were to actually make backdoors mandatory then I would not be surprised if we saw attacks as big as WannaCry a few times every year.

That's why even the most naive person who 100% believes in the Government should still be strongly against backdoors. You don't make things unsecure by design.

 

 

Besides, backdoors won't stop crimes. In a best case scenario it will help prosecute a suspect. We already have reports of police and other government agencies saying that they collect too much information to actually process. Using this to stop criminals is like finding a needle in a haystack, and implementing backdoors is like dumping more hay on the stack.

[captain_to_fire]

27 minutes ago, Vode said:

But the governments around the world just don't seem to understand that. They don't understand the technology.

The problem is that most politicians in power regardless of the country has very little understanding of technology because they're old. Science and technology has become something politicians choose to believe, not something they try to understand.

27 minutes ago, Sierra Fox said:

i don't agree with this at all. Let's say NK does manage to hack the US government and obtain the decryption algorithm to access your device, There's going to be MUCH MUCH bigger problems than North Korean officials seeing your nudes or stupid meme filled group messages

Well DPRK hacked Sony in 2014 because their leader Kim Jong-Un is thin skinned and oversensitive. In response, the US introduced a DDOS attack on DPRK plunge them further away from the internet. But North Korea nearly hacked NY Federal Reserve but it turned to be a failed heist because of a spelling error. That is why an encryption backdoor is not effective since it can be used against them. https://www.nytimes.com/2017/10/15/world/asia/north-korea-hacking-cyber-sony.html

 

What the US government should be investing in is to further improve their resilience against cybersecurity attacks.

[mr moose]

58 minutes ago, Vode said:

What happened to good old fashioned police work?

 

Encryption backdoors are such a bad way to deal with it.

 

It opens a can of worms you don't want to open.

Botnets, Credit card fraud, digital identity theft.... just to name a few.

 

But the governments around the world just don't seem to understand that. They don't understand the technology.

 

Old fashion police didn't have all their evidence locked in a phone they can't access.    

 

At least this guys admits there is a legit reason for encryption and that criminals will simply obtain there own software,  so forcing a backdoor won't work.  Too bad there are so many fatalists on this forum.  We get it, backdoors don't work and no one thinks the court system or government is in any way capable of being above board/transparent, so whats the solution? 

 

EDIT: oh and politicians do understand, they aren't stupid, they either just don't care or are weighing up which basket they would rather see spilled.  Some of them are willing to risk an exploit because in their grand plan of control,  such an exploit would lead to more arrests anyway. 

[LAwLz]

11 minutes ago, mr moose said:

Old fashion police didn't have all their evidence locked in a phone they can't access.

I wonder how many cases actually has that these days.

All we know is that 7000 phones have not been cracked yet. Considering how common burner phones are, and just talking face to face, chances are very few of them contain solid evidence.

 

Also, not all evidence is locked inside a phone. They need some evidence to even have a suspect. They aren't just picking up random phones to decrypt in the phones of picking the right person.

 

 

11 minutes ago, mr moose said:

so whats the solution?

There is no solution other than good old fashion police work.

You might call me a fatalist, but I think of myself as a realist.

Backdoors = Makes everything worse without actually having any benefits.

No backdoors = The situation we are in right now.

 

How about trying to prevent crimes from happening to begin with?

[captain_to_fire]

17 minutes ago, mr moose said:

EDIT: oh and politicians do understand, they aren't stupid, they either just don't care or are weighing up which basket they would rather see spilled.

I wonder how many politicians do you know understand even the basics of cybersecurity. [Here, here and here] I bet many politicians don’t even use 2fa or don’t know how to securely set up a new wifi router

Edited October 25, 2017 by hey_yo_

[captain_to_fire]

13 minutes ago, mr moose said:

Old fashion police didn't have all their evidence locked in a phone they can't access.

I’m pretty sure increased police visibility and faster responses to emergency calls can avert crime so much better than implementing an encryption backdoor which makes investigations look like a needle in a haystack. 

[mr moose]

5 minutes ago, LAwLz said:

I wonder how many cases actually has that these days.

