Apple Deluged By Police Demands To Decrypt iPhones

← Back to Stories (view on slashdot.org)

Apple Deluged By Police Demands To Decrypt iPhones

Posted by Soulskill on Saturday May 11, 2013 @03:11PM from the atf-struggles-with-slide-to-unlock dept.

New submitter ukemike points out an article at CNET reporting on a how there's a "waiting list" for Apple to decypt iPhones seized by various law enforcement agencies. This suggests two important issues: first, that Apple is apparently both capable of and willing to help with these requests, and second, that there are too many of them for the company to process as they come in. From the article: "Court documents show that federal agents were so stymied by the encrypted iPhone 4S of a Kentucky man accused of distributing crack cocaine that they turned to Apple for decryption help last year. An agent at the ATF, the federal Bureau of Alcohol, Tobacco, Firearms and Explosives, 'contacted Apple to obtain assistance in unlocking the device,' U.S. District Judge Karen Caldwell wrote in a recent opinion. But, she wrote, the ATF was 'placed on a waiting list by the company.' A search warrant affidavit prepared by ATF agent Rob Maynard says that, for nearly three months last summer, he "attempted to locate a local, state, or federal law enforcement agency with the forensic capabilities to unlock' an iPhone 4S. But after each police agency responded by saying they 'did not have the forensic capability,' Maynard resorted to asking Cupertino. Because the waiting list had grown so long, there would be at least a 7-week delay, Maynard says he was told by Joann Chang, a legal specialist in Apple's litigation group. It's unclear how long the process took, but it appears to have been at least four months."

174 of 239 comments (clear)

Min score:

Reason:

Sort:

Is Apple being compensated? by APE992 · 2013-05-11 15:15 · Score: 5, Interesting

If they're going to expect Apple to spend time doing their work for them are they are least compensating them for the time and energy necessary for this?
1. Re:Is Apple being compensated? by noh8rz10 · 2013-05-11 15:24 · Score: 4, Interesting
  
  i see this story as being a GOOD thing, generally speaking. the feds are stumped by my iphone. now the only people we need to cockblock are in cupertino...
2. Re:Is Apple being compensated? by Anonymous Coward · 2013-05-11 15:26 · Score: 4, Insightful
  
  You're kidding, right? The real issue is that Apple has a backdoor to decrypt its customers' private information. That is outrageous.
  It is irrelevant how much Apple spends to operate that backdoor.
3. Re:Is Apple being compensated? by Anonymous Coward · 2013-05-11 15:26 · Score: 1
  
  Why do you care?
4. Re: Is Apple being compensated? by Anonymous Coward · 2013-05-11 15:33 · Score: 5, Informative
  
  Now you know and knowing is half the battle. Don't buy iPhone.
5. Re: Is Apple being compensated? by fustakrakich · 2013-05-11 16:10 · Score: 5, Funny
  
  That's right. Steal somebody else's
  
  --
  “He’s not deformed, he’s just drunk!”
6. Re:Is Apple being compensated? by __aaltlg1547 · 2013-05-11 16:34 · Score: 5, Insightful
  
  You understand that in this case the police HAD a warrant. What's your complaint?
7. Re:Is Apple being compensated? by __aaltlg1547 · 2013-05-11 16:35 · Score: 2
  
  Did you receive documentation that said otherwise?
8. Re:Is Apple being compensated? by FuzzNugget · 2013-05-11 16:45 · Score: 5, Interesting
  
  You're deluding yourself if you think a backdoor is a good thing.
  No, this is overall a bad thing: Apple is able and willing to break the encryption on an iPhone, presumably through a backdoor or brute force.
  Then again, we could all be mistakenly conflating "encryption" with "lock screen", which really speaks to the level of (in)competence on the part of law enforcement.
  Hmmm, maybe this is a good thing (just not quite in the way you were thinking)
9. Re:Is Apple being compensated? by bytesex · 2013-05-11 16:59 · Score: 3, Interesting
  
  Maybe the backdoor isn't so much the crypto format itself - it's in the password to decrypt. After all - these companies have a thing for you sharing information 'in the cloud', right? What's to stop them from simply posting your password somewhere central - for recovery purposes on your (and apparently, other people's) behalf? I reckon 90% of users would find it super-convenient!
  
