Is the DEA Lying About iMessage Security? 195
First time accepted submitter snobody writes "Recently, an article was posted on Slashdot about the claim that law enforcement made about being frustrated by their inability to decrypt messages using Apple's iMessage. However, this article on Techdirt suggests that the DEA may be spewing out disinformation. As the Techdirt article says, if you switch to a new iDevice, you still are able to access your old iMessages, suggesting that Apple has the key somewhere in the cloud. Thus, if law enforcement goes directly to Apple, they should be able to get the key."
Are you kidding? (Score:5, Insightful)
The mere fact that you even have to ASK such a question means the answer is "Yes."
It's American company so the answer is obvious (Score:5, Insightful)
Re: Who cares (Score:5, Insightful)
Probably talking about two different things... (Score:5, Insightful)
Unless the DEA is actively 'leaking' in order to attempt to move people into a vulnerable channel with a false sense of security(not impossible; but I'm inclined to suspect that the higher level drug runners take their paranoia seriously, or they wouldn't have lasted long enough to level up, and the lower level ones are probably more often foiled by the fact that they need to solicit customers, any one of which could be a plant), I'd be inclined to a more prosaic explanation.
With SMS, architectural security during transmission is somewhere between pitiful and nonexistent and the entity that handles the messages during their voyage is the phone company, which has substantial legal incentives to, and a long history of, supine cooperation with the authorities.
With iMessage, it looks pretty much like SMS on the handset; but it's all just data to the telco, and Apple presumably included some SSL/TLS or similar implementation that isn't totally broken, meaning that going through the telco is totally useless(this would also be why the leaked memo specifically mentioned that iMessages sent to non-Apple devices, which would be crunched into SMS at some stage, were still often recoverable).
The fact that Apple can, apparently, retrieve your iMessage history for you suggests that, indeed, a subpoena of Apple would leave you in the open; but I imagine that the DEA is much more familiar with, and pleased by, the 'service-oriented' attitudes of the phone companies, who are extremely forthcoming with customer information, with very low bars to clear, and minimal pesky judicial process.
Certainly not a good idea to trust anything that the service operator can 'recover' or 'restore' for you to be secure(since it can't possibly be); but the DEA jackboots probably do encounter significantly greater hassle with a message that is never available to the notoriously friendly telcos. You are still up shit creek if they are building a case against you specifically(or if Apple caves and starts providing bulk access at some future time); but casual fishing is likely to be more difficult.
Re:Key in cloud != Key accessible by Apple (Score:3, Insightful)
Yes, that COULD be. In reality there are password reset methods and no company will ever tell a customer that they have just lost all their messages, photos, etc. because they forgot their password. Wake the fuck up.
Re:Are you kidding? (Score:5, Insightful)
Betteridge is probably right. The messages are likely technically interceptable but not through the means the DEA tried; they didn't ask the right people the right questions.
Re:Are you kidding? (Score:5, Insightful)
don't know about imessage (Score:4, Insightful)
But they've never lied about the effects of drug usage, right?
Right?
Um, right?
DEA can't TAP it (Score:5, Insightful)
The issue is not that the DEA cannot lawfully acquire the messages... It's that THEY HAVE TO ASK , EVERY TIME.
Most taps are just "wide open" until the warrant expires and the telco turns the tap off... There is very little oversight. Many online services give law enforcement more of an "open ticket" to keep coming back for email or Facebook as often as they need. While the line isn't "tapped" LEOs can refresh every twenty minutes if they want.
They are attepting to bully Apple into allowing a MITM or wide open ticket to people's accounts. The first post on this very carefully NEGLECTED to mention that Apple COMPLIES with lawful requests. Which they most certainly would. The issue is that Apple won't open a giant backdoors and look the other way while LEOs look up their ex-girlfriends, or people with fancy cars to pick on. Apple is probably making them request transcripts with dates and times... And then APPLE SENDS it to them.
Re:Are you kidding? (Score:5, Insightful)
Contrary to Betteridge, the answer to almost any question of the form "is the DEA lying" is yes. They're a worse propaganda machine than every other alphabet-soup agency put together, which is saying something.
Re:Are you kidding? (Score:5, Insightful)
This is probably the crux of their complaint - they can't intercept the messages without going through proper procedures, getting a warrant, and leaving a paper trail. This is precisely how things should work.
Re:Closed proprietary software is NEVER secure! (Score:2, Insightful)
Correct. As long as I cannot verify the encryption, then I cannot say it is secure; secure being relative to my needs and concerns. As the U.S. government is one party I would want to keep my encrypted information from, the DOD or any other agency having potential access means that their encryption cannot be considered seriously for my interests.
Re: Who cares (Score:5, Insightful)
I was with you until you said this:
Worst that could happen is everyone walking out calmly and in order.
That is far from the worst that can happen. That is in fact the best case scenario outside of no one believing them and there truly not being a fire. Provoking people into violent acts of desperation by instilling the immediate fear of death into them, such that their rationality is severely compromised is outright negligent. This is why we have things like temporary insanity and heat of passion defenses.
I feel that you should be perfectly free to shout "Fire!" in a theater. However I also feel that if you end up causing a situation where someone is injured, you should be held liable for your negligent actions. Freedom of speech should not mean freedom from responsibility of that speech.
What if you told a blind person that the light at an intersection was green and there was no traffic, causing them to walk into the street and get run over? Would you push the free speech argument? You didn't kill him; the guy behind the wheel of the car did. That doesn't mean you weren't immensely negligent as a result of what you said.
