The FBI does not think the FBI vs. Apple iPhone security court case sets a precedent – mind blowing.  The problem with posing the dilemma of code vs. free speech is that it forces a confrontation between the tech industry and government.  Perhaps the question was unavoidable, but posing the dilemma means an answer will be provided.  What will happen in the US and the world if the tech industry loses?  Every electronic service and device in the world, your smartphone, the computers and printers in your home, the Nest thermostat on your wall, your Wi-Fi enabled car, every device and electronic information source, actively surveilled by every government in the world without search warrants or limits of any kind.  Companies will be compelled to sign code with their own digital certificates, a demand that completely undermines public trust in X.509 certificates and PKI.  What are we talking about?  That blue/green lock in your web browser means you're secure, right?  Nope, not if this case is lost.  The freedom and privacy decisions at stake would shock even George Orwell.

This is the most interesting court case for security and privacy in my lifetime.

[1] Balkanization of US Products and Services Technology Accelerates: if Apple loses this case, this article presents a possible course of action and outcome for US businesses.


Apple responds to the court's order on two primary fronts.

First Amendment Violation
Compelled software code and code signing is “…compelled speech…in violation of the First Amendment”.

Fifth Amendment Violation
“…conscripting a private party…to do the government’s bidding…” violates Fifth Amendment rights.

Article on Motherboard along with a copy of Apple’s Motion to Vacate filing with the court.  I’m not a lawyer but two points I find interesting: 1) software code and the signing of software code is argued to be speech protected under the Constitution, 2) major corporations have constitutional rights just as US citizens do (I didn’t realize this).

Are you confused over the battle between the FBI and Apple over the iPhone?  On the surface it seems un-American that Apple does not wish to provide [2] the FBI information it requires for a terrorism investigation.  A deeper review shows the FBI’s interests are broader than a terrorist’s iPhone.  The FBI and the court[1] are demanding Apple weaken strong iPhone security features used on all iPhones.  Let’s review the court and FBI demands.

“…bypass or disable the auto-erase function…”: this is a security feature on the iPhone that wipes data if there are too many failed passcode/PIN attempts to unlock the phone.  It’s disabled by default and optionally enabled by iPhone owners.

“…enable FBI to submit passcodes to the SUBJECT DEVICE for testing electronically…”: the FBI wants to try many passcodes/PINs rapidly to unlock a device.  In security parlance this is known as a brute-force attack.  The FBI wants to be able to brute force iPhones.

“…device will not purposefully introduce any additional delay between passcode attempts…”: this security feature introduces an increasing delay between successive failed passcode attempts, adding a growing penalty for bad passcode/PIN guesses.  This is another Apple security feature designed to prevent brute-force attacks.  The FBI wants this removed.

“…SIF[Software Image File] will load and run from the Random Access Memory (“RAM”) and will not modify the iOS on the actual phone…”: this change helps the FBI avoid detection of its iPhone monitoring activities while preventing unintentional tampering with forensic evidence that may be used in a trial.
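To make concrete what the auto-erase and escalating-delay demands above would remove, here is an added simulation (not Apple's code; the delay schedule, the wipe threshold and the 4-digit passcode space are constructed assumptions) that models an unlock path with each protection toggled and reports how far a sequential walk of the passcode space gets before the device wipes:

```python
from dataclasses import dataclass

# Constructed delay schedule: seconds of penalty once the consecutive-failure
# count reaches N. Illustrative assumption, not Apple's published values.
DELAY_SCHEDULE = {5: 60, 6: 300, 7: 900, 8: 3600}
WIPE_AFTER = 10  # assumed auto-erase threshold when the owner enables it


@dataclass
class PasscodeGuard:
    """Minimal model of an unlock path with the two protections the order targets."""
    secret: str
    auto_erase: bool = True        # "bypass or disable the auto-erase function"
    escalating_delay: bool = True  # "will not ... introduce any additional delay"
    failed: int = 0
    wiped: bool = False
    elapsed: float = 0.0           # simulated seconds an attacker must wait

    def attempt(self, guess: str) -> bool:
        """One unlock attempt; True on success, raises once the device is wiped."""
        if self.wiped:
            raise RuntimeError("device wiped: no further attempts accepted")
        if guess == self.secret:
            self.failed = 0
            return True
        self.failed += 1
        if self.escalating_delay:
            # Penalty for this failure: the largest schedule entry already reached.
            due = [d for n, d in DELAY_SCHEDULE.items() if self.failed >= n]
            self.elapsed += max(due, default=0)
        if self.auto_erase and self.failed >= WIPE_AFTER:
            self.wiped = True
        return False


def brute_force_cost(guard: PasscodeGuard, space: int = 10_000) -> dict:
    """Walk a 4-digit space in order and report how far the walk gets:
    attempts accepted, whether the passcode was found, and total simulated
    delay. A cost model only; it talks to no device."""
    for i in range(space):
        try:
            if guard.attempt(f"{i:04d}"):
                return {"attempts": i + 1, "found": True, "wait_s": guard.elapsed}
        except RuntimeError:
            return {"attempts": i, "found": False, "wait_s": guard.elapsed}
    return {"attempts": space, "found": False, "wait_s": guard.elapsed}
```

With both protections on, the walk is cut off after ten accepted attempts and roughly three hours of accumulated delay; with both off, as the order requests, every passcode in the space is reachable with no waiting at all.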

If the FBI had requested only the information on the terrorist’s phone, its motives would appear more credible.  Instead it requested that security features, used across all iPhones, be purposefully weakened.

The order includes provisions to limit or lock the request to only the SUBJECT DEVICE.  On the surface it appears as though this demand applies to only a single named phone used by terrorists.  Weakening security on a single iPhone is the government’s method of eating an elephant one piece at a time.  Initially the FBI compels Apple to make code changes supporting its agenda.  As time passes the FBI, along with other government agencies, will make increasingly more demands that use the previous assistance as a leverage point, opening a Pandora’s box.  The public can only assume this court order is the FBI’s attempt to gauge the tech industry’s reaction to future information requests and continue its crusade for security backdoors.

[1] California District Court Order compelling Apple to assist FBI
[2] A Message to Our Customers, letter from Apple to customers on security

Legislation was introduced on December 17, 2015 that, if passed, improves security transparency on the corporate boards of publicly traded companies.  Many companies recognize the need for a security executive and appoint a Chief Security Officer (CSO) or a Chief Information Security Officer (CISO) to lead corporate programs.  While some consensus exists around the security executive’s role and title, there’s little agreement around leveling security with other business functions.  As a result, security executives are often not on equal footing with other business functions, which negatively impacts corporate security posture.  The Cyber Security Disclosure Act of 2015 (SB.2410) brings increased transparency and accountability to security by requiring security expertise on corporate boards.

“(1) to disclose whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience; and

(2) if no member of the governing body of the reporting company has expertise or experience in cybersecurity, to describe what other cybersecurity steps taken by the reporting company were taken into account by such persons responsible for identifying and evaluating nominees for any member of the governing body, such as a nominating committee.”

Corporate boards are directed to identify board-level information security expertise along with qualifications, or alternatively to describe their actions to identify an expert.  Some subtle implications of this bill are the following: 1) final accountability for information security rests with the board, 2) all publicly traded companies will have an appointed cyber security leader/expert or keep looking until they find one, 3) the security executive will have board-level visibility/accountability.  CSOs/CISOs will be leveled like other C-level execs since they will have direct board-level accountability.  This is a shift from today, where CEOs are increasingly held accountable for security and must balance business execution with security concerns.  Balance the wrong priority and they may be fired.  Competition for resources between CEOs and CISOs could be fierce in the future under SB.2410, but some CEOs may consider the loss of overall accountability for security a benefit.

I have been experimenting with Google Community pages for a little while.  I have a community page that’s open to everyone interested in security.  My blog is a great tool for me to communicate news or thoughts on security, but the blog is not the best collaboration tool.  I wanted a community page to facilitate posting photos, videos, questions, opinion polls, and more.  Another reason for a community page is that there are sometimes little gems of news too small for a full blog post but still interesting for everyone.  The Google Communities platform fills an interesting gap: a little more room for expression than Twitter, but with a better interface than Facebook.  Feel free to follow along or post your cool content.