  --
  Religion is what happens when nature strikes and groupthink goes wrong.
10. Re:Is Apple being compensated? by node+3 · 2013-05-11 17:38 · Score: 4, Insightful
  
  You're kidding, right? The real issue is that Apple has a backdoor to decrypt its customers' private information. That is outrageous.
  It would be, were that the case. But it's all but certainly not. There's no way Apple would put an actual back door into their products.
  If you had read the article, you'd notice that the process takes four months. If they had a back door, it would take a few minutes. Also, had you read the article, you'd notice that Google will reset the password and send that to law enforcement.
  But I'm sure that's not outrageous. Lol!
  
  It is irrelevant how much Apple spends to operate that backdoor.
  That's true, but only if there was an actual back door.
  However, in all fairness, if you have proper evidence that Apple has a back door, I'll be right there with you. That would be wholly unacceptable.
11. Re:Is Apple being compensated? by blaster · 2013-05-11 17:50 · Score: 5, Interesting
  
  Apple does not have a backdoor per se. But Apple does have the device signing key and can thus completely compromise the chain of trust. The only thing stopping you from compromising a phone with a 4 digit passcode in seconds by brute forcing it is the fact that software rate limits attempts, and the option to have it delete its intermediary keys after 10 bad attempts. If you have the ability to load an arbitrary kernel it is trivial to bypass both of these, but only Apple has that capability, at least on devices without jailbreaks that can be executed them while locked.
  If you want to make sure your data is secure then use a full password and not a PIN, which will make Apple's ability to run code moot since brute forcing it will not be practical any more. You can look at https://acg6415.wikispaces.com/file/view/iOS_Security_May12.pdf/343490814/iOS_Security_May12.pdf for more info on the actual architecture.
12. Re:Is Apple being compensated? by Anonymous Coward · 2013-05-11 17:54 · Score: 2, Insightful
  
  My complaint is that the police can fuck right off if they want to decrypt anything on mine.
13. Re: Is Apple being compensated? by Thor+Ablestar · 2013-05-11 18:33 · Score: 1
  
  Buy anything where you can install your preferred encrypted OS and any connectivity module. For instance, I'd buy some CDMA modem for my OQO2 because encrypted FreeBSD runs well on it.
  But IMHO problem is not that the smartphone contains something illicit. Problem is that after Microsoft bought Skype there is NO VoIP application which is fully anonymous so THEY can still compile your contact list from your traffic logs only and apply a rubberhose decryptor (We Russians say "Rectothermal decryptor") to all your contact list.
14. Re:Is Apple being compensated? by Thor+Ablestar · 2013-05-11 18:41 · Score: 1
  
  The expression "Apple does not have a backdoor per se" basically cannot be proven unless you have a full source code. Moreover, nothing will stop a real hackers from desoldering a flash and attaching it to reader. And also: I've never seen a modern device which does not have some JTAG or similar debug port that can be useful to program the very bootloader that verifies the digital signatures of bootable code. Times when BIOS was pluggable are gone.
15. Re:Is Apple being compensated? by SeaFox · 2013-05-11 18:50 · Score: 4, Informative
  
  i see this story as being a GOOD thing, generally speaking. the feds are stumped by my iphone. now the only people we need to cockblock are in cupertino...
  No, I'd say this is a bad thing. A back log of getting these requests fulfilled will only be used as justification for there to be a regular law-enforcement back door built into a later version of iOS. "This process is taking too long and Apple is being burdened with fulfilling these requests, if only we had a way of accessing an iPhone ourselves without needing their assistance it would make things easier for all parties when investigating terrorism and child pornography..."
16. Re: Is Apple being compensated? by Fjandr · 2013-05-11 19:14 · Score: 1
  
  Unless you use a BES server hosted by someone else, a Blackberry fits the bill. Their communications can only be decrypted if you use the Blackberry servers. That's very easy to avoid.
17. Re:Is Apple being compensated? by tlhIngan · 2013-05-11 19:28 · Score: 1
  