All we know is that 7000 phones have not been cracked yet. Considering how common burner phones are, and just talking face to face, chances are very few of them contain solid evidence.

 

Also, not all evidence is locked inside a phone. They need some evidence to even have a suspect. They aren't just picking up random phones to decrypt in the phones of picking the right person.

 

 

There is no solution other than good old fashion police work.

You might call me a fatalist, but I think of myself as a realist.

Backdoors = Makes everything worse without actually having any benefits.

No backdoors = The situation we are in right now.

 

How about trying to prevent crimes from happening to begin with?

One would assume many of the phones they have were found on people in the act of committing a crime. 

 

Just because not "all" evidence is locked in a phone doesn't mean none is.  The only way to know how much evidence is in said phones is to crack them.  That ain't going happen anytime soon,  so speculating about the amount doesn't change the problem.

1 minute ago, hey_yo_ said:

I wonder how many politicians do you know understand even the basics of cybersecurity. [Here, here and here] I bet many politicians don’t even use 2fa or how to securely set up a new wifi router

 

If they don't they have advisors and specialists.  As I said, they either don't care or it doesn't weigh in enough to change their plans.  There is more to these decisions than just the security side of it that we see. 

[mr moose]

1 minute ago, hey_yo_ said:

I’m pretty sure increased police visibility and faster responses to emergency calls can avert crime so much better than implementing an encryption backdoor which makes investigations look like a needle in a haystack. 

 

That really depends on the type of crime,  however the issue here was not about averting crime, but accessing evidence (which may lead to averting crime or it might just resolve the open cases they have).

[captain_to_fire]

Just now, mr moose said:

That really depends on the type of crime,  however the issue here was not about averting crime, but accessing evidence (which may lead to averting crime or it might just resolve the open cases they have).

If you read the OP where I played the devil’s advocate, I understand as to why a backdoor could be useful but how can we be sure that such backdoors is not going to be abused by authorities? How can we be sure that the backdoors can’t be used by cybercriminals? Just look at the San Bernardino iPhone 5c. Even when the FBI was able to hack the iPhone, they found nothing. 

[mr moose]

1 minute ago, hey_yo_ said:

How can we be sure that the backdoors can’t be used by cybercriminals? Just look at the San Bernardino iPhone 5c. Even when the FBI was able to hack the iPhone, they found nothing. 

we can't, I don't think anyone has argued otherwise, however like I said before, finding nothing in one case is not proof that evidence doesn't exist at all on other devices. 

 

And my question still remains, what's the solution?  We can't continue to be fatalistic about this.  Decrying any attempt to find a solution will only leave us in the shit. Because as much as many don't trust the politicians and the police etc, they are the only barrier between organised crime and us. 

 

 

 

[LAwLz]

15 minutes ago, mr moose said:

And my question still remains, what's the solution?  We can't continue to be fatalistic about this.  Decrying any attempt to find a solution will only leave us in the shit. Because as much as many don't trust the politicians and the police etc, they are the only barrier between organised crime and us. 

Well I don't see anyone proposing any solutions.

As we have already established, backdoors would have 0 benefits and a ton of drawbacks.

Do you have any solution? It's not about being fatalistic, it's about being realistic.

[captain_to_fire]

1 minute ago, mr moose said:

And my question still remains, what's the solution?  We can't continue to be fatalistic about this.  Decrying any attempt to find a solution will only leave us in the shit. Because as much as many don't trust the politicians and the police etc, they are the only barrier between organised crime and us. 

Then it all boils down to what causes people to engage in criminal behavior and addressing the cause for each criminal behavior requires a different solution which is now outside the scope of this thread. But mass surveillance is not only a violation against the laws on personal privacy (e.g. 4th amendment) but ineffective because it’s basically looking at a needle in a haystack. 

 

9 minutes ago, mr moose said:

we can't, I don't think anyone has argued otherwise, however like I said before, finding nothing in one case is not proof that evidence doesn't exist at all on other devices.

Most devices especially smartphones have protections in place against brute force attacks. Als, most criminals know how to hide their tracks so implementing a backdoor is simply futile.