A Fragile Balance

Trying to explain computer or cyber security can be like trying to explain how a nuclear reactor works – it’s complicated. Nonetheless, I want to take a moment with this post and share a letter that my company, Automattic, Inc., published today with respect to security and government requests as it relates to the recent case with Apple.

The greatest difference between the privacy one has in something like a diary and the privacy one has in the cyber world is a matter of speed and reach.

It’s simply not feasible to find the time and craft to sneak into everyone’s home in a city and look for their diaries, read them, then catalogue that information. On the other hand, if someone has a specific target and they spend the time preparing, they have a very high chance of sneaking in and getting what they want.

In the cyber world, however, things that would normally take weeks of planning and execution take place in milliseconds. Things happen so fast that we can’t feasibly spend the time planning to figure out what we want to find. Instead, it’s cheaper to just get in and take everything and then try to sort out the important findings later. In other words, even though the probability is low that we will get something valuable for any given break-in, we can repeat the experiment billions of times and hope for the best.

This is the difference between someone who takes a week to mold a key that fits your front door and then opens it easily and someone who has a ring with millions of keys on them and can try all of them out in seconds. Physically, we couldn’t try out that many keys that quickly, but electronically this happens all day every day around the Internet.

In related news, somebody recently discovered a security bug in a common piece of software that lots of other software in the industry relies on. The security relies on using very large prime numbers, but the one that had been used was discovered to be non-prime. Here is the number for reference.

143319364394905942617148968085785991039146683740268996579566827015580969124702493833109074343879894586653465192222251909074832038151585448034731101690454685781999248641772509287801359980318348021809541131200479989220793925941518568143721972993251823166164933334796625008174851430377966394594186901123322297453

When someone originally chose this number, they determined that there was a very low chance that it would turn out to be non-prime. In fact, that was a one-in-one-with-twenty-four-zeros-after-it chance that it would turn out to be non-prime, so there is very little blame to be given for the person who chose it. The fact that it’s not prime, however, means that the security behind the algorithm that was using it is severely crippled and it becomes trivial to break just by incorporating some simple math tricks.

The point of this is that computer and cyber security is a very fragile system and a small perturbation is more than enough to allow unintended parties to gain access to systems and data that were intended to be safe and private.Within a year of the release of DVDs to the mass markets and before there were even 10,000 DVDs sold globally, a 16-year-old hacker played a big role in cracking the security meant to prevent people from copying the films from the discs.

Today, the FBI and the Department of Justice is asking Apple to not only help them recover information from the iPhone of a terrorist, but they are asking Apple to build documented security flaws into the iPhone operating system. This is a fascinating and monumental case whose discussion is far broader than this post is able to cover. In short, the things the FBI wants would effectively eliminate any security mechanism built into Apple’s products and it would be no more than a short matter of time before other governments or malicious hackers got access to the same methods of access. Cyber security is a fragile thing and one weakness on one device is a major weakness to all related devices.

Apple has been doing all it legally can to refuse the request and protect its customers. We support their work and believe that the consequences of compliance will bring severe and broad risks to the protection of personal privacy, whether it protects those at risk of political retribution, embarrassing personal revelations, damaging financial misconduct, or even of the release of immodest pictures meant for specific audiences.

Following is the amicus brief published today by Automattic, Inc., alongside many other major technology companies who work hard to protect their customers.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s