  The expression "Apple does not have a backdoor per se" basically cannot be proven unless you have a full source code. Moreover, nothing will stop a real hackers from desoldering a flash and attaching it to reader. And also: I've never seen a modern device which does not have some JTAG or similar debug port that can be useful to program the very bootloader that verifies the digital signatures of bootable code. Times when BIOS was pluggable are gone.
  Except around the 3Gs era, Apple started hard-encrypting the flash to prevent that very attack.
  And JTAG ports can be disabled by software - I've worked on devices where once a fuse was blown, the JTAG lines were disconnected internally and thus inaccessible.
  And yes, Apple is the only one that can do it because they hold the keys. If you need to load out special software, only Apple has the private key to sign and run whatever tools they have. And they can probably read out the filesystem, figure out what the keys are and brute force what they need to brute force.
  Of course, the article doesn't say Apple has any success at all - perhaps they can crack the 4 digit passcodes that bypass the 10 code self-lockout and erasure. But you can enable a more secure form using a complex passcode. And supposedly you can enable even more sophisticated encrypted and protections.
  Or hell, we don't even know how may phones are in the queu or how long it takes Apple, It could take Apple 4 months to decrypt the iPhone. Or they may have a backlog because only one person is decrypting them and he can only do one a day or something.
18. Re:Is Apple being compensated? by blaster · 2013-05-11 20:00 · Score: 5, Interesting
  
  Would you have preferred if I had written "Apple does not actually need a backdoor per se in order toto perform the actions mentioned in the article?" My point was that what law enforcement is asking does not require a backdoor, since a lot of posters seem to think it implies there must be one. Furthermore, security researchers can and do look and see how all the signing keys etc are structured on running systems even without source code access. Is there a chance there is still something hidden, sure, but there is also a chance someone snuck a root exploit into an innocuous looking commit in an important open source project. Source code access generally does lead to more trustworthy code, but it isn't so black and white as you claim. In the end we depend on people to validate what we use, and just having the source available is not in and of itself validation.
  As for the rest of the your comments, you simply don't know what you are talking about, but you would if you had actually read the PDF I linked. First off, rewriting the bootloader via JTAG is not an option on a lot of SoC's and embedded devices once they have had some of their internal fuses blown. From the PDF:
  "When an iOS device is turned on, its application processor immediately executes code from read-only memory known as the Boot ROM. This immutable code is laid down during chip fabrication, and is implicitly trusted. The Boot ROM code contains the Apple Root CA public key, which is used to verify that the Low-Level Bootloader (LLB) is signed by Apple before allowing it to load."
  So the stuff in flash might be rewritable, but it won't be executed unless it is signed. Reading the raw flash is also completely useless, because all data written to it is AES encrypted via a DMA engine in the SoC that uses various different keys, but all of them are tied to or derived from values fused into the processor and not readable via software or JTAG (they are routed directly to the DMA block and never exposed). That means the brute force needs to be attempted on the SoC in that particular iPhone, or you need to drastically increase the search space. A suitably advanced attacker code probably also obtain the SoC keys by decapping the chip, dying it, and looking at the fuses with a scanning electron microscope, but I generally don't worry about an attacker with sorts of resources; they would probably just beat my PIN out of me...
19. Re: Is Apple being compensated? by thegarbz · 2013-05-11 20:10 · Score: 2
  
  But ask them for the encryption key first.
20. Re:Is Apple being compensated? by gd2shoe · 2013-05-11 20:22 · Score: 3, Informative
  
  The summary implies that it did only take a couple of minutes... after months of sitting on a shelf while Apple dealt with the backlog of other phones needing to be unlocked by law enforcement.
  
  --
  I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
21. Re:Is Apple being compensated? by AmiMoJo · 2013-05-11 20:31 · Score: 4, Informative
  
  The iPhone is FIPS 140-2 certified.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
22. Re:Is Apple being compensated? by pitchpipe · 2013-05-11 20:36 · Score: 1
  
  The real issue is that Apple has access to its customers' private backdoor, and that they don't like lube.
  You had some words switched around there.
  
  It is irrelevant how much Apple spends to operate that backdoor.
  Agreed.
  
  --
  Look where all this talking got us, baby.
23. Re:Is Apple being compensated? by AmiMoJo · 2013-05-11 20:40 · Score: 4, Insightful
  
  No, the backlog is 4 months. Nobody knows how long actual decryption takes, but the nature of these things is that it will either be minutes or thousands of years with a supercomputer dedicated to the task. Apple claims that it uses AES with a 128 bit key, so if they can unlock it that quickly they MUST have a backdoor to the encryption key.
  This is absolute proof that they have your encryption key on file somewhere. Others have already verified that they do indeed use AES 128.
  To cover themselves legally Apple will have to evaluate every request that comes in, handle the evidence securely (maintaining the chain of custody) and then handle the potentially sensitive and illegal decrypted data in a way that doesn't expose its staff. It's no wonder there is a backlog.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
24. Re:Is Apple being compensated? by Runaway1956 · 2013-05-11 20:52 · Score: 1
  
  Except - the PDF linked to specifically states that the encryption is dependent on the silicone within the device. The chip identifiers on the device are part of the encryption. Storage removed from the device are unreadable, until the storage media is returned to the device.
  "The content of a file is encrypted with a per-file key, which is wrapped with a class key
  and stored in a file’s metadata, which is in turn encrypted with the file system key. The
  class key is protected with the hardware UID and, for some classes, the user’s passcode.
  This hierarchy provides both flexibility and performance. For example, changing a file’s
  class only requires rewrapping its per-file key, and a change of passcode just rewraps
  the class key."
  Without the UID, soldering that storage media into anything at all renders the data unreadable, and unrecoverable.
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
25. Re:Is Apple being compensated? by Arancaytar · 2013-05-11 21:30 · Score: 1
  
  An encryption that someone needs to wait only seven weeks to get broken by the manufacturer is not, in any sense, a useful encryption.
26. Re: Is Apple being compensated? by jimicus · 2013-05-11 21:39 · Score: 3, Informative
  
  Doesn't need to be a back door - forensics products to crack phones already exist:
  http://www.msab.com/app-data/downloads/Release_Notes_(English)/XRY_release_notes_6.5_EN.pdf
27. Re:Is Apple being compensated? by Cyberax · 2013-05-11 21:44 · Score: 1
  
  Are you stupid? Apple holds your encryption keys in escrow so you can restore them if you accidentally forget them. Everybody with a couple of functioning brain cells should know that if a company can restore password for you then they can do this for law enforcement as well.
28. Re:Is Apple being compensated? by Cyberax · 2013-05-11 21:45 · Score: 2
  
  Dudes, Apple holds your encryption key in escrow to allow device restores. That's even disclosed in their freaking policy.
29. Re: Is Apple being compensated? by deains · 2013-05-11 21:48 · Score: 1
  
  Or better yet, don't store sensitive data on your smartphone. Android/Windows Phone are likely to have their own backdoors as well, so simply avoiding Apple doens't necessarily solve the problem.
30. Re:Is Apple being compensated? by MxMatrix · 2013-05-11 21:53 · Score: 1
  
  i see this story as being a GOOD thing, generally speaking. the feds are stumped by my iphone. now the only people we need to cockblock are in cupertino...
  It might explain the popularity of iPhones among certain people.
  
  --
  Bach says it all.
31. Re:Is Apple being compensated? by kasperd · 2013-05-11 21:58 · Score: 4, Informative
  
  Apple claims that it uses AES with a 128 bit key, so if they can unlock it that quickly they MUST have a backdoor to the encryption key.
  The input provided by the legitimate user for decrypting the content has way less than 128 bits of entropy. So they just need to brute force that input. What Apple can do, which the forensics people might not know how to do, is to extract the encrypted data and put it on a computer, where brute forcing can happen without each input having to be entered through a touch screen. Any security one might think this adds, is nothing but security-through-obscurity. Real security of the encryption could only be achieved by the user entering some sort of password with sufficient entropy. A 39 digit pin code would be sufficient to make AES be the weakest point. But would anybody use a 39 digit pin on their phone? Anything less would make the pin be easier to brute force than AES.
  
  You can shift the balance a bit by iterating the calculation which produces a key from the pin code. A million iterations would probably be acceptable from a user experience perspective, but that would only reduce the required number of digits from 39 to 33. A milliard iterations would not be good for the user experience, since they now have to wait quite some time after entering a pin. And with the pin still needing to be 30 digits in length, they'll often need to re-enter it multiple times, before they get it right.
  
  --
  
  Do you care about the security of your wireless mouse?
32. Re:Is Apple being compensated? by beelsebob · 2013-05-11 22:36 · Score: 1
  
  Right... because changing the password hash on the disk totally changes how all the data is encrypted. Wait... no.
33. Re:Is Apple being compensated? by AmiMoJo · 2013-05-11 23:04 · Score: 1
  
  I don't know about the iPhone but Android lets you enter a password for encryption, not just a PIN. You enter it once when the phone is turned on, so it isn't a big inconvenience to pick a secure one.
  It isn't a question of if Apple can unlock the phone due to the user choosing a poor password. They can always unlock it. Someone else can confirm if they were just stupid and only allowed you to enter a PIN number instead of a real password, or if they have a copy of the key.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
34. Re:Is Apple being compensated? by Charliemopps · 2013-05-11 23:05 · Score: 5, Insightful
  
  You understand that in this case the police HAD a warrant. What's your complaint?
  That encryption is not encryption if Apple can "undo" it.
35. Re: Is Apple being compensated? by CastrTroy · 2013-05-11 23:25 · Score: 2
  
  At least with Android it seems like it would be possible to install 3rd party tools that would encrypt the data such that it would not be accessible by a back door. You can completely replace many aspects of the operating system. It would probably be not-too-difficult to install different applications to deal with email, SMS, contact lists, and anywhere else sensitive information might be stored on your phone. Windows and iOS are too closed to do this in a dependable way.
  
  --
  
  Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
36. Re:Is Apple being compensated? by Mojo66 · 2013-05-11 23:38 · Score: 1
  
  presumably through a backdoor or brute force.
  I doubt there is a backdoor because if there was then it wouldn't take them so long. Probably brute-force.
37. Re:Is Apple being compensated? by PopeRatzo · 2013-05-12 00:30 · Score: 1
  
  If they're going to expect Apple to spend time doing their work for them are they are least compensating them for the time and energy necessary for this?
  They are being compensated by not being prosecuted for tax evasion. I seriously doubt that Apple's claim that 2/3 of its profits come from outside the U.S. would stand up to any serious scrutiny.
  Even putting aside the issue of Apple keeping all it's patents in offshore shell corporations that are nothing but mail-drops.
  
  --
  You are welcome on my lawn.
38. Re: Is Apple being compensated? by Thor+Ablestar · 2013-05-12 00:30 · Score: 1
  
  Once more: I wrote not about ENCRYPTED application but about ANONYMOUS VoIP application. The attacker should be unable to FIND the FACT of communication, since if he has this fact he can torture both sides of communication or all your contact list to reveal the message.
  You propose solution that is neither anonymous (the server writes logs that can be extorted) nor VoIP (it transfers messages and files ONLY, NOT the live speech, at least I have such an impressionafter reading Wikipedia).
39. Re:Is Apple being compensated? by Impy+the+Impiuos+Imp · 2013-05-12 00:39 · Score: 5, Interesting
  
  Is it a user's password or is it Apple's? Is there a back door in the algorithm? Is it an inherently weak algorihm, but the police don't know what it is so they can't launch an attack?
  Inquiring minds want to know!
  
  --
  (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
40. Re:Is Apple being compensated? by DJRumpy · 2013-05-12 00:40 · Score: 2
  
  Yes you can set it to accept any input, not just a 4 number pin. I use it myself.
41. Re: Is Apple being compensated? by Nerdfest · 2013-05-12 00:40 · Score: 2
  
  With CyanogenMod, etc, you have the source and can verify that there isn't a back door.
42. Re:Is Apple being compensated? by Thor+Ablestar · 2013-05-12 00:43 · Score: 1
  
  Because some kinds of tree "must be refreshed from time to time". Yes, if you are proud to be American you have understood me.
43. Re:Is Apple being compensated? by sribe · 2013-05-12 00:55 · Score: 3, Informative
  
  No, this is overall a bad thing: Apple is able and willing to break the encryption on an iPhone, presumably through a backdoor or brute force.
  Brute force. 10 failed attempts at the lock screen results in the phone being wiped. But Apple can copy out the encrypted contents, and then keep guessing until they find the code, no matter how many tries.
  
  Then again, we could all be mistakenly conflating "encryption" with "lock screen", which really speaks to the level of (in)competence on the part of law enforcement.
  On the iPhone, same thing--when you set up the lock screen, it sets up a random key which is used to encrypt/decrypt data in-flight to the flash, so that nothing is stored decrypted. The passcode is used to de-scramble the key, which is stored in a special location...
44. Re:Is Apple being compensated? by sribe · 2013-05-12 00:56 · Score: 1
  
  Maybe the backdoor isn't so much the crypto format itself - it's in the password to decrypt. After all - these companies have a thing for you sharing information 'in the cloud', right? What's to stop them from simply posting your password somewhere central - for recovery purposes on your (and apparently, other people's) behalf? I reckon 90% of users would find it super-convenient!
  If that were the case, there wouldn't be a backlog ;-)
45. Re:Is Apple being compensated? by sribe · 2013-05-12 00:57 · Score: 1
  
  You're kidding, right? The real issue is that Apple has a backdoor to decrypt its customers' private information. That is outrageous.
  They don't have a backdoor. They just have the skills to get a copy of the encrypted data so they can bypass the 10-failure limit at the lock screen and brute-force the pass code.
46. Re: Is Apple being compensated? by sribe · 2013-05-12 01:01 · Score: 4, Informative
  
  Now you know and knowing is half the battle. Don't buy iPhone.
  Right, because, as the article points out:
  
  Google takes a more privacy-protective approach: it "resets the password and further provides the reset password to law enforcement," the materials say, which has the side effect of notifying the user that his or her cell phone has been compromised.
  Oh, good for google! Wait, why doesn't Apple just reset the password and provide the new password to law enforcement. Oh, yeah, right, better security--they can't just reset the password. And boy, how much better it is for the suspect's privacy that google notifies him. Let's see, he's been arrested, his phone seized, a warrant obtained to examine its contents--I'm sure he'd be so much more relieved if he were to get email from Apple when his pass code is cracked, because by god that is so important to his privacy!
47. Re:Is Apple being compensated? by sribe · 2013-05-12 01:04 · Score: 1
  
  No, the backlog is 4 months. Nobody knows how long actual decryption takes, but the nature of these things is that it will either be minutes or thousands of years with a supercomputer dedicated to the task. Apple claims [apple.com] that it uses AES with a 128 bit key, so if they can unlock it that quickly they MUST have a backdoor to the encryption key.
  It would be proof only if the user had to enter the 128-bit key to access the phone, but that of course is not the case. The user only enters a short passcode, so the key is stored somewhere in the device, protected only by whatever encryption/scrambling they can do to it with a relatively short passcode.
  
  This is absolute proof that they have your encryption key on file somewhere. Others have already verified that they do indeed use AES 128.
  It is proof of no such thing; your statement is absolutely wrong.
48. Re:Is Apple being compensated? by AmiMoJo · 2013-05-12 01:21 · Score: 1
  
  The user only enters a short passcode
  Can you absolutely confirm that you must enter a short passcode, rather than an arbitrary length password? Android allows the latter. If iOS only allows short numerical codes then... well, it's shit.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
49. Re:Is Apple being compensated? by sribe · 2013-05-12 01:39 · Score: 1
  
  Can you absolutely confirm that you must enter a short passcode, rather than an arbitrary length password? Android allows the latter. If iOS only allows short numerical codes then... well, it's shit.
  By "short", I meant significantly shorter than the hex (or base-64) version of a 128-bit key--not 4 or 6 digits. Default is 4 digits, but simply clicking the "simple passcode" option to off gets you a full keyboard for entry.
50. Re:Is Apple being compensated? by king+neckbeard · 2013-05-12 02:00 · Score: 1
  
  Couldn't law enforcement copy out the encrypted contents as well?
  
