FBI Director Christopher Wray on Encryption: We Can’t Have an ‘Entirely Unfettered Space Beyond the Reach of Law Enforcement’

Encryption should not provide an "unfettered space" for criminals to hide behind, FBI Director Christopher Wray said today in an interview at the RSA conference, a cybersecurity event in San Francisco.

As noted by CNET, Wray said that while the FBI is not seeking backdoors in electronics, encryption needs to have limitations.

"It can't be a sustainable end state for there to be an entirely unfettered space that's utterly beyond law enforcement for criminals to hide," Wray said, echoing a position that law enforcement officials have taken on encryption time and time again.

Apple and other technology companies have been clashing with law enforcement agencies like the FBI and fighting anti-encryption legislation for years now. Apple's most public battle with the U.S. government was in 2016, when the Cupertino company was ordered to help the FBI unlock the iPhone used by Syed Farook, a shooter in the 2015 attacks in San Bernardino.

Apple opposed the order and said that it would set a "dangerous precedent" with serious implications for the future of smartphone encryption. Apple held its ground and the U.S. government backed off after finding an alternate way to access the data on the device, but Apple is continually dealing with additional law enforcement attempts to weaken encryption.

Multiple tech companies, Apple included, have formed the Reform Government Surveillance coalition to promote strong device encryption and fight against legislation calling for backdoor access into electronic devices.

Apple has argued that strong encryption is essential for keeping its customers safe from hackers and other malicious entities. A backdoor created for government access would not necessarily remain in government hands and could put the company's entire customer base at risk.

During the interview, Wray said that encryption is a "provocative subject" and he provided no additional insight into how tech companies might provide strong encryption for customers while also acquiescing to law enforcement demands for device access.

Wray did say that the U.S. is seeing an uptick in threats from "various foreign adversaries" that are using criminal hackers, which suggests the need for strong encryption is greater than ever.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.


This article, "FBI Director Christopher Wray on Encryption: We Can't Have an 'Entirely Unfettered Space Beyond the Reach of Law Enforcement'" first appeared on MacRumors.com


How to Encrypt a USB Flash Drive in macOS Mojave

In macOS Mojave, you can choose to encrypt and decrypt disks on the fly right from the desktop. Using this convenient Finder option, we're going to show you how to encrypt a USB flash drive (or "thumb drive"), which is useful if you're traveling light and want to take sensitive data with you for use on another Mac.

Finder uses XTS-AES encryption, the same encryption that FileVault 2 uses to prevent access to data on a Mac's startup disk without a password. Note that the following method is only compatible with Macs – you won't be able to access data on the encrypted drive using a Windows machine.

If this is a requirement, you'll need to use a third-party encryption solution like VeraCrypt. With that in mind, here's how to securely encrypt your USB flash drive.


Attach the USB flash drive to your Mac and locate its disk icon on your desktop, in a Finder window, or in the Finder sidebar, then right-click (or Ctrl-click) it and select Encrypt "[USB stick name]"... from the contextual menu.

(Note that if you don't see the Encrypt option in the dropdown menu, your USB flash drive hasn't been formatted with a GUID partition map. To resolve this, you'll need to erase and encrypt the USB drive in Disk Utility – before that though, copy any data on the drive to another location for temporary safekeeping.)


When you select Encrypt, Finder will prompt you to create a password, which you'll need to enter the next time you attach the USB flash drive to a Mac. (Don't forget this, otherwise you'll lose access to any data stored on the USB drive!) Once you've chosen a password, verify it, add a meaningful hint if desired, and click Encrypt Disk.

The encryption process depends on how much data you have on the USB flash drive, but you'll know it's completed when its disk icon disappears and re-mounts. You'll now be able to access the contents of the USB flash drive as usual, but if you physically detach it and re-attach it to your Mac you'll be prompted to enter the password.


Note that the prompt includes an option for macOS to remember this password in my keychain. Check the box, and whenever you attach the USB stick to your Mac again you won't be prompted to enter the password and you'll have automatic access to it, just like any other drive.


If you ever want to decrypt the USB flash drive in future, right-click (or Ctrl-click) its disk icon, select Decrypt "[USB stick name]" from the contextual menu, and enter the password to turn off encryption protection.

How to Encrypt a USB Flash Drive in Disk Utility

Before proceeding, make sure you've copied any data on the USB flash drive to a safe location, like your Mac's internal disk.

  1. Launch Disk Utility, located on your Mac in Applications/Utilities.

  2. In the Disk Utility toolbar, click the View button and select Show All Devices if it isn't already ticked.

  3. Select your USB flash drive in the sidebar by clicking its top-level device name (i.e. not the volume name that's listed beneath it).

  4. Click the Erase button in the toolbar.

  5. Give the USB flash drive a name.

  6. Next, click the Scheme dropdown menu and select GUID Partition Map. (It's important to do this first before the next step, otherwise you won't see the encryption option in the Format dropdown.)

  7. Now click the Format dropdown menu and select Mac OS Extended (Journaled, Encrypted).

  8. Click Erase.

  9. Enter your new password, enter it once more to verify, include a password hint if desired, then click Choose.

  10. Click Erase once again, and wait for your disk to be formatted and encrypted.

Once the process is complete, copy across your sensitive data to the blank USB flash drive, where it will be automatically encrypted and secured with a password.



Australia Passes Controversial Encryption Bill Despite Opposition From Apple and Other Tech Companies

The Australian parliament on Thursday passed controversial encryption legislation that could result in tech companies being forced to give law enforcement access to encrypted customer messages.

As we reported in October, Apple opposed the legislation in a seven-page letter to the Australian parliament, calling the encryption bill "dangerously ambiguous" and wide open to potential abuse by authorities.


Advocates of the bill, officially titled "Assistance and Access Bill 2018," argue it is essential to national security because encrypted communications are used by terrorist groups and criminals to avoid detection.

CNET provided a breakdown on the Australian bill and the three tiers of law enforcement and state agency assistance it covers:

  • Technical assistance request: A notice to provide "voluntary assistance" to law enforcement for "safeguarding of national security and the enforcement of the law."

  • Technical assistance notice: A notice requiring tech companies to offer decryption "they are already capable of providing that is reasonable, proportionate, practicable and technically feasible" where the company already has the "existing means" to decrypt communications (e.g. where messages aren't end-to-end encrypted).

  • Technical capability notice: A notice issued by the attorney general, requiring tech companies to "build a new capability" to decrypt communications for law enforcement. The bill stipulates this can't include capabilities that "remove electronic protection, such as encryption."

The Australian government insists that the laws don't provide a backdoor into encrypted communications. However, Apple says the language in the bill permits the government to order companies who make smart home speakers to "install persistent eavesdropping capabilities" or require device makers to create a tool to unlock devices.

Likewise, the joint industry lobby group DIGI, which includes Amazon, Facebook, Google, Oath, and Twitter, said they were willing to work with the government to promote public safety, but the laws could "potentially jeopardize the security of the apps and systems that millions of Australians use every day."

Apple has fought against anti-encryption legislation and attempts to weaken device encryption for years, and its most public battle was against the U.S. government in 2016 after Apple was ordered to help the FBI unlock the iPhone owned by Syed Farook, one of the shooters in the December 2015 attacks in San Bernardino.

Apple opposed the order and claimed that it would set a "dangerous precedent" with serious implications for the future of smartphone encryption. Apple ultimately held its ground and the U.S. government backed off after finding an alternate way to access the device, but Apple has continually had to deal with further law enforcement efforts to combat encryption.


Apple Criticizes Proposed Anti-Encryption Legislation in Australia

The Australian government is considering a bill that would require tech companies like Apple to provide "critical assistance" to government agencies who are investigating crimes.

According to the Australian government, encryption is problematic because encrypted communications "are increasingly being used by terrorist groups and organized criminals to avoid detection and disruption."


As noted by TechCrunch, Apple today penned a seven-page letter to the Australian parliament criticizing the proposed legislation.

In the letter, Apple calls the bill "dangerously ambiguous" and explains the importance of encryption in "protecting national security and citizens' lives" from criminal attackers who are finding more serious and sophisticated ways to infiltrate iOS devices.

"In the face of these threats, this is no time to weaken encryption. There is profound risk of making criminals' jobs easier, not harder. Increasingly stronger -- not weaker -- encryption is the best way to protect against these threats."

Apple says that it "challenges the idea" that weaker encryption is necessary to aid law enforcement investigations as it has processed more than 26,000 requests for data to help solve crimes in Australia over the course of the last five years.

According to Apple, the language in the bill is broad and vague, with "ill-defined restrictions." As an example, Apple says the language in the bill would permit the government to order companies who make smart home speakers to "install persistent eavesdropping capabilities" or require device makers to create a tool to unlock devices.

Apple says additional work needs to be done on the bill to include a "firm mandate" that "prohibits the weakening of encryption or security protections," with the company going on to outline a wide range of specific concerns that it hopes the Australian parliament will address. The list of flaws Apple has found with the bill can be found in the full letter.

Apple has been fighting against anti-encryption legislation and attempts to weaken device encryption for years, and its most public battle was against the U.S. government in 2016 after Apple was ordered to help the FBI unlock the iPhone owned by Syed Farook, one of the shooters in the December 2015 attacks in San Bernardino.

Apple opposed the order and claimed that it would set a "dangerous precedent" with serious implications for the future of smartphone encryption. Apple ultimately held its ground and the U.S. government backed off after finding an alternate way to access the device, but Apple has continually had to deal with further law enforcement efforts to combat encryption.


‘Five Eyes’ Governments Urge Tech Companies to Build Backdoors into Encrypted Services

Five nations including the U.S. and the U.K. have urged tech companies to comply with requests to build backdoors into their encrypted services, or potentially face legislation requiring them to do so by law.

The statement is a result of a meeting last week between the "Five Eyes" intelligence sharing countries, which include the U.S., the U.K., Canada, Australia, and New Zealand.

In a published memo, the governments claim that the use of such backdoors for accessing encrypted data would respect personal rights and privacy, and be limited only to criminal investigations by law enforcement.

"Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute. It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorized such access based on established legal standards. The same principles have long permitted government authorities to search homes, vehicles, and personal effects with valid legal authority."

The memo goes on to note that each of the Five Eyes jurisdictions will consider how to implement the statement principles, including "with the voluntary cooperation of industry partners", while adhering to lawful requirements for proper authorization and oversight.

The statement of principles underlines the fractious relationship between some governments and tech companies regarding encryption over the last few years, in which the popularity of digital messaging services has exploded.

The U.K. government has long argued that encrypted online channels such as WhatsApp and Telegram provide a "safe haven" for terrorists because governments and even the companies that host the services cannot read them.

In 2016, Apple and the FBI were involved in a public dispute over the latter's demands to provide a backdoor into iPhones, following the December 2015 shooting in San Bernardino.

Apple refused to comply with the request, saying that the software the FBI asked for could serve as a "master key" able to be used to get information from any iPhone or iPad - including its most recent devices - while the FBI claimed it only wanted access to a single iPhone.

In another potential test case, Facebook is currently contesting a demand from the U.S. government that it break the encryption of its popular Messenger app so that law enforcement can listen in to a suspect's conversations as part of an ongoing investigation into a criminal gang.


Facebook Fights US Government Demand to Break Messenger Encryption in Criminal Case

Facebook is contesting a demand from the U.S. government that it break the encryption of its popular Messenger app so that law enforcement can listen in to a suspect's conversations as part of an ongoing investigation into the MS-13 gang.

The U.S. Department of Justice's demand is in relation to a case proceeding in a federal court in California that is currently under seal, so public files are unavailable. However, Reuters' sources said the judge in the case heard arguments on Tuesday on a government motion to hold Facebook in contempt of court for refusing to carry out the surveillance request.

Facebook says it can only comply with the government's request if it rewrites the code relied upon by all its users to remove encryption or else hacks the government's current target, according to Reuters.

Legal experts differed over whether the government would likely be able to force Facebook to comply. However, if the government gets its way in the case, experts say the precedent could allow it to make similar arguments to force other tech companies to compromise their encrypted communications services.

Messaging platforms like Signal, Telegram, Facebook's WhatsApp and Apple's iMessage all use end-to-end encryption that prevents communications between sender and recipient from being accessed by anyone else, including the service providers.

Tech companies have pushed back against previous attempts by authorities to break encryption methods, such as the FBI's request that Apple help it hack into the iPhone owned by Syed Farook, one of the shooters in the December 2015 attacks in San Bernardino.

In February 2016, a U.S. federal judge ordered Apple to help the FBI, but Apple opposed the order in an open letter penned by Tim Cook, who said the FBI's request would set a "dangerous precedent" with serious implications for the future of smartphone encryption.

Apple's dispute with the FBI ended on March 28, 2016 after the government found an alternate way to access the data on the iPhone with the help of a private contractor and withdrew the lawsuit.


Australia Prepares Laws Forcing Tech Companies to Help Police Access Encrypted Data of Criminals

Australia is gearing up to release new laws that will force Australian telecommunications companies and global tech companies to comply with law enforcement agencies, when such agencies ask for access to encrypted data on the smartphones of suspected criminals (via ABC News Australia). The laws are the latest in an ongoing global data battle that hit a fever pitch in the United States in early 2016 when the FBI asked Apple for a backdoor into the smartphone of one of the San Bernardino shooters.

Specifics in regards to the Australian laws have not yet been shared, but they are said to affect companies like Apple, Facebook, and Google, which would face "significant fines" if they choose not to comply with encrypted data requests. Australian telecommunications companies affected under the law include Telstra and Optus.


Cyber security minister of Australia Angus Taylor was asked if the laws would allow surveillance codes to be implanted into smartphones and "avoided directly answering," stating a lack of preparation to get into technical details.

Notably, one detail Taylor did confirm is that the government would not ask companies to install a backdoor into their apps and equipment, nor would they be asked to "provide law enforcement agencies with an encryption key." Because of this, it's unclear exactly how the Australian government's demands would need to be met by companies.

"There's been ideas around for decades that you should create some kind of key that law enforcement can get access to, to access any data at any time — that's not what we're proposing here," Mr Taylor said.

"But at the same time we must ensure that law enforcement doesn't lose access to the data and the information they need to pre-empt terror attacks and crimes, and to hold criminals and terrorists to account."

Taylor explained that the new proposals are an update to antiquated laws in Australia: "Those laws should be extended to a situation where messages are being sent through an app, or via any other means, in ways that the current laws hadn't anticipated," he said. "It's not appropriate to have a world where we can do this for analogue data, analogue communication, but we can't do it in the digital world."

In the United States, last month an anti-surveillance coalition, including Apple, condemned recent proposals for backdoor access into electronic devices. The coalition previously published a core principle pledging to ensure device security through strong encryption and calling on governments to avoid taking actions that would require companies to "create any security vulnerabilities in their products and services."

The news came as law enforcement officials were said to be revisiting proposals that would require tech companies to build backdoor access into devices for better access to data in criminal investigations. Apple continued enhancing user security in the recent iOS 12 beta, where a new setting was discovered that prevents USB accessories from connecting to the iPhone when it's been more than an hour since the device was unlocked.

Law enforcement officials use USB access to iOS devices to connect accessories like the GrayKey box, a tool that plugs into the Lightning port of an iPhone and uses the data connection in an attempt to brute force a passcode. With the new setting, an iPhone's Lightning port data connection will not work with the GrayKey box if it's been more than an hour since a passcode was entered, rendering it effectively useless unless used immediately after an iPhone is obtained from a suspect.

In Australia, draft legislation of the new laws will be presented "in weeks" so more details about the plans should emerge soon. Ahead of the launch, Taylor said that the government is "very sympathetic to the concerns that the tech service providers have had" in regards to forced compliance with data gathering on electronic devices.


Russia Demands Apple Remove Telegram From Russian App Store

The Russian government has asked Apple to help it block Telegram, the secure messaging app that's highly popular in the country, reports WCCFTech.

A Russian court in April ordered carriers and internet providers in the country to block Telegram, after Telegram refused to provide Russia with backdoor access to user messages.


Telegram, for those unfamiliar with the app, offers end-to-end encryption for secure messaging purposes. With end-to-end encryption, no one, not even Telegram, can access the messages that are sent between users.

Despite issuing the block order back in April, Russia has only been able to disrupt Telegram's operations in the country by 15 to 30 percent.

Given the government's inability to block the app, Roskomnadzor, the division of the government that controls media and telecommunications, has demanded that Apple remove the Telegram app from the Russian App Store. The group first asked Apple to remove the app in April, but is appealing to Apple again.

"In order to avoid possible action by Roskomnadzor for violations of the functioning of the above-mentioned Apple Inc. service, we ask you to inform us as soon as possible about your company's further actions to resolve the problematic issue," the regulator wrote.

Roskomnadzor has given Apple one month to remove the Telegram app from the App Store. Roskomnadzor's director Alexander Zharov said he did not want to "forecast further actions" should Apple not comply with the request following the 30 day period.

The Russian government said that it needed access to Telegram to read messages and prevent future terror attacks in the country.


Researchers Discover Vulnerabilities in PGP/GPG Email Encryption Plugins, Users Advised to Uninstall Immediately

A warning was issued by European security researchers this morning about critical vulnerabilities discovered in PGP/GPG and S/MIME email encryption software that could reveal the plaintext of encrypted emails, including encrypted messages sent in the past.


A joint research paper, due to be published tomorrow at 07:00 a.m. UTC (3:00 a.m. Eastern Time, 12:00 a.m. Pacific), promises to offer a thorough explanation of the vulnerabilities, for which there are currently no reliable fixes.


Details remain vague about the exploit, but it appears to involve an attack vector on the encryption implementation in the email client software, rather than the encryption method itself. A blog post published late Sunday night by the Electronic Frontier Foundation said:

"EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages."

In the meantime, users of PGP/GPG and S/MIME are being advised to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email, and seek alternative end-to-end encrypted channels such as Signal to send sensitive content.

MacRumors has compiled a separate guide to removing the popular open source GPG Tools plugin from Apple Mail. Other popular affected clients include Mozilla Thunderbird with Enigmail and Microsoft Outlook with GPG4win. Click the links for EFF's uninstall steps.



Anti-Surveillance Coalition That Includes Apple Condemns Proposals for Device Backdoors

The Reform Government Surveillance coalition, which includes several major tech companies who have teamed up to lobby for surveillance law reform, this week released a statement condemning recent proposals for backdoor access into electronic devices and reaffirming a commitment to strong encryption.

The coalition is made up of multiple tech companies who have taken a strong stance against weakening encryption, including Apple, Google, Microsoft, Dropbox, Snap, Evernote, LinkedIn, Oath (owned by Verizon) and Facebook.

"Reform Government Surveillance recently announced a new core principle on encryption that will guide our advocacy efforts, and we continue to believe that strong encryption helps protect the security and privacy of individuals and companies around the world. We have consistently raised concerns about proposals that would undermine encryption of devices and services by requiring so-called 'exceptional access' for law enforcement. Recent reports have described new proposals to engineer vulnerabilities into devices and services - but they appear to suffer from the same technical and design concerns that security researchers have identified for years. Weakening the security and privacy that encryption helps provide is not the answer."

As ZDNet points out, the statement comes following a WIRED article profiling Microsoft chief technical officer Ray Ozzie and his suggestion for a solution called "Clear" that would supposedly provide law enforcement with access to encrypted data with less security risk.

Ozzie's proposal uses a public key and a private key (housed and protected by a company like Apple) that are used to encrypt and decrypt a PIN generated on the device. No one is meant to be able to decode and use the PIN to unlock the device aside from the vendor, using the aforementioned private key.

"So, say the FBI needs the contents of an iPhone. First the Feds have to actually get the device and the proper court authorization to access the information it contains--Ozzie's system does not allow the authorities to remotely snatch information. With the phone in its possession, they could then access, through the lock screen, the encrypted PIN and send it to Apple.

"Armed with that information, Apple would send highly trusted employees into the vault where they could use the private key to unlock the PIN. Apple could then send that no-longer-secret PIN back to the government, who can use it to unlock the device."

Ozzie demonstrated his "Clear" solution to representatives from tech companies that included Apple, Google and Facebook, according to WIRED, but unsurprisingly, none of them had "any interest whatsoever" in voluntarily implementing that kind of access into their devices and services.
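
The exchange described above, modelled as an added example (this is not code from Ozzie, WIRED or MacRumors). Textbook RSA over two fixed toy primes stands in for whatever public-key scheme a real design would use, and every name in it (`Device`, `device_seal_pin`, `vendor_open`, `escrow_unlock`, `open_all`) is hypothetical.

```python
"""Toy model of the escrowed-PIN exchange (added illustration only)."""
import secrets

# Constructed toy vendor key pair: textbook RSA over two Mersenne primes.
# Assumption for illustration; a real design would use a vetted public-key
# scheme with the private key held in hardware inside the vendor's vault.
TOY_P = 2**107 - 1
TOY_Q = 2**127 - 1
VENDOR_N = TOY_P * TOY_Q          # public modulus, shipped on every device
VENDOR_E = 65537                  # public exponent, shipped on every device
VENDOR_PRIVATE_D = pow(VENDOR_E, -1, (TOY_P - 1) * (TOY_Q - 1))  # vault only

NONCE_LEN = 16                    # random padding so equal PINs seal differently
MIN_PIN, MAX_PIN = 4, 8           # assumed PIN length limits


def device_seal_pin(pin: str) -> int:
    """Device side: encrypt the unlock PIN to the vendor's public key."""
    if not (pin.isascii() and pin.isdigit() and MIN_PIN <= len(pin) <= MAX_PIN):
        raise ValueError("PIN must be 4 to 8 ASCII digits")
    framed = b"\x01" + secrets.token_bytes(NONCE_LEN) + pin.encode("ascii")
    return pow(int.from_bytes(framed, "big"), VENDOR_E, VENDOR_N)


def vendor_open(sealed: int, private_exponent: int) -> str:
    """Vendor side: recover the PIN from a sealed blob with the private key."""
    m = pow(sealed, private_exponent, VENDOR_N)
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    pin = raw[1 + NONCE_LEN:]
    well_formed = (
        len(raw) > 0
        and raw[0] == 1
        and MIN_PIN <= len(pin) <= MAX_PIN
        and pin.isdigit()
    )
    if not well_formed:
        raise ValueError("blob does not open with this key")
    return pin.decode("ascii")


class Device:
    """A locked phone that exposes only the sealed PIN on its lock screen."""

    def __init__(self, owner: str, pin: str):
        self.owner = owner
        self._pin = pin
        self.lock_screen_blob = device_seal_pin(pin)

    def unlock(self, attempt: str) -> bool:
        return secrets.compare_digest(attempt.encode(), self._pin.encode())


def escrow_unlock(device: Device) -> bool:
    """The three hops in the quoted description, for one seized device."""
    blob = device.lock_screen_blob                 # agency reads the blob
    pin = vendor_open(blob, VENDOR_PRIVATE_D)      # vendor decrypts in the vault
    return device.unlock(pin)                      # agency enters the PIN


def open_all(devices, private_exponent: int) -> dict:
    """Property to threat-model: one exponent opens every device's blob."""
    return {d.owner: vendor_open(d.lock_screen_blob, private_exponent)
            for d in devices}


if __name__ == "__main__":
    # Constructed sample devices.
    fleet = [Device("alice", "4821"), Device("bob", "730019")]
    print("single device unlocked:", escrow_unlock(fleet[0]))
    print("every PIN from the one vault key:", open_all(fleet, VENDOR_PRIVATE_D))
```

The per-device step never involves a per-device secret on the vendor side, which is why the whole scheme's security reduces to how well that one private key is guarded.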

The coalition Apple is a part of in April published a core principle pledging to ensure device security through strong encryption and calling on governments to avoid taking actions that would require companies to "create any security vulnerabilities in their products and services."

"Strong encryption of devices and services protects the sensitive data of our users - including individuals, corporations, and governments. Strong encryption also promotes free expression and the free flow of information around the world. Requiring technology companies to engineer vulnerabilities into their products and services would undermine the security and privacy of our users, as well as the world's information technology infrastructure. Governments should avoid any action that would require companies to create any security vulnerabilities in their products and services."

The renewed activity from the Reform Government Surveillance group follows reports that have suggested law enforcement officials are quietly revisiting proposals that would require tech companies to add backdoor access into electronic devices for use by law enforcement officials.

FBI and DOJ officials have been meeting with security researchers with the aim of developing approaches that would offer "extraordinary access" to encrypted devices like the iPhone, with DOJ officials reportedly "convinced" there is a way to create a backdoor without weakening a device's defense against hacking.

Apple software engineering chief Craig Federighi recently said that this kind of backdoor access would "inject new and dangerous weaknesses into product security."

"Weakening security makes no sense when you consider that customers rely on our products to keep their personal information safe, run their businesses or even manage vital infrastructure like power grids and transportation systems," Federighi said.

Apple vehemently opposes backdoor solutions like the one Ozzie proposed because they have the potential to weaken device encryption and provide new ways for bad actors to access device data.

Apple's strong stance against weakened device protections for the sake of law enforcement access was highlighted in the 2016 Apple vs. FBI conflict that saw Apple refuse to create a backdoor access solution to allow the FBI to crack the iPhone 5c owned by San Bernardino shooter Syed Farook.

GrayKey iPhone unlocking box via MalwareBytes

Without device backdoors, law enforcement officials have still found ways to crack devices like iPhones through other means. At the current time, for example, agencies like the FBI and DOJ have access to an iPhone unlocking box called GrayKey, which is capable of unlocking Apple's most recent iPhones running modern versions of iOS.
