MESSAGE
DATE: 2016-03-23
FROM: Ruben Safir
SUBJECT: [Hangout-NYLXS] FBI and Hacking the iphone
http://www.nytimes.com/2016/03/23/technology/apple-policy-on-bugs-may-explain-why-hackers-might-help-fbi.html?_r=0
SAN FRANCISCO — After a third party went to the F.B.I. with claims of
being able to unlock an iPhone, many in the security industry said they
were not surprised that the third party did not go to Apple.
For all the steps Apple has taken to encrypt customers’ communications
and its rhetoric around customer privacy, security experts said the
company was still doing less than many competitors to seal up its
systems from hackers. And when hackers do find flaws in Apple’s code,
they have little incentive to turn them over to the company for fixing.
Google, Microsoft, Facebook, Twitter, Mozilla and many other tech
companies all pay outside hackers who turn over bugs in their products
and systems. Uber began a new bug bounty program on Tuesday. Google has
paid outside hackers more than $6 million since it announced a bug
bounty program in 2010, and the company last week doubled its top reward
to $100,000 for anyone who can break into its Chromebook.
Apple, which has had relatively strong security over the years, has been
open about how security is a never-ending cat-and-mouse game and how it
is unwilling to engage in a financial arms race to pay for code exploits.
The company has yet to give hackers anything more than a gold star. When
hackers do turn over serious flaws in its products, they may see their
name listed on the company’s website — but that is it. That is a far cry
from what hackers can expect if they sell an Apple flaw on the thriving
underground market where a growing number of companies and government
agencies are willing to pay hackers handsomely.
The disclosure by the United States government on Monday that an unknown
third party had approached it — and not Apple — to help open a
controversial iPhone only highlights how the giant company approaches
bug-hunting efforts and security differently from the rest of the tech
industry.
But security experts, especially those with a stake in such bug
programs, said Apple could now be doing more, especially in this day and
age where the conventions of finding bugs and fixing them have changed.
Just this week, researchers at Johns Hopkins University uncovered a flaw
that would allow attackers to decrypt the contents of photos and videos
attached in Apple’s iMessage program. The researchers turned that flaw
over to Apple for patching.
“Especially with the stakes being as high as they are, if Apple wants to
continue to compete in the modern world, they have to modernize their
approach,” said Katie Moussouris, a chief policy officer at HackerOne,
which companies like Yahoo, Dropbox and now Uber pay to manage their bug
bounty programs.
The identity of the third party that approached the F.B.I. with the
possible way to unlock the iPhone — which was used by one of the
attackers in a mass shooting in San Bernardino, Calif., last year —
remained unknown on Tuesday. The emergence of the third party halted, at
least temporarily, a contentious case between Apple and the United
States government over whether the company should weaken the security of
its iPhone to help law enforcement.
The Justice Department has declined to name the third-party person or
organization, or to describe the proposed method for breaking into the
device. The third party may not have approached Apple for many reasons.
In the past, Microsoft’s systems were a more frequent target for
malicious-minded hackers, largely because of the prevalence of its
products. But as Microsoft began to embrace the hacking community, its
security improved.
As Apple’s desktops and mobile phones have gained more market share, and
as customers began to entrust more and more of their personal data to
their iPhones, Apple products have become far more valuable marks for
criminals and spies.
An Apple spokeswoman referred to an editorial by Craig Federighi, the
company’s senior vice president for software engineering, in which he
wrote, “Security is an endless race — one that you can lead but never
decisively win.”
“Our team must work tirelessly to stay one step ahead of criminal
attackers who seek to pry into personal information,” Mr. Federighi
said. “Despite our best efforts, nothing is 100 percent secure.”
Apple has long been less visible in the security community compared with
other tech companies. The company has shied away from bug bounty
programs and instead relied on large testing programs and the work of
its security team to spot vulnerabilities, partly because it is
disinclined to keep up with a financial arms race of paying for bugs,
according to three former and current employees, who spoke on the
condition of anonymity because they were not authorized to speak
publicly about security matters.
Apple has said it will fight to know more about the flaw in the software
or hardware that the third party has presented to law enforcement. A
senior executive said in a conference call with reporters Tuesday that
if the government found the method did not work and tried to force Apple
to help break into the phone, Apple would have questions about what was
tried, in order to keep its products as secure as possible.
If the third-party method does work, the government may dismiss a court
order demanding that Apple weaken its security, but keep the process it
used to break into the phone under seal. In that case, Apple would have
no way of knowing how the government broke into its software or hardware.
Exploits in Apple’s code have become increasingly coveted over time,
especially as its mobile devices have become ubiquitous, with an
underground ecosystem of brokers and contractors willing to pay top
dollar for them.
Flaws in Apple’s mobile devices can typically fetch $1 million. Last
September, a boutique firm in Washington, called Zerodium, which sells
flaws to governments and corporations, announced a $1 million bounty for
anyone who would turn over an exploit in Apple’s iOS 9 mobile operating
system — the same operating system used to power the iPhone used by the
San Bernardino shooter. By November, Zerodium said a team of undisclosed
hackers had successfully claimed the bounty.
Chaouki Bekrar, the founder of Zerodium, said his company was not the
outside party referred to in the government’s court filing on Monday.
But Mr. Bekrar added that even if Zerodium had helped the F.B.I., he
would not disclose it.
“For every Zerodium, there are a thousand other organizations like
Zerodium that are far less vocal about doing what they do and will pay
researchers who find this stuff to keep it a secret,” said Casey Ellis,
the founder of BugCrowd, a company in San Francisco that helps vendors
manage bug bounty programs.
The heated battle between the United States government and Apple over
breaking into the iPhone used by the San Bernardino gunman may have
inadvertently catalyzed the underground market for Apple code flaws.
With the F.B.I. pushing Apple to help unlock the device with a court
order and publicizing that it has been unable to get into the iPhone,
hackers realized there was a blank check for them if they could
accomplish it, said Jon Oberheide, the chief technology officer of Duo
Security, a cloud security company.
Some security researchers said no bounty Apple could offer now would
match the reward they could expect from the underground market. Apple
has waited so long that the black market for its flaws has become
extremely lucrative, perhaps making any bug bounty program the company
would create seem late to the game.
“Apple can embrace security researchers, or try to facilitate programs
that will secure its operating system, but it’s never going to be able
to compete with what is going on behind the scenes in the black market,”
said Jay Kaplan, a former N.S.A. analyst and co-founder of Synack, a
company that deploys hackers to weed out vulnerabilities in clients’
systems. “It’s just not going to happen.”
A version of this article appears in print on Mar
--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com
Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013
_______________________________________________
hangout mailing list
hangout-at-nylxs.com
http://www.nylxs.com/