Hard Light Productions Forums

Off-Topic Discussion => General Discussion => Topic started by: karajorma on February 19, 2016, 01:43:30 am

Title: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: karajorma on February 19, 2016, 01:43:30 am
Well kids, it looks like Cybersecurity's experiment in Ritalin deprivation has well and truly thrown his hat into the ring over the issue of the FBI trying to force Apple to hack the San Bernardino phone.

In an impressive speech he manages to mention Hitler, set back the public view of hackers to the early 80s and threaten to eat his own shoe on national TV. But don't take my word for it, read the whole thing on Ars (http://arstechnica.com/staff/2016/02/mcafee-will-break-iphone-crypto-for-fbi-in-3-weeks-or-eat-shoe-on-live-tv/).



And then afterwards we can have a serious debate about whether Apple should cave in to the government demands or not.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: The E on February 19, 2016, 02:00:08 am
That poor shoe, what has it ever done to deserve being eaten....
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Mammothtank on February 19, 2016, 02:06:57 am
Poor, poor shoe :(

Btw, what the hell's the Berdinando Phone?
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: The E on February 19, 2016, 02:15:35 am
It's an iPhone the FBI seized in a terrorism case. Since they can't crack it, they used an over 200 year old statute to force Apple to produce a firmware for that specific phone which would allow the FBI to submit pin codes to it electronically without triggering any of the auto-delete features these things have.

Apple is fighting this, because they believe (rightly so, IMHO) that the average user's right to privacy trumps the state's right to the information on that phone.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Rhys on February 19, 2016, 02:19:28 am
Quote
Poor, poor shoe :(

Btw, what the hell's the Berdinando Phone?

The phone belonging to one of the shooters in that attack in San Bernardino, California a few months ago. A few days ago, the DOJ specifically ordered Apple to create a custom piece of firmware to bypass the encryption on the device.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: karajorma on February 19, 2016, 02:45:53 am
BTW, in case you hadn't noticed it, he's claiming that he's going to figure out the PIN code using social engineering. On a dead man's phone.

Yeah, even rubber-hose cryptanalysis isn't going to help you in this case.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: NGTM-1R on February 19, 2016, 02:56:45 am
Says the man who claims he faked heart attacks in a Guatemalan jail to avoid being questioned on the murder of his neighbor in Belize.

EDIT: McAfee, that is, not Karajorma. I'm sure Karajorma's escapades in China with the MSS are equally entertaining, but he hasn't blogged about them to my knowledge.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: karajorma on February 19, 2016, 03:08:43 am
Quote
EDIT: McAfee, that is, not Karajorma. I'm sure Karajorma's escapades in China with the MSS are equally entertaining, but he hasn't blogged about them to my knowledge.

I could tell you, but then I'd have to kill you. :p
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Bobboau on February 19, 2016, 05:47:33 am
If Apple doesn't do it for them, the DOJ/FBI is just going to do their own thing and have a team dedicated to cracking iPhones. I'm sorta surprised they don't already.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: karajorma on February 19, 2016, 06:22:17 am
There's another article about the subject on Ars. It's quite interesting how what you'd think of as just casual PIN number level security is actually causing them such a problem. I mean it takes next to no work to watch someone and figure out their key, but if you don't have it, then it's remarkably difficult to crack.

Basically they can't upload new software to the phone unless they have Apple's key. I assume they could simply upload a new OS and hope that they could recover data but they would also risk losing everything that way.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: The E on February 19, 2016, 06:28:09 am
If it was as simple as uploading new firmware, they would have done it already.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: karajorma on February 19, 2016, 06:37:18 am
Well once a new OS was uploaded you'd just need to scan the flash memory and try to recover files. If the case had gone against them, I suspect they'd try it since they'd have nothing to lose.

Of course if the phone memory was itself encrypted, you'd be screwed. And without the PIN number, there might be no way to know.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: The E on February 19, 2016, 06:44:26 am
AIUI, iPhones use the PIN as one component of their decryption keys, so unless you have the PIN, you won't be able to decrypt the phones' content.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Bobboau on February 19, 2016, 08:11:32 am
One would think the FBI, for one of their biggest cases and national security, would be able to disassemble the phone and retrieve the content of the phone's (encrypted) memory without a very public spat with the phone's manufacturer. And we know there is a small town sized data center dedicated to cracking encryption owned by the NSA.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Dragon on February 19, 2016, 08:27:57 am
Can't they just brute-force it? It's a bloody 4-digit number (at least on my phone). How hard can that be? 9^4 equals 6561. A lot of tedious clicking, but hardly impossible even if you have to hire a human to do it, given a few days. Or do the Apple phones use some sort of feature to prevent that?

I don't like this situation because either way, it can establish a dangerous precedent. If the FBI gets their way, that means the government can force corporations to give up access to private data (admittedly, this wouldn't be the first time it happened. Even Swiss banks were forced to do that). On the other hand, if Apple gets their way, that means corporations can get away with denying government directives. I think the latter case could potentially be worse, as corporations are much less accountable than all but the most dictatorial of governments.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: The E on February 19, 2016, 08:53:14 am
Quote
Can't they just brute-force it? It's a bloody 4-digit number (at least on my phone). How hard can that be? 9^4 equals 6561. A lot of tedious clicking, but hardly impossible even if you have to hire a human to do it, given a few days. Or do the Apple phones use some sort of feature to prevent that?

Several things about this: iPhones slow down passcode entries if too many false ones are entered sequentially; in addition, if too many passcode entry attempts fail, iOS may wipe the phone. The FBI wants Apple to provide them with a firmware that disables any autodeletion features and that additionally allows them to use WiFi or Bluetooth or USB or whatever to submit pin codes to the device electronically, bypassing the timeout mechanisms in the process.
Furthermore, it is unknown what exactly the passcode is. It could be a 4-digit pin; it could be 6 digits, or it could be this (https://twitter.com/yossy1999116/status/662880539880194048).

Quote
I don't like this situation because either way, it can establish a dangerous precedent. If the FBI gets their way, that means the government can force corporations to give up access to private data (admittedly, this wouldn't be the first time it happened. Even Swiss banks were forced to do that). On the other hand, if Apple gets their way, that means corporations can get away with denying government directives. I think the latter case could potentially be worse, as corporations are much less accountable than all but the most dictatorial of governments.

What the latter case actually means is that corporations would be forced to build backdoors into their devices. This completely undermines their basic security, and is thus undesirable; you are endangering sensitive data of millions of people just to have a way to get at the data of a couple hundred. This is not a proportional response.

Secondly, consider that one of the minor points of contention between the US and China at this moment is the US' insistence that Chinese vendors should stop adding backdoors into systems shipped to the US. Do you want to live in a world where the US is allowed to do this, but everyone else isn't? Or worse, a world where no device can ever be considered trustworthy enough for sensitive information?
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Phantom Hoover on February 19, 2016, 09:46:38 am
Calling this a 'backdoor' seems dramatic. Rule 1 of netsec is that an attacker with physical access always wins. I'm frankly amazed that the FBI apparently can't just pull the data out of the phone and brute force it without needing Apple's help; possibly they're just leaning on Apple first because it's easier.

If your private data is vulnerable to brute-force attacks like this, it isn't securely private in the first place.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Phantom Hoover on February 19, 2016, 09:50:19 am
I mean, the basic fact of the matter is that the keys to backdoor your phone already exist. Are you really saying Apple can be trusted with them any more than the government can?
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: The E on February 19, 2016, 10:01:19 am
Quote
Calling this a 'backdoor' seems dramatic. Rule 1 of netsec is that an attacker with physical access always wins. I'm frankly amazed that the FBI apparently can't just pull the data out of the phone and brute force it without needing Apple's help; possibly they're just leaning on Apple first because it's easier.

If your private data is vulnerable to brute-force attacks like this, it isn't securely private in the first place.

Please read this (https://www.apple.com/business/docs/iOS_Security_Guide.pdf).

Every piece of information of interest here is encrypted in AES-256 or better, using keys based on the crypto hardware in the device itself. Without retrieving the hardware keys (which ultimately requires having the passcode for the device), it's doubtful that a brute-force attack on the encrypted data would succeed in reasonable time.

So yes. Leaning on Apple is definitely easier than trying to break AES.

Quote
I mean, the basic fact of the matter is that the keys to backdoor your phone already exist. Are you really saying Apple can be trusted with them any more than the government can?

Ultimately, yes. Unless, of course, it's in Apple's business interest to use weak security.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Phantom Hoover on February 19, 2016, 10:09:57 am
Here's an article from Ars Technica (http://arstechnica.com/apple/2016/02/encryption-isnt-at-stake-the-fbi-knows-apple-already-has-the-desired-key/) to back up my stance: the FBI are asking for help with brute-forcing the PIN, not the master keys for the encryption on every Apple device.

And come on, man, telling me we should trust corporations because 'it's against their business interests to **** us over' is classic libertarian bull****. At least the government is nominally accountable to the people.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: The E on February 19, 2016, 10:20:02 am
There's a reason why I use a rooted android phone :)
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: The E on February 19, 2016, 10:49:06 am
The more serious answer here is that I rate the security of my data higher than the ability of law enforcement to access it. Ultimately, this is yet another attempt to put the genie of widely available strong encryption back in the bottle, and I am absolutely convinced that we need those tools to be available, even if it means that criminals may communicate freely.

I do recognise that what the FBI is asking for here is extraordinarily limited. They specifically asked for a firmware that only runs on that specific phone; not some sort of FBiOS they can slap onto any device they want. They are to be commended for the restraint shown, absolutely. But equally absolutely, someone needs to object to this, the powers of the writ the FBI used here need to be continually re-examined.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Phantom Hoover on February 19, 2016, 10:58:53 am
If you seriously think that brute-forcing a 4-digit PIN is at risk of putting the encryption genie back in the bottle you've severely misunderstood the status quo. Strong encryption is not in any way threatened by what the FBI are asking for; the only way this is putting your privacy at risk is if you trusted 13 bits of entropy to keep it secure, in which case it never actually was.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: The E on February 19, 2016, 11:05:05 am
There is something to that argument.

I may need a bit to reevaluate my opinions in this matter.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: karajorma on February 19, 2016, 11:23:31 am
Yeah but it's not just the simple PIN encryption that is at stake here. The fact that the FBI are pushing the camel's nose into the tent is when you should protest. The rest of the camel will be much harder to complain about.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: The E on February 19, 2016, 11:47:14 am
Having reevaluated, and having read this article on Ars Technica (http://arstechnica.com/apple/2016/02/encryption-isnt-at-stake-the-fbi-knows-apple-already-has-the-desired-key/), I've come to the conclusion that I've been arguing for the wrong team here. PH is right; I was wrong.

The thing to consider here is that this request by the FBI isn't actually a new thing; Apple has in the past agreed to similarly scoped requests. Their turnaround here seems to be more of a PR ploy than anything else.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Phantom Hoover on February 19, 2016, 11:56:06 am
Quote
Yeah but it's not just the simple PIN encryption that is at stake here. The fact that the FBI are pushing the camel's nose into the tent is when you should protest. The rest of the camel will be much harder to complain about.

Google and Apple both redesigned the security schemes on their phones so that they didn't have the ability to break them, because they were regularly unlocking devices whenever asked to by law enforcement. The camel's been in the tent for a long, long time.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Bobboau on February 19, 2016, 02:32:21 pm
I honestly think this is about establishing precedent rather than the FBI actually being unable to crack this phone.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Phantom Hoover on February 19, 2016, 02:40:51 pm
The precedent of tech companies working with law enforcement to crack their devices has been around for a long, long time. This is a publicity stunt by Apple more than anything else.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: karajorma on February 19, 2016, 08:08:23 pm
I don't completely disagree with you there. The problem is that Apple have designed a phone that they can hack. And now they have to save face when it comes to being required to hack it.

They should design a phone that they can't hack.

But nonetheless it is still an issue because I suspect the reason the FBI brought the case was very little to do with this particular phone, and more to do with establishing precedent.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Bobboau on February 19, 2016, 08:59:53 pm
There is a difference between a precedent of cooperation and a precedent of obligation.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Mongoose on February 19, 2016, 11:03:08 pm
Not that much, I suspect.  "Hey baby, our booty-call setup has been working great, sooooo how's about we move in together and start going antiquing?"
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Herra Tohtori on February 20, 2016, 07:38:03 am
So this is kind of interesting...

San Bernardino Shooter's iCloud Password Changed While iPhone was in Government Possession (http://abcnews.go.com/US/san-bernardino-shooters-apple-id-passcode-changed-government/story?id=37066070&nwltr=abcn_tco)

If I've understood correctly, the FBI is requesting that Apple create a new, signed firmware/version of the OS that allows brute force attacking the PIN code, rather than having the phone wipe itself clean after ten failed attempts.

But, and this is a big but, I've also seen claims that brute forcing the PIN is already possible by turning the phone off after a failed attempt, then turning it on, and trying a new number. If that is correct, then there is no real need for Apple to make it easier for the FBI or other officials to brute force their way through the PIN code and gain access to the phone data.


Again, assuming that information is correct, it does seem to me that the FBI's agenda is to create a legal precedent for forcing technology companies to create intentional backdoors on their technology so that law enforcement (and intelligence) agencies can basically use these backdoors whenever they have "need" for accessing that information.

Based on previous examples, these agencies tend to play fast and loose with things like wire tapping and other legally sanctioned breaches of privacy, and I don't believe this would be an exception.


This particular case of asking (or ordering?) Apple to help with accessing the phone might even be justified, but if they do create some kind of solution, who's to say that is the only case that solution could be used on? After the Pandora's Box is open, you can't easily close it.



Also, would be kind of tragicomic if they did crack the phone's PIN open and found that any potentially worthwhile information on it is behind another layer of encryption...
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Dragon on February 20, 2016, 10:30:49 am
They would still have to deal with delays that might incur. I imagine that it might even be possible to create an image of all data on the phone, then after it erases the data, just upload the backup and try again. However, all those measures raise the time needed for brute forcing to unacceptable levels. It could probably be done, but at an enormous cost of money, time and effort.

Again, this is not a backdoor. What they are asking for is more akin to telling Apple to remove metal plates from the front gate so they can ram through it. Nothing is being compromised except that particular phone. Sure, if they can do with that one, they can do so with any other one, but they'd have to physically acquire it first. Generally, it's common sense to consider any device that you don't have exclusive physical access to to be potentially compromised. Any device that is seized, stolen or lost is compromised, period. Also, this firmware would be useless for any phone but this particular one, because even though it can be modified to run on another one, Apple would have to re-sign that new version (as the signing system's entire point is to prevent unauthorized alterations like that).

There is no way to misuse software written specifically for a single device, one that they already have in their possession, to boot. It's hardly likely for them to misuse even the ability to force Apple to do this, because in the end, they'd still need physical access to the device in question. They might have been heavy-handed with wire tapping, but actually seizing someone's belongings is a much rarer occurrence.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: karajorma on February 20, 2016, 11:19:09 am
Okay, here's the question then. What do Apple do when they are approached by say, the Iranian government to do the same?


As I said before, this is kinda Apple's fault for writing the software in a way that made this possible.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Phantom Hoover on February 20, 2016, 01:51:48 pm
There is a lot of really serious misunderstanding of what's actually going on in this thread. Read the Ars article The E linked.

This isn't a backdoor, it doesn't make it any easier for the FBI to access properly-secured data, it's not setting a precedent because this exact practice has already been routine for years.

What this actually is is Apple's CEO noticing that privacy is a hot political issue right now and taking the opportunity to grandstand.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: karajorma on February 20, 2016, 09:26:14 pm
Quote
There is a lot of really serious misunderstanding of what's actually going on in this thread. Read the Ars article The E linked.

This isn't a backdoor, it doesn't make it any easier for the FBI to access properly-secured data, it's not setting a precedent because this exact practice has already been routine for years.

What this actually is is Apple's CEO noticing that privacy is a hot political issue right now and taking the opportunity to grandstand.

I won't deny that there is grandstanding going on. As I pointed out, it's because of the fact that Apple have made a phone that is basically insecure against their own actions. But as you pointed out yourself Apple deliberately changed things from the way they were in earlier models to avoid having to do this sort of hack. So it's obvious that they didn't want to be hacking phones in this way.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Klaustrophobia on February 20, 2016, 09:26:39 pm
The old "it's been happening for a while so it's fine" argument.  That DOES NOT make it okay.  And the fact that Apple is using this for publicity doesn't negate the fact that it's what they SHOULD do.  I don't want a corporation OR the government having unfettered access to my data (which is part of the reason I don't have a smartphone).  But if I had to pick one, it would be the corporations.  The government has proven time and time again that they don't give a flying **** about civil liberties.  It's easier to resist corporations by not buying their **** than it is the government, who can and do change the rules to suit them.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: karajorma on February 20, 2016, 09:32:42 pm
I don't think either should have access. If Apple had taken the same care over the USB port that they did with the fingerprint scanner (http://www.bbc.co.uk/news/technology-35611756), this wouldn't be an issue.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Phantom Hoover on February 21, 2016, 12:25:45 pm
Quote
As I pointed out, it's because of the fact that Apple have made a phone that is basically insecure against their own actions.

That's completely untrue. The encryption is still (as far as I know) rock hard; the only thing that Apple can circumvent is the rate limiter on passcode guesses. If you aren't using secure, high-entropy passcodes on your encrypted data then that's what made it vulnerable, not Apple or the government.

Also I'm not sure a lot of you quite grasp that encryption is a very, very, very exceptional instance of the state not being able to access your private information. Law enforcement are allowed to look at whatever they want if they have a warrant, this is a very old and probably reasonable principle; encryption is only and uniquely able to disrupt it by being physically impossible to breach without your consent.
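The technical claims traded in this thread (the passcode being only one input to the key alongside a hardware secret, the "13 bits of entropy" in a 4-digit PIN, and the rate limiter being what stands between a short passcode and exhaustion) can be put into numbers. This is an added example, not part of the original thread and not Apple's code: the PBKDF2/HMAC construction, the constructed device secrets and all function names are assumptions standing in for the real hardware-tangled derivation, and the 80 ms per attempt is the figure given in the iOS Security Guide linked above.

```python
import hashlib
import hmac
import math

# Per-attempt cost on the device (about 80 ms, the figure in the iOS Security Guide).
GUESS_SECONDS = 0.08

# Constructed stand-ins for the per-device hardware key that never leaves the chip.
DEVICE_UID = hashlib.sha256(b"constructed device UID").digest()
OTHER_UID = hashlib.sha256(b"constructed UID of some other machine").digest()

# (alphabet size, length) for passcode styles of the kind discussed in the thread.
PASSCODE_CLASSES = {
    "4-digit PIN": (10, 4),
    "6-digit PIN": (10, 6),
    "6-char lowercase+digits": (36, 6),
    "10-char mixed alphanumeric": (62, 10),
}


def derive_key(passcode, device_uid, iterations=20):
    """Simplified model: stretch the passcode, then key the result with the
    device secret. The iteration count is a demo value, not a real setting."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", passcode.encode(), b"constructed-salt", iterations
    )
    return hmac.new(device_uid, stretched, hashlib.sha256).digest()


def entropy_bits(alphabet, length):
    """Entropy of a uniformly random passcode, in bits."""
    return length * math.log2(alphabet)


def worst_case_seconds(alphabet, length, per_guess=GUESS_SECONDS):
    """Time to try every passcode once delays and auto-erase are out of the way."""
    return (alphabet ** length) * per_guess


def search_numeric(target_key, device_uid, length):
    """Try every numeric passcode of the given length against target_key.
    Each guess needs device_uid, so the search only works where that secret is."""
    for n in range(10 ** length):
        guess = f"{n:0{length}d}"
        if hmac.compare_digest(derive_key(guess, device_uid), target_key):
            return guess
    return None


def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    print(f"{'passcode':<28}{'entropy':>10}  worst case at 80 ms/guess")
    for name, (alphabet, length) in PASSCODE_CLASSES.items():
        bits = entropy_bits(alphabet, length)
        print(f"{name:<28}{bits:>8.1f} b  {human(worst_case_seconds(alphabet, length))}")

    # Constructed scenario: a key derived on the device from a 4-digit PIN.
    key = derive_key("4821", DEVICE_UID)
    print("with the device secret:   ", search_numeric(key, DEVICE_UID, 4))
    # Flash contents copied off the device: the secret is missing, nothing matches.
    print("without the device secret:", search_numeric(key, OTHER_UID, 4))
```

The table shows where the passcode choice stops mattering to the rate limiter: a 4-digit PIN falls in minutes once delays are removed, while a six-character lowercase-and-digit passcode already takes over five years at the same per-guess cost.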
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Phantom Hoover on February 21, 2016, 12:51:10 pm
Like, look at it this way: presumably the San Bernardino guy left the door locked on his apartment. When the police showed up there should they have just jiggled the knob and said 'welp, can't violate his privacy!'? Or when they asked the landlord for the key, should he have gone straight to the press and decried this sinister erosion of civil liberties? If you don't think law enforcement should ever be able to search anyone's belongings, how do you expect crimes to be solved? If the state is allowed, after appropriate due process, to lock someone in a jail cell for years on end, why can't they look at a phone even after due process?
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Herra Tohtori on February 21, 2016, 01:07:21 pm
I don't really care much about the details - they're asking Apple to provide assistance in breaking into one of their customer electronics devices. That means they're expected to undermine their own security solutions and, in doing so, make it at least theoretically possible for other parties to replicate the feat. Even if it's just facilitating easier brute force attack on a simple numerical PIN code. Of course the same won't work on strong passwords, but it's the underlying principle that disturbs me.


No company should ever be expected to do that and even if they've done this in the past, it's quite reasonable for them to say, "We don't want to do this".


The question isn't whether companies can, or are allowed to, offer such assistance. Rather, the question is should it be possible for the law enforcement or intelligence organizations to force them into giving that assistance by a court order (under threat of fines, sanctions, or even personal criminal consequences). If that were to happen, then it could become a worrisome precedent case - if it were to be held up in the supreme court, when the case inevitably ends up there.


So far, though, it appears this is not much more than FBI being pissed that Apple is not jumping to render the assistance they think they're entitled to, and that's causing some waves in social media as well as in the US legislative functions (senate/congress).


Quote
Like, look at it this way: presumably the San Bernardino guy left the door locked on his apartment. When the police showed up there should they have just jiggled the knob and said 'welp, can't violate his privacy!'? Or when they asked the landlord for the key, should he have gone straight to the press and decried this sinister erosion of civil liberties? If you don't think law enforcement should ever be able to search anyone's belongings, how do you expect crimes to be solved? If the state is allowed, after appropriate due process, to lock someone in a jail cell for years on end, why can't they look at a phone even after due process?


No, see, the analogy is this: The terrorist's house has a special lock that requires a specific key to open. The terrorist has rigged his entire house to explode if someone tries to break in, and there's no other way to defuse it than to legitimately open the lock. So FBI goes to the lock company and asks for them to help them gain access to the house.

The lock company can make a key, but that same key will - if someone gets access to it - make it possible for anyone to open any of those other locks around the world. Lock company doesn't feel comfortable with the situation, and explains that they don't think they should make that key in the first place, much less entrust it to FBI, or anyone for that matter.


Of course the analogy fails because digital information is much easier to protect with passwords and encryption, while physical evidence is impossible to hide in such a way. That's why the police doesn't need to ask for the lock company to open the door - they can just break in and enact their search warrant.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Phantom Hoover on February 21, 2016, 01:17:50 pm
You've apparently read nothing I've said. Would it be wrong for the FBI to require, with a court order, that the shooters' landlord give them access to their apartment?
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Herra Tohtori on February 21, 2016, 01:21:12 pm
I was including your latest comment in my post to avoid double posting, it just took a while to type.

It's a different situation, and getting the landlord to open the door doesn't compromise the lock security of the rest of the population - it's just done to keep the door intact.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Phantom Hoover on February 21, 2016, 01:24:36 pm
This measure does not compromise the phone security of the rest of the population. If your phone security is contingent on a 4-digit passcode the thing compromising it is reality, not the government.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Herra Tohtori on February 21, 2016, 01:33:22 pm
Quote
This measure does not compromise the phone security of the rest of the population. If your phone security is contingent on a 4-digit passcode the thing compromising it is reality, not the government.


This particular measure, maybe not. As I said, the details are not the crux of this matter.


The problem is in the principle of the thing - should the government be allowed to force companies to compromise the security in their devices for law enforcement or intelligence access in general?


And before you say that the measure doesn't compromise the phone security, I would argue that yes, it theoretically does. It might be unlikely, but it would be in theory possible for someone to gain access to the new firmware that allows easier brute force attacks on the PIN code.


You're correct that a longer, stronger password would probably frustrate any brute force attack within human life time, but again - it's the principle of the thing. If FBI gets approval to force Apple into rendering this assistance, that could easily end up becoming a precedent case if it were to be upheld in the supreme court. Supreme court decisions tend to be interpreted almost like laws in themselves, after all.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Ghostavo on February 21, 2016, 01:36:05 pm
They are asking for a tool to allow for a faster retry of your PIN number which, as someone else showed in this very thread:

Quote
It could be a 4-digit pin; it could be 6 digits, or it could be this (https://twitter.com/yossy1999116/status/662880539880194048).

If you allow brute force approaches to be faster you ARE weakening security.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Dragon on February 21, 2016, 04:20:20 pm
Quote
And before you say that the measure doesn't compromise the phone security, I would argue that yes, it theoretically does. It might be unlikely, but it would be in theory possible for someone to gain access to the new firmware that allows easier brute force attacks on the PIN code.

Except it doesn't compromise it even theoretically. See this article (already posted on the previous page):
http://arstechnica.com/apple/2016/02/encryption-isnt-at-stake-the-fbi-knows-apple-already-has-the-desired-key/
There's nothing stopping an independent hacker from writing the same thing FBI wants Apple to write. The entire purpose of Apple's digital signature system is to prevent such unauthorized updates from being applied. The thing that only Apple can do is authorizing that particular phone to install the altered firmware. Any modifications (needed to make it run on other phones) would invalidate the signature, making the software useless.

This situation is pretty much analogous to asking for a master key to search someone's house. Very much justified in here, I think that FBI should have the ability to search someone's phone if they have a warrant (which they do).
Quote
The old "it's been happening for a while so it's fine" argument.  That DOES NOT make it okay.  And the fact that Apple is using this for publicity doesn't negate the fact that it's what they SHOULD do.  I don't want a corporation OR the government having unfettered access to my data (which is part of the reason I don't have a smartphone).  But if I had to pick one, it would be the corporations.  The government has proven time and time again that they don't give a flying **** about civil liberties.  It's easier to resist corporations by not buying their **** than it is the government, who can and do change the rules to suit them.

Have you ever tried boycotting a giant, multinational corporation like Apple or Google? Here's a hint. It doesn't work. Corporations are less vulnerable to public opinion than just about any form of government short of a military dictatorship (yes, even an absolute monarch is, by some measures, more accountable). Have you seen the things they get away with? The government must be careful about changing the rules, or it's going to, well, stop being the government. A corporation may lose customers, but it'd take a lot more to put a dent in it, especially as they tend to be spread over multiple nations. Not to mention that in many cases you'd have to stop using their services altogether, as opposed to directly paying them. Google gets a huge amount of money from its search engine, despite it not costing a regular user a single cent (and IIRC, even getting it to find your website is free). Not even a violent revolution against them is feasible, since they're not located in any particular place nor headed by a particular person (both the headquarters and the CEO are important, but ultimately replaceable). Government regulations are the only thing keeping them in check (relatively speaking).
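The device-specific signing described in the post above, as an added example that is not part of the thread and is not Apple's code: the vendor signs the image together with one device's ID, so the same signed image is rejected by every other device and by the target device once the image is modified. The toy RSA key, the function names and the device IDs are assumptions made for illustration.

```python
import hashlib

# Toy RSA key built from two Mersenne primes. Far too small for real use;
# it stands in for the vendor's signing key (an assumption of this example).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held only by the vendor


def _digest(firmware: bytes, device_id: str) -> int:
    """Hash the image together with the ID of the one device it is meant for."""
    h = hashlib.sha256()
    h.update(len(firmware).to_bytes(8, "big"))  # length prefix keeps fields unambiguous
    h.update(firmware)
    h.update(device_id.encode())
    return int.from_bytes(h.digest(), "big") % N


def vendor_sign(firmware: bytes, device_id: str) -> int:
    """Vendor side: authorise this image for this device only."""
    return pow(_digest(firmware, device_id), D, N)


def device_accepts(firmware: bytes, signature: int, own_id: str) -> bool:
    """Device side: verify with the public key (N, E) and its own hardware ID."""
    return pow(signature, E, N) == _digest(firmware, own_id)


def demo() -> dict:
    image = b"constructed firmware image"           # constructed sample
    target, other = "DEVICE-0001", "DEVICE-0002"    # constructed device IDs
    sig = vendor_sign(image, target)
    return {
        "target_device": device_accepts(image, sig, target),
        "other_device": device_accepts(image, sig, other),
        "patched_image": device_accepts(image + b"!", sig, target),
        "unsigned_forgery": device_accepts(image, 12345, other),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:17} accepted={ok}")
```

Only the holder of the private exponent can produce a signature any device will accept, which is why the whole scheme rests on how well that key is protected.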
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: The E on February 21, 2016, 04:43:32 pm
What the FBI is effectively asking for here is for a landlord to open the door to a suspect's home. The privacy implications are the same, the legal framework is in principle the same; the only difference here is that the landlord in question has more money than most to burn on lawsuits.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Ghostavo on February 21, 2016, 04:53:22 pm
Not really, the landlord actually owns the property being searched. This case is more akin to a safe maker being asked for an easier way to crack their safes.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: The E on February 21, 2016, 04:58:15 pm
And Apple still owns the software running on the iPhone, according to the EULA.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Herra Tohtori on February 21, 2016, 09:29:30 pm
Quote
And before you say that the measure doesn't compromise the phone security, I would argue that yes, it theoretically does. It might be unlikely, but it would be in theory possible for someone to gain access to the new firmware that allows easier brute force attacks on the PIN code.
Except it doesn't compromise it even theoretically. See this article (already posted on the previous page):
http://arstechnica.com/apple/2016/02/encryption-isnt-at-stake-the-fbi-knows-apple-already-has-the-desired-key/
There's nothing stopping an independent hacker from writing the same thing FBI wants Apple to write. The entire purpose of Apple's digital signature system is to prevent such unauthorized updates from being applied. The thing that only Apple can do is authorizing that particular phone to install the altered firmware. Any modifications (needed to make it run on other phones) would invalidate the signature, making the software useless.


That doesn't seem internally consistent.

True - a malicious hacker could write the same thing FBI wants Apple to provide for them. It is also true that to get it to work, they would have to do the extra work of perfectly spoofing Apple's digital signature system. That would be required to authorize the software update.

The former part is more likely than the latter - the best chance of spoofing Apple's digital signatures is to hack (or social engineer) Apple and gain the required information.

The same method could, in theory, be used to gain access to the specific software that enables brute forcing through the PIN code layer of security. Or they could hack FBI or whichever law enforcement organization received the software for their use (their security is probably worse than Apple's because FBI doesn't need to protect their profit margins). In that case, the malicious hacker doesn't even need to do any work besides that required to gain the information, which they can then use to brute force their way into any phone that is compatible with the modified OS.

And before anyone says, I fully acknowledge that it would require quite a convoluted chain of "ifs" to be fulfilled before the proposed "brute force" attack enabling version of the OS could be used for any malicious purposes by a third party. But it is theoretically possible.


But, once again, the details of *this particular case* are not really what interests me.

The core issue is that Apple is asked to undermine their own security solution on their devices. Question is, should the government be allowed to make such requests into demands or orders instead of just politely asking if they would like to help in this matter.

Quote
This situation is pretty much analogous to asking for a master key to search someone's house. Very much justified in here, I think that FBI should have the ability to search someone's phone if they have a warrant (which they do).


It isn't anywhere close to analogous because of the differences between digital security and real life security, like doors and locks.


And, by the way, I fully agree that in this particular case, it might well be justified to use any means necessary to open the phone. But the implications of forcing Apple into doing it could be much bigger than are acceptable.


The real question, in my opinion, remains: Should governments be allowed to force IT companies to undermine their own security solutions?

Are they entitled to do so? If yes, to what degree? Will the limit be just making brute force attacks feasible and hoping for a weak password? Or would more complicated demands, like fully developed backdoors, be considered? And in what context would these tools be used? Regular criminal cases? Terrorism investigations? Issues of national security? How to guarantee no warrantless access, or access by third parties?
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: The E on February 22, 2016, 01:31:28 am
Quote
The real question, in my opinion, remains: Should governments be allowed to force IT companies to undermine their own security solutions?

Are they entitled to do so? If yes, to what degree? Will the limit be just making brute force attacks feasible and hoping for a weak password? Or would more complicated demands, like fully developed backdoors, be considered? And in what context would these tools be used? Regular criminal cases? Terrorism investigations? Issues of national security? How to guarantee no warrantless access, or access by third parties?

The current law seems to be (IANAL) that requests or orders like this have to be extremely limited. An order to unlock a device or account is OK, an order to unlock every device is not.

Similarly, a law that would make comprehensive encryption solutions illegal would also not be OK.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: MP-Ryan on February 25, 2016, 01:39:04 pm
Quote
If apple doesn't do it for them, the DOJ/FBI is just going to do their own thing and have a team dedicated to cracking iPhones. I'm sorta surprised they don't already.

They do.

There are a number of techniques law enforcement has for cracking into encrypted devices, but they're getting fewer with each passing day and so the calculation of risk-reward plays into it.  Do they potentially burn a cracking technique to access one device, especially one as relatively unimportant as this?

Quote
I honestly think this is about establishing precedent rather than the FBI actually being unable to crack this phone.

You are correct.  Law enforcement organizations around the world have been increasingly unhappy about the withdrawal of tech corporations from providing readily-accessible, often warrantless, access to encrypted or otherwise-sensitive electronic systems.  Of course, the authorities in this case also apparently burned the iCloud backup and made their job a lot harder in the process, so it wouldn't surprise me if they genuinely need assistance getting into this particular phone.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: karajorma on February 25, 2016, 09:32:29 pm
Yeah, the iCloud fiasco was kinda funny. You can imagine someone in the FBI office shouting "Goddamnit Carl!" over that one.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: AtomicClucker on February 27, 2016, 02:04:30 pm
Well, to be blunt I support Apple in this case because the FBI screwed up and is now asking Apple to clean up their mess.

It sets both a dangerous legal precedent for police abuse AND weakening security, as let's be honest, if Watergate and the FBI screwing with Martin Luther King, Jr and Johnny Cash have shown us, the FBI is all too human. My take is that we're simply giving the government too much leeway, and the All Writs Act is being used carte blanche for the government equivalent of a secret order to unlock encryption systems.

The very fact the FBI didn't "freeze" the data and consult Apple first before breaking into the phone nearly blew my mind.

Some of you are saying that Apple has to be complicit in abetting the government in essentially retrieving evidence THEY, THE FBI, screwed up. Criminally speaking, the government has committed a minor form of perjury by not properly isolating and procuring the evidence, and that has wide and dangerous implications for the legal system.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: MP-Ryan on February 27, 2016, 03:44:54 pm
Quote
carte blanche for the government equivalent of a secret order to unlock encryption systems.

It's not carte blanche, or secret. The order is very specific to this one phone and this one phone only.

Quote
Criminally speaking, the government has committed a minor form of perjury by not properly isolating and procuring the evidence, and that has wide and dangerous implications for the legal system.

Um, no.  That's not even remotely correct.
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: karajorma on March 05, 2016, 09:57:37 pm
Okay, I've changed my mind now that it's clear that the iPhone is obviously a doomsday weapon containing a lying-dormant cyber pathogen (http://arstechnica.com/tech-policy/2016/03/what-is-a-lying-dormant-cyber-pathogen-san-bernardino-da-wont-say/)
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: Mammothtank on March 05, 2016, 10:11:32 pm
 :shaking: Is it ChickenPox?
Title: Re: John McAfee - Apple backdoor - Godwin's, defines "Hacker", threatens to eat shoe
Post by: The E on March 07, 2016, 07:05:35 am
To get back to the OP: John McAfee really has no idea what he's talking about (http://arstechnica.com/security/2016/03/john-mcafee-better-prepare-to-eat-a-shoe-because-he-doesnt-know-how-iphones-work/).

Quote
Now I'll probably lose my admission to the world hackers' community, however, I'm gonna tell you. You need a hardware engineer and a software engineer. The hardware engineer takes the phone apart and it [sic] copies the instruction set, which is the iOS and applications [sic] and your memory, and then you run a piece, a program called a disassembler which takes all the ones and zeroes and gives you readable instructions. Then, the coder sits down and he reads through, and what he's looking for is the first access to the keypad, because that's the first thing you're doing when you input your pad. It'll take half an hour. When you see that, then you reads the instruction for where in memory this secret code is stored. It is that trivial. A half an hour.

To quote Ars: It's true that Apple could have designed the iPhone this way, if Apple was staffed exclusively by idiots.