  --
  This is my signature. There are many like it, but this one is mine.
51. Re:Is Apple being compensated? by sribe · 2013-05-12 02:13 · Score: 1
  
  Couldn't law enforcement copy out the encrypted contents as well?
  You'd think so. My guess: they could get the encrypted flash contents, but maybe the encrypted key is harder to get, since it has to be stored in a special location (maybe even deliberately hard to get). Get that key, and you're brute-forcing a 4 (or 8, or 10 maybe) character passcode to decrypt it. Get only the encrypted flash content, and you're brute-forcing the 128-bit key.
52. Re: Is Apple being compensated? by Anonymous Coward · 2013-05-12 02:17 · Score: 1
  
  ... modulo a verified compiler and hardware plus a decent enough specification to allow verification.
53. Re:Is Apple being compensated? by king+neckbeard · 2013-05-12 02:21 · Score: 1
  
  Surely its not all that difficult to load the data from the internal storage elsewhere and decrypt it.
  
  --
  This is my signature. There are many like it, but this one is mine.
54. Re:Is Apple being compensated? by whoda · 2013-05-12 02:50 · Score: 1
  
  15% profit on revenue combined with minimal tax liability.
  They are being compensated just fine.
55. Re:Is Apple being compensated? by KGIII · 2013-05-12 03:03 · Score: 1
  
  The article indicates that they are the police and it goes without saying that the police are there to serve both companies and the people. We could argue the point of their ability or willingness to serve but, again, that's hardly the point. The point was that it was, and remains, an invalid complaint.
  
  --
  "So long and thanks for all the fish."
56. Re: Is Apple being compensated? by ewieling · 2013-05-12 03:03 · Score: 1
  
  Truecrypt for Android would be awesome.
  
  --
  I really shouldn't have used someone else's email address for this account.
57. Re:Is Apple being compensated? by gtirloni · 2013-05-12 03:15 · Score: 2
  
  I salute your effort to have a rational conversation. Unfortunately this is Slashdot.
  
  By the way, does anyone have suggestions for discussion sites that try to follow basic discussion rules (like forming sound arguments) as a philosophy?
  
  --
  none
58. Re:Is Apple being compensated? by BasilBrush · 2013-05-12 03:36 · Score: 3, Interesting
  
  Apple can't "undo" encryption. But a lockscreen pin code is 4 digits long. Guess how many tries they on average and as a maximum in order to brute-force it?
  Reduce that average time, because some passcodes are used more often than others. (0000,9999,1234, numbers that spell out various 4 letter words)
  After 6 attempts, you have to wait a minute before trying again. At some point there will be a complete lockout, but even that can be reset via iTunes.
  So brute-forcing is by no means impossible. But it will take time and, realistically, automation. Hence why law enforcement have to wait once they've issued Apple with a warrant.
  Those who are Android fans should bear in mind that Google will also retrieve data from Android devices if the Police issue them with a warrant.
  The smartphone of choice for those people who need to protect their phone data from the Police is still the Blackberry.
59. Re: Is Apple being compensated? by Cwix · 2013-05-12 03:44 · Score: 4, Informative
  
  https://code.google.com/p/cryptonite/
  this looks like it could help
  
  --
  You are entitled to your own opinions, not your own facts.
60. Re:Is Apple being compensated? by therealkevinkretz · 2013-05-12 03:44 · Score: 1
  
  Blackberry is not the device to go with to keep data from LEO. While the network traffic between device RIM BES is encrypted, data on the device is easily accessed. If you search for forensic products available to law enforcement and others, you'll see that hardware exists that can - in the field - pull emails, SMS, etc from most or all BB models.
61. Re:Is Apple being compensated? by BasilBrush · 2013-05-12 03:54 · Score: 1
  
  OK, thanks for that. So basically no phone is safe, if you're trying to hide it's data from the police.
  And most people would say that's not a bad thing. Though Slashdot posters are more likely to err on the side of the criminal than the law, there being a lot of libertarians here.
62. Re:Is Apple being compensated? by scarboni888 · 2013-05-12 03:57 · Score: 1
  
  Although it was misspelled it was quite easy for me to understand the intended words I wonder what your problem was?
63. Re:Is Apple being compensated? by TheCarp · 2013-05-12 04:01 · Score: 2
  
  My complaint is that Apple is even capable of complying. If I buy a device, its mine, if I encrypt that device, I, and whoever I give the key to, should be the only people able to decrypt it (key weakness and cryptanalsys not withstanding, obviously).
  If this is not the case, then it should be made explictly obvious up front, and not even just buried in the fine print, because this, in reality, is a HUGE difference between expectation and reality.
  But.... I have already exercised my right as a consumer in this area, I have not and willnot buy an ijail.
  