As a closer example to the theater, what if in that same situation you screamed in front of a blind man "Everyone get out of the way! A car is heading straight for us!" causing him to jump out of the way and into actual traffic? Would you still feel like you were completely free of the burden of responsibility?
Re:Are you kidding? (Score:5, Insightful)
Exactly. The problem (as far as the DEA is concerned) is that they might be forced to actually obey the law themselves for a change. They much prefer tapping what they want with no oversight.
The DEA (Score:5, Insightful)
The DEA lies about everything else. Why would this be any different? The very fact that the DEA exists is an affront to personal liberty; We have decades of detailed records of them spreading falsehoods, destroying families, in general doing far more harm than drugs ever did or ever could.
DEA Informers: They lie about who they are, what they do, what their intent is -- and just about anything else they're asked. This is who they are. Liars. But that's not all they are. They're also as dangerous as any government agent you can imagine, wholly without concern for anyone but themselves.
DEA agents: They lie about where the danger comes from; they lie about toxicity; they lie about addictiveness. They lie about consequences (they ARE the primary consequences), and they have been known to attempt to trade your personal honor for your freedom if you fall into their hands. They created the violence underlying the black market drug trade; they created the black market itself. They're not shy of interfering with other sovereign countries, nor of playing fast and loose with our own "justice" system.
So when a DEA "anything" tells you something, you're best off assuming they're lying. It's what they do. Aside from destroying families, that is. If they're not lying, they're likely trying to hurt you some other way. Get away and stay away. Nothing truly good can ever come of contact with people so bereft of personal honor -- or so outright stupid -- that they would work for the DEA.
To heck with them. And the laws they rode in on. And those who made the laws. And those in the general population who thought, and perhaps still think, agencies like the DEA were ever a good idea.
The drug war: It's a war on you and your family and your friends.
Re:The DEA (Score:3, Insightful)
Good grief. Ok, here's the obvious example: You can sell, or smoke, a joint - a light intoxicant which does far less harm (probably none at all in most cases) than alcohol - and go to jail for years for these acts. After which, you are often considered a felon, which pretty well puts paid to your future. I'm sure you know this and you're just being disingenuous.
You're confusing your uninformed state with the idea that my statements are unfounded.
Go spend some time with Google. The DEA's actions and policies are largely a matter of record, as is the massive amount of harm they have caused.
Re:The DEA (Score:3, Insightful)
Go spend some time with Google.
I don't disagree with you, but digging up citations to support your argument is your job, not the readers.
Re:PGP (Score:5, Insightful)
Suppose the darkest inner circles of government intelligence agencies actually can crack widely-used and trusted encryption like PGP. If you're merely an international drug dealer and child slave trader (or peaceful anti-war protestor, whichever the FBI loathes more), the tiny cabal of people within the FBI who have the clearance to know about the PGP crack aren't going to do anything that remotely risks leaking such information. Your secrets are perfectly safe with them, because they've got more important targets (like all the Top-Secret-equivalent info from foreign governments and corporations) that they'd lose covert access to if even a vaguely credible hint of a PGP crack leaked to lower levels of government law enforcement (and from there to other countries' intelligence operatives). A PGP crack would simply be too important an asset for covert intelligence to risk exposing on whatever mildly nefarious plots your encrypted emails are hiding.
Re:Are you kidding? (Score:4, Insightful)
I'm pretty sure you're wrong. PGP uses RSA and IDEA. If RSA was breakable, particularly in realtime, there would be a lot more screaming. Some older versions of PGP had some bugs that were theoretically exploitable, but I don't think any of them have actually been exploited, never mind reliably or in real time. There have been several incidents over the years suggesting that authorities cannot decrypt PGP encrypted data.
It's possible that some early RSA encrypted messages using very short keys are technically decryptable, but you'd have to be a highly motivated government agency to do so, and you still wouldn't be doing it in anything close to realtime.
Yesterday's munitions are... pretty much unchanged today, except that you can be extra paranoid and use longer keys now.
Re:The DEA (Score:4, Insightful)
something that would be unlikely to happen with alcohol
It's also unlikely to happen with marijuana. It's even unlikely to happen with LSD, although probably more likely. Unfortunately, unlike tobacco and alcohol, there is no requirement to put warning labels on marijuana when it's sold. It is also difficult to do detailed studies on the effects of the drug, and it is not possible to go to a doctor and be tested for the latent conditions that can be triggered by certain chemicals, if those chemicals happen to be illegal.
Re:The DEA (Score:4, Insightful)
This is not a reasonable argument against pot. There are people out there who can't drink milk; who can't eat bread; who can't take aspirin, etc. The correct response to that reality is not to make milk and bread and aspirin illegal, and then to escalate such that someone who sells milk or bread or aspirin, or consumes them, goes to prison, etc.
There are people who will have severe reactions if they see flashing lights. Should we therefore make flashing lights illegal? What about peanuts? I like peanuts on my sundaes; but they will really hose some people. Should we outlaw peanut butter and all other peanut products? And then go shooting people on sight if they grow or sell peanuts?
It is an unreasonable argument to assert that these things are bad because some small percentage of the population has trouble with them. The reasonable conclusion, in fact, is that there's something unusual about that small percentage, and that is certainly worth looking at. But that's darned difficult to do when the whole thing is massively illegal and has its own ultra-violent specialized military to enforce that illegality.
It's harmless for the vast majority. We're quite sure of that, because the number of people who have indulged is extremely large. Pretending that your wife's experience, even if correctly attributed to marijuana use, is sufficient to categorize marijuana as generally harmful is very poor procedure. It is exactly the same kind of cognitive error that would categorize peanut butter as generally harmful because occasionally someone is found to have an adverse reaction to peanuts.