FBI vs. Apple: the Impact on Software Developers and You

A software developer looks at the dilemma facing the FBI and Apple and the encrypted iPhone of Syed Farook.

At Art & Logic, I wear many hats … a likely consequence of having numerous interests: I am passionate about software and the development process; I am passionate about IT operations; I am passionate about information security, cryptography, privacy, and how those topics intersect when our customers seek our services. It does not surprise many of my colleagues to learn I have been closely following the legal battle between the US Dept. of Justice and Apple over an encrypted iPhone 5c … but they are often surprised by why. This case has potentially far-reaching implications for those of us who write software for a living. Equally, so might it affect our customers; companies who seek to use custom software for their own business goals.

Make No Mistake, This Is Not Just about One iPhone

The outcome of the legal debate around the case will not merely affect just the San Bernardino suspect’s iPhone. It will serve to shape legal precedent, policy, and very likely the form of ‘secure’ technology in the future. We build technology – frequently with necessary security properties requested by our customers.

If you have not been following the case, there are a couple of key facts that have emerged. One is that the work phone of suspect Syed Farook is currently protected by Apple’s OS using encryption and a four-digit PIN. That last bit is important: Neither Apple nor the FBI has the ability to undo the encryption on the phone without the key (which is partly derived from the user’s four digit PIN). Unfortunately, it appears that the key was only known by the deceased suspect. The case aside, it is a good thing that a person without the key cannot get into the phone. Encryption has so many subtle yet important uses in modern computing … if it were possible to trivially break it, our digital world could have a host of troubles. E-commerce and online banking, for example, are built on trust that our details for exchanging money are kept private between the parties involved in the transaction. Software updates for your phone, tablet, and computers rely on the ability to deliver them to the machine without tampering. Of course, there’s a desire to communicate privately between two people. All of these rely on encryption to accomplish their tasks… and require that we can trust that encryption in the first place. (more…)

Crypto So Easy My Mother Uses It

Image of Raven by Tuchodi

Raven by tuchodi

If you’ve been around the blog for a while, you know that I’m a big fan of the use of encryption for the sake of privacy.  I’ve ranted about PGP and S/MIME, tried to break steganography and complained about the privacy issues I face as a Gmail user.  This post is to let you know about a tool for securing your communication that is so simple to use, my mother uses it on a daily basis.  This tool is TextSecure from Open Whisper Systems.  Go install it right now.

It used to be that encrypting your communications required installing and learning a strong, user-proof tool like GnuPG or some random IM client with an OTR plugin.  Now that apps are the unit of software and users routinely install apps, it is a trivial thing to tell someone to install a new app.  It’s so easy that I’m only allowing two excuses for not securing your everyday instant messaging with TextSecure:

  1. You don’t use an Android smartphone or
  2. You don’t communicate with anyone over any sort of instant messaging.

That’s all.  Other excuses are invalid.  (When the iOS version is available even fewer of you will have a valid excuse.)  Now go install it.


Book Review: An Introduction to Cryptography

Image of book of old times by titouan russo from Flickr

In my quest for more knowledge of cryptography, I’ve started reading actual books (instead of just reading API reference documents.) If you’re like me, and you’ve decided that going deeper than just making the code work is a good thing, read on. (more…)

Encrypting Your Messages With OpenPGP.js


Terrible mashup of OpenPGP.js logo and source code by the author (because
nothing says “Where’s the source?” like a bad logo.)

Last time I wrote, I showed you how to use Braintree.js to encrypt form values. I even built a contact form to do it. It occurred to me that there might be a better technology for encrypting contact form data. (There is.) Of course, I’m not the first person to have this idea.


Securing Your Forms With Braintree.js

Photo of ENIGMA Rotor Set by brewbooks

Think back to the web of fifteen years ago. Most of the web sites of the time consisted of a few pages of content along with a contact page (and maybe even a guestbook.) Most often that contact page was backed by a script that mailed the results to a fixed e-mail address. Is anyone willing to admit to using formmail.pl? In the least, we can admit that we didn’t move data around in the most secure way.