Tag Archives: FBI

JPMorgan Chase Tooth Fairy Hack

JPMorgan Chase is the latest victim of a cyber attack. The company announced that unknown hackers broke into their computer system and stole over 80 million customers’ names, addresses, phone numbers and email addresses. This is a really odd announcement for a serious company. Believing that a hacker broke into a bank’s system only to get what he can get from the White Pages is more naïve than believing in the Tooth Fairy. It’s like believing that a burglar broke into the house just to look at the clock because he lost his watch.
The company somewhat hedged its conclusion by stating that there’s no evidence of hackers stealing anything else, while still assuring their customers that there’s nothing to worry about.
The reality is that this tells us that whoever did it is a competent hacker. He either obtained all the financial data right away and covered his tracks well enough that neither JP Morgan nor the FBI could find anything, or left malware that will be sending him that data later. This type of malware is extremely difficult to detect, and the JP Morgan/FBI failure is typical.
This is also indicative of a well-heeled hacker who is financially already very comfortable and can afford to wait until a later date when he can safely start milking the golden cow.
The scariest part of this story is that if this hacker is so good technically and so astute financially, JPMorgan Chase and its millions of customers are in for a very interesting future. At this time most banks can afford to absorb losses from cyber fraud (while of course passing the cost on to us in interest and fees). It remains to be seen how long this is going to be the case.

Apple-Google-FBI Phone Encryption Spat or Public Image Campaign?

Apple and Google announced encryption programs for their smartphones that supposedly increase their customers’ privacy. As a result we’ve just seen a very public privacy vs. security debate with Apple, Google, and the FBI making statements worthy of desperate pre-election politicians. An interesting aspect is that the debate rages around the technical issue of encryption, even though practically no technical information has been released. So no technical evaluation of the claims is feasible, but a closer look at the underlying issues seems in order.

First of all, the very basis of encryption as we know it is that every party privy to encrypted data has to have the key. Simply put, this means that there are always at least two keys involved. Even if you encrypt your files within your own computer with a password that you remember, there has to be a reciprocal key somewhere in your computer for validation. Otherwise, there is no encryption.

Apple and Google announced that they would no longer have a “master key,” or possibly a database of the passwords of all users, on their servers. (A very interesting question pops up: how are they going to update the software in your phone or computer? That wasn’t mentioned.) That sounds like they’re transferring your privacy destiny into your own hands. It’s just not so. Suppose they really aren’t going to have your password. What they’re really saying is that somebody else will have your password, presumably your mobile phone carrier. So the whole hoopla is really about them saying that they don’t want to deal with Government demands for massive amounts of our private data. They’re just saying that the Government has to deal with someone else.

The best case scenario here would be for Apple and Google encryption to be arranged in a way that your personal data such as your rolodex, your pictures and notes, etc. would be stored in your phone encrypted with your personal password, and your carrier would not have a copy of it.

Either way, the FBI has a difficult case to complain about. Their statement that encryption will hinder criminal investigation is clearly disingenuous. It’s not a matter of technical difficulty; it’s a matter of convenience and constitutionality. The only problem this would create for the FBI is that they couldn’t come to a company with a vague, sweeping order for a vast amount of private data belonging to a lot of its customers. They’d have to hack every suspect’s phone individually. This is certainly not difficult, and if they don’t know how to do it they can consult the NSA. They’d also have to go to court to obtain a search warrant for every individual suspect. Inconvenient, but that’s the way the Constitution meant it to be.