  --
  "I opened my eyes, and everything went dark again"
64. Re:Is Apple being compensated? by L7_ · 2013-05-12 04:04 · Score: 1
  
  You can crack the 4 digit lock screen in like 2-4 minutes.
  Most likely these phones are using long alphanumeric strings.
  Strange how so many people don't know that they can use arbitrary length alphanumeric unlock codes.
65. Re:Is Apple being compensated? by KGIII · 2013-05-12 04:05 · Score: 2
  
  This is the internet. I'm afraid you're shit out of luck. ;)
  (Trying Opera, again. I used it before Firefox. Someone mentioned extensions in another thread so I installed it again. So far it is pretty speedy.)
  Anyhow, I'd be interested in a site where logic rules the day and the topic was technology. I'd like something similar to what I recall Slashdot as having been. I am slightly worried that I am remembering Slashdot of yore through the haze of rose colored glasses though.
  
  --
  "So long and thanks for all the fish."
66. Re:Is Apple being compensated? by AmiMoJo · 2013-05-12 04:08 · Score: 1
  
  In that case it is up to the user to enter a sufficiently long password. A 20 character password with mixed case, digits and symbols can easily hit 128 bits of entropy.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
67. Re:Is Apple being compensated? by therealkevinkretz · 2013-05-12 04:10 · Score: 2
  
  We're not "err[ing] on the side of the criminal". We support the rights of the individual and (most of us) dismiss or at least skeptical of the suggestion that we need to give those up to make it easier for law enforcement.
  Back to which phones are "safe" - I don't want to mention specific sites or products but they're easy to find, along with what data on what phones they're able to access. Some phones seem harder to access than others. Recent iPhones seem strong (unless, as described in the article, Apple assists).
68. Re:Is Apple being compensated? by gnasher719 · 2013-05-12 04:15 · Score: 1
  
  You can crack the 4 digit lock screen in like 2-4 minutes.
  _You_ can't, at least not easily, because _you_ can't access the encrypted contents of the iPhone. The maker of the flash memory probably could. Apple can. It seems that up to the iPhone 4, other companies could be exploiting some vulnerability that was fixed on the iPhone 4S.
  
  Once you can access the encrypted contents, it's all a matter of brute forcing. It's made a bit harder because trying each key takes substantial amount of time, but with ten thousand keys as you said it is no problem. You can use more digits, or a password with keys and laters. About 8 truly random digits and characters should make it unbreakable.
69. Re:Is Apple being compensated? by slick7 · 2013-05-12 04:21 · Score: 1
  
  If they're going to expect Apple to spend time doing their work for them are they are least compensating them for the time and energy necessary for this?
  Sure they're being compensated, by not being placed on "no fly" lists, surveilled by drones/predator drones, felt up by TSA, or dealing with the attitude inspectors at the department of human sacrifice. What did you expect, privately printed non-redeemable fiat currency?
  
  --
  The mind conceives, the body achieves, the spirit manifests.
70. Re:Is Apple being compensated? by gnasher719 · 2013-05-12 04:26 · Score: 1
  
  You're kidding, right? The real issue is that Apple has a backdoor to decrypt its customers' private information. That is outrageous.
  What's really outrageous is that you post stuff here that you totally pulled out of your arse. There is plenty of documentation out there how Apple's full disk encryption works. It is quite obvious that with a four digit passcode, brute forcing should be possible without any backdoor. I could do it in a few hours manually if if you didn't use the "erase after ten attempts" feature. And it should be obvious that Apple would be capable of preventing the erase. I would think that the manufacturer of the flash memory would capable to remove the flash, copy it to another chip, and then disable writing on the new chip and put the new chip back in.
  
  Four digit passcode is just insecure if someone seriously wants to get the data.
71. Re:Is Apple being compensated? by Anomalyst · 2013-05-12 04:27 · Score: 1
  
  silicone within the device.
  hipster geek paradise, an iDevice with DD boobies.
  
  --
  There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
72. Re:Is Apple being compensated? by gnasher719 · 2013-05-12 04:29 · Score: 