A few weeks ago a bunch of us on Slack tried to put together a brief for journalists on why they should prefer iPhones. It's still a work in progress, as you'll see, but here's a draft:
My only qualm with recommending iPhone only is it doesn't take into account other countries where it's unaffordable for a journalist to own one. I know a group of journalists in Venezuela for whom an iPhone is simply far too expensive. Import controls in many countries make it this way. I know another group in another country where the exchange rate and low wages make even a $50/year VPN unaffordable.
Would be great to see some good guides that take into account the challenges that others outside of the states will face. Perhaps these guides may not have that audience in mind though. Maybe if these guides had a link to a good guide for securing your Android device the best you can, it would help those who are financially constrained.
I appreciate this sentiment but I think that requires a specialized document since it'd be focusing on general encryption and data protection tools.
My limited understanding of the Android ecosystem is also that the fragmentation makes it very difficult to have a comprehensive guide for Android, since what is applicable on device A may not be applicable for device B, whereas with iOS, "turn on these settings" is applicable across the entire ecosystem.
I think it's just the difficulty of having a comprehensive and simple reference document for Android, regardless of cost. The same regional difficulties even for specific device recommendations makes such a comparable document difficult, as not all phones are easily purchasable in all regions.
So it's definitely something that needs attention, but the low-cost-secure doc may be more difficult than it seems at first blush.
Why would someone whose threat model includes the US government possibly want to trust a totally closed OS made by a US company?? Do you still not see the US government as a threat to journalists? If not, how do you justify this position?
There are clueful people who disagree about Android vs. iOS for security (they're a minority, to be sure). But at this point: people who express shock, surprise, or outrage that security people are recommending iOS are demonstrating cluelessness.
The clueful people who argue in favor of Android start not by saying "you can't trust anything that isn't open source" (that would be especially silly if you're arguing for Google's Android phones, which are the only trustworthy phones), but by acknowledging the consensus that iOS is more secure and then challenging it.
On this thread alone, you've:
* Suggested that reverse engineering is a kind of arms race between the NSA and the "good guys", which it is not.
* Suggested that Tor is inextricable from Tor Browser.
* Complained about the suggestion that you might learn how reverse engineering works, because you're just a software developer.
I'm sorry, but comments like the one upthread I'm replying to are indistinguishable from trolling to me. I know that's a bit of an aggro thing to say. But: do you honestly believe that the people who write advice like Matt Green in the story we're commenting on, or in the brief we're commenting on here, don't understand what open source is?
Please keep the personal attacks away from this forum. There is no place for them here.
EDIT
> "I'm sorry, but comments like the one upthread I'm replying to are indistinguishable from trolling to me. I know that's a bit of an aggro thing to say."
If that is not a personal attack, I don't know what is.
Oh and would you have time to address any of my questions? (In terms other than ios vs. android?)
What are the options for someone who wants a fully trusted supply chain? Is there a modern smartphone made with provably secure hardware (and which I can verify is actually running that hardware and not some behave-alike SOC)?
From my somewhat-naive perspective, it seems like the alternative is an Android phone made in China by a Chinese company, which seems not obviously superior.
> 1) Apple has shown substantial backbone in fighting against the US government when pressed to exploit a phone.
And the phone was exploited anyway. The only thing that was established is that Apple must not be forced to help.
> 2) The other choice is a device made by a Chinese or Korean company with a semi-open operating system made by a US company.
That makes both alike.
> 3) Either device will have a totally closed baseband chip.
This is the one the iPhone got right. On the iPhones, it is insulated by a closed interface.
> 4) Deploying and maintaining secure Linux environment on a Laptop is a full time job that requires expertise journalists don't have.
Ditto for Android, iOS, Windows, OS/2, AIX, GNU/Hurd... And anything else you may think about.
> 5) Open versus closed source is a red herring. Everyone is using pre-compiled binaries.
Open source is a necessary condition for securing against any targeted attack. It's just far from sufficient. Also, pre-compiled binaries can help you.
> 5) Open versus closed source is a red herring. Everyone is using pre-compiled binaries.
With a very salutary trend toward reproducible builds, which will help prove a connection between the source and binaries. (Though it's taking years to get there.)
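The comment above is about reproducible builds, the practice that lets a binary be tied back to its source by rebuilding it and getting byte-identical output. The following is an added example, not code from the thread or from any project it mentions: it packs a constructed (fake) release tree the way a typical release script does, then the way a reproducible-build script does, and shows which header fields make two builds of identical content hash differently. The file tree, timestamps and uid values are all made up for the demonstration.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed stand-in for a build's output tree (placeholder bytes, not a real binary).
BUILD_OUTPUT = {
    "app/bin/server": b"\x7fELF placeholder: constructed contents, not a real binary\n",
    "app/README": b"server 1.0\n",
    "app/etc/config.yaml": b"listen: 127.0.0.1:8080\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pack_naive(files, build_time, builder_uid):
    """Pack the way many release scripts do: wall-clock mtimes, the builder's
    uid/name, directory (here: dict) iteration order, and a gzip header stamped
    with the current time. Each of these leaks the build environment into the bytes."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = build_time
            info.uid = builder_uid
            info.uname = f"builder{builder_uid}"
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb") as gz:  # mtime defaults to "now"
        gz.write(tar_buf.getvalue())
    return out.getvalue()


def pack_reproducible(files, source_date_epoch=0):
    """Same content with every environment-dependent field pinned: sorted entry
    order, mtime = SOURCE_DATE_EPOCH, uid/gid 0 with empty names, fixed mode,
    and a gzip header carrying the same fixed timestamp and no filename."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = source_date_epoch
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=source_date_epoch, filename="") as gz:
        gz.write(tar_buf.getvalue())
    return out.getvalue()


def gzip_header_mtime(blob: bytes) -> int:
    """The gzip MTIME field: bytes 4..8 of the header, little-endian."""
    return int.from_bytes(blob[4:8], "little")


def entries(blob: bytes):
    """(name, mtime, uid, uname, content) for every member, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return [(m.name, m.mtime, m.uid, m.uname, tar.extractfile(m).read())
                for m in tar.getmembers()]


def header_diff(blob_a: bytes, blob_b: bytes):
    """List the metadata fields that differ between two archives, which is the
    kind of report a tool such as diffoscope produces when two builds diverge."""
    a, b = entries(blob_a), entries(blob_b)
    diffs = []
    if [e[0] for e in a] != [e[0] for e in b]:
        diffs.append("entry order")
    for ea in a:
        eb = next((e for e in b if e[0] == ea[0]), None)
        if eb is None:
            diffs.append(f"{ea[0]}: missing")
            continue
        for field, va, vb in (("mtime", ea[1], eb[1]), ("uid", ea[2], eb[2]),
                              ("uname", ea[3], eb[3]), ("content", ea[4], eb[4])):
            if va != vb:
                diffs.append(f"{ea[0]}: {field}")
    if gzip_header_mtime(blob_a) != gzip_header_mtime(blob_b):
        diffs.append("gzip header mtime")
    return diffs


if __name__ == "__main__":
    day1 = pack_naive(BUILD_OUTPUT, 1_700_000_000, 1000)
    day2 = pack_naive(dict(reversed(list(BUILD_OUTPUT.items()))), 1_700_086_400, 1001)
    print("naive builds differ:", sha256(day1) != sha256(day2), header_diff(day1, day2))
    r1 = pack_reproducible(BUILD_OUTPUT, 1_700_000_000)
    r2 = pack_reproducible(dict(reversed(list(BUILD_OUTPUT.items()))), 1_700_000_000)
    print("reproducible builds match:", sha256(r1) == sha256(r2))
```

The point the comment makes is that a second party can only confirm "this binary came from that source" if an independent rebuild yields the same bytes; the naive packer defeats that even when the file contents are identical, because mtimes, ownership, entry order and the compressor's own timestamp all get baked in. Pinning those fields (the SOURCE_DATE_EPOCH convention) is the usual fix, with the caveat that the compressor and toolchain versions are part of the build environment too, so an independent rebuild also has to match those.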
> Why would someone whose threat model includes the US government possibly want to trust a totally closed OS made by a US company?? Do you still not see the US government as a threat to journalists? If not, how do you justify this position?
Let's be honest, if your adversary is the US government, I suspect that there is no electronic equipment you can use.
Most journalists, however, are more in fear of their lives or communications when outside the US. For that, an iPhone is provably a much better choice.
> Most journalists, however, are more in fear of their lives or communications when outside the US.
I've upvoted you because of the first sentence but the second one leaves me a bit puzzled. There are plenty of places where the threat level against journalists is equivalent to the US and quite a few where it is actually less.
In fact, the current 'head-of-state' of the United States is on the record for saying the press is the enemy of his administration.
> There are plenty of places where the threat level against journalists is equivalent to the US and quite a few where it is actually less.
While your point is well taken, I haven't seen any US administration execute a journalist for quite a while.
Russia and China don't have quite so much restraint. And most of the petty dictatorships and theocracies make Russia and China look perfectly reasonable.
The fact that the US is not a bastion of moral rectitude does not automatically grant moral equivalence to bad or worse actors.
I am perfectly capable of condemning the actions of the US government and working to make it better even while acknowledging that it is better than most and worse than some.
"But he does it, too!" is not a valid argument for justification. But neither is it a valid reason to refrain from reasoned comparison.
The FBI / iPhone controversy shows that US government access to those devices is clearly limited to certain agencies.
This is increasingly important as it's now really obvious that the different agencies have different politics and may end up investigating each other to see who's been compromised to the Russians.
(also, you have to pick something: telling a journalist not to use a phone is a total non-starter)
At the end of the day, the FBI has to win cases in court. What are they going to do with this elaborately orchestrated secret? "Your honour, everyone thought we could not extract evidence from an iPhone but... Psych! We totally can!"
What you described is Standard Operating Procedure for the FBI, DEA, and intelligence services if the method is too good to give up. What they do in those situations is try to come up with alternative methods that can justify how they obtained the information. That process is called parallel construction. The FBI and local departments have even been intentionally losing cases to avoid light being shed on some of their tools, esp. stingrays.
Not saying it's happening here. Just reminding you they do this.
I understand that but my point is that the FBI is not like an intelligence service - fundamentally, their endgame takes place in the public sphere and under public scrutiny. Yes, they have legal means at their disposal to protect their methods and sources. The operative term being 'legal'. They can't lie to a federal judge to try to compel Apple to help them do something they can already do. If they did, and it came out (which it certainly would), it would be at a massive political shitstorm with fired directors and congressional investigations as an absolute minimum. It would make their actual job a zillion times harder to do. It's just not in their interest at all.
"They can't lie to a federal judge to try to compel Apple to help them do something they can already do. "
You must have missed the whole Snowden leaks where they were all lying to Congress, courts, and so on. As far as the FBI, here's what they say: "That pertains to highly classified matters of national security. I'm afraid I can't discuss that here." (Keep repeating.)
They've also been lying about their counterterrorism cases. That one exposé showed they're paying undercovers $100,000 or so to convince harmless people to try something. Even financing, equipping, and training them. They sell it in court as them stopping what was already going on. Despite one informant recording them, nobody leading the FBI is fired or doing time. Deception is business as usual.
You said they don't lie about their capabilities in courts. Snowden leaks showed they partnered with the NSA on backdooring US companies' crypto while lying in court about how they could do nothing about crypto. Esp. in the Apple case. It is a good time to modify your claims to fit that data or quit.
specific case -> 'Snowden leaks' -> NSA ->? is not really an argument, it's rhetoric. I don't have to modify my claims in the face of the apparent impossibility to pin yours down to anything specific.
You still on this? The Snowden leaks revealed the FBI lied about tons of things they could do. So did the NSA. Piles of them. If you need specifics, start with "Core Secrets" by The Intercept, as it includes the slides saying the FBI "compelled" companies to "SIGINT-enable" their products/networks. Which means forced backdoors through secret means.
So, in courts, FBI said that targets using encryption by U.S. companies was impossible to do anything about. They needed expanded powers under things such as All Writs Act to get at the information in such devices. In secret, they were backdooring U.S. companies' products with NSA. They and the DEA were getting actionable information from those programs that they had to hide from courts under a process called parallel construction. They had to create a second trail of evidence that made it look like they found the person another way. Then, get the conviction through that second trail of evidence. The FBI was also willing to dismiss cases any time its claims were tested in court presumably because the claims were lies and methods unconstitutional.
So, the Snowden leaks, the San Bernardino case, and activity around things such as Stingrays shows the FBI will lie to courts to achieve political or legal ends. They'll even sacrifice their own court cases to protect their illegal methods. So, your claim that they won't lie in court or that court has some power over their corrupt activities is false. They consistently mislead everyone they can about both encryption and backdoors. They even exit courts when caught without any criminal penalties whatsoever. James Comey is in fact still free and directing the FBI despite caught in tons of lies from Congress to courts to media.
FBI will lie about these topics in court. They've done it consistently for over a decade now and nobody there has been imprisoned for it. QED.
This detail does not support 'FBI lies to federal judiciary in psyop to mislead everyone about their iPhone-cracking capabilities' in any meaningful way.
I agree that's a silly scenario. That didn't stop it from being their exact position in San Bernardino. They were using it to prop up the All Writs Act as a tool to force any telecom to provide backdoors or exploits for them. They wanted it as a precedent. It would make their job so much easier. They bullshitted the courts saying they needed Apple's help, Apple resisted well, they backed off, and then they suddenly could crack it anyway. Tada!
Unlikely. First, we know what they paid for the hack, and secondly, the iPhone involved was an old model without a secure enclave - multiple researchers suggested different attacks.
Smartphones shouldn't be trusted in such a scenario. Many journalists will use them anyway. In that scenario, Apple is probably better since they're not a surveillance company and it's harder to load malware.
So a journalist should use a dumbphone, where every text and call is transmitted in the clear, and the contents of the address book is stored unencrypted, rather than buy an iPhone and leave it at home when attending sensitive meetings?
The policy of most domestic TLAs is to watch for encrypted calls. Those targeting journalists will likely have the journalist's main number in their system. Disposable, dumb phones on both sides are safer. Although the NSA can detect that, I haven't heard that many others do, or easily.
Typical advice applies, too. Keep batteries out. Drive away from normal location to somewhere with plenty of people in cell radius but off camera. Batteries in, make call. Prearranged times or periods.
There are lots of executives and lay people that value privacy. I've met many. In this scenario, the journalist really just needs to be able to receive the call. The need for the OPSEC is mostly on the person leaking stories. They can do less if they don't mind consequences, though.
If your threat model includes an adversarial nation-state that is known to engage in passive mass surveillance, using burner phones while transmitting all communication unencrypted is a terrible idea.
But the OP doesn't go around saying one branch of smartphones is the best of a bad bunch - he goes around saying that they are good. How does he know? Is he better at reverse engineering than everyone at the NSA put together? (And that's not even taking into account all the potential wrench attack targets at a large US company.)
It means: on what basis can you stand and say to people whose lives may be at risk that you trust Apple's press releases?
Please don't respond with the strawman you keep using of Iphone vs. Android. I am not arguing that Android is more secure. I am saying that taking either to meet an at risk source is bad. Your advice on this forum will contribute to journalists feeling comfortable doing this.
I want to preface this with an apology, because I don't think there's a way to say this without sounding cliquish. For that, I apologize in advance, but because your account appears to be relatively new, I feel like this is somewhat necessary. If this account is a re-roll of a previous one, then I doubly apologize.
Things you probably don't know (whether based on account age or admissions within this thread):
* tptacek has been an exceedingly active member of this forum for many, many years
* tptacek has been giving us all free security advice for as long as I can recall
* tptacek has founded at least two successful companies primarily dealing with security
* tptacek has, in the past, given much advice that I've considered questionable at the time, but which has proven to be right to me after I've learned enough to realize my errors
And because that all sounds very much like an appeal to authority, I apologize again, but here's the thing -- the comments he made that you object to, and consider to be trolling? They're spot on. I'm not saying that you should believe him because he has a history of making believable claims. What I am saying is that you should believe him because he's far more versed on the subject at hand than you are, and that's by your own admissions within this thread.
It's worth taking a step back here and asking yourself how well you actually know the things you think you know in regards to this thread. I am honestly not savvy enough on mobile security anywhere near capably enough to suggest that he's right and that you're wrong, so please don't assume that's what I'm doing here -- but many of the people you're arguing with in this thread are people who have the requisite bona fides to make their claims with confidence, and while you are boldly asserting the opposite, you acknowledge that this is not your field of expertise, and that you haven't bothered to learn reverse engineering.
Again, if this seems harsh, please know that it isn't intended to. Language is clumsy, and I'm not its best handler on the best of days, but while you might be 100% correct in every one of the claims you've made, the consensus seems to be otherwise, and you haven't done a good job of convincing me that you should be believed over someone who literally pays their bills through the dispensation of their subject matter expertise on this type of material.
Because of the fantastic community, it's obvious that HN is a great place to teach and to learn. Knowing which to do, and when, isn't always so obvious. Most of us have made that mistake at some point. Consider whether or not you may be making it now, or figure out how to better support your claims so as to teach more effectively, but cat-pawing at each other throughout the entire thread isn't doing anyone any favors.
Thanks, but I'm not even asking him to trust me in this particular subthread. The point he made, about the NSA having better reverse engineers than everyone else, really does seem to me to be a non-sequitur.
Reverse engineering isn't zero sum. The benefit you get from reverse-engineering a closed platform doesn't vanish when someone else reverse-engineers the platform, just like your ability to read open source code isn't damaged by NSA's ability to read it faster.
Please provide some references to back up any of your claims in this or other threads. By references I mean articles by other reputable researchers (preferably peer reviewed). Blog posts and summaries of your chat logs do not count. As you are a researcher this will not be hard (a quick search in your reference manager software should suffice) - or a link to one of your articles from which I can follow the citations.
I've been on here for years. I just don't tend to remember my passwords very well :).
I am very familiar with the OP's posts. I do not want this to become personal. If you re-read this thread (and others in this discussion) you might notice that.
A strong domestic TLA should be assumed to hack or intercept all of them if companies are local. Then the game changes to the caller hiding their identity. Text-to-speech and burner phones can do that. However, messaging and email over WiFi on devices bought with cash hides voice, has better clarity, allows file transfers, and can still do voice as an attachment.
Good for people I told to keep their burners off unless transmitting from semi-anonymous locations. That's their best privacy technique if they're non-technical.
And how well did they follow this advice? Would you know if they didn't turn their burner off, or even bother with a burner? "They didn't die in a prison camp, so they must have done things right"? Lay people who value privacy can fuck up their opsec pretty badly without noticing consequences. This is getting into tiger-repelling-rock territory, where it's no measure of one's stealth skills to hide when nobody's looking.
It boils down to two areas of trust: a computer that's potentially malicious against a nation-state with stuff like QUANTUM; their ability to go somewhere remote/crowded and make calls. I'm thinking lay people can do the latter because they have for ages. The latter also takes HUMINT to counter, which is a precious resource they can't throw at all the reporters simultaneously like electronic attacks.
Given that Apple spent a lot of money last year resisting USG efforts to decrypt their smartphones, it would seem they're an especially trustworthy steward.
Except the part where they immediately agreed to help the US Government, only to find that incompetence had made the problem much harder than it should have been. They then resisted having to do a large amount of unpaid labor to continue to help. Plus, a PRISM member.
To avoid confusion for any readers, you should clarify what this means: Apple has an automated process for serving data in response to any approved FISA court orders from the FBI.
It's not even clear that PRISM implies an automated process. It appears to just be the NSA's internal name for the process of using the FBI to request stored data from service providers.
And to make this clear: U.S. companies must comply with valid court orders. Being a "PRISM member" is not optional.
Thanks for doing this. As much as the conclusion may be unpalatable to me, I think that's where any honest evaluation will end up.
Worst case, this will make people with sensitive information and without technical expertise more secure. Best case, it will compel Google and Android device manufacturers to step up.
Please recommend Silent Circle's Blackphone. We need to promote phones that secure the second operating system in every phone (BaseBand radio processors). We need to encourage open source and security hardened by people dedicated to make it completely secure.
There is probably no better hardware and platform security team in the world than the one that works at Apple (and no software platform security team in the world better than the one employed by Google).
Pretty much the only thing Silent Circle has going for it is a commitment to open source. All else being equal, open source is better than closed source. But all else is nowhere close to equal in this case.
Can you put some citations in the final version? I'd love to read that.
EDIT
Rate limited :( so replying here. Any ideas on where one can get started with a literature review on this? There is so much misinformation and so many big egos in this field, so it would be nice to know from an expert where to start.
https://gist.github.com/anonymous/9f789aabd7e8681dec0cf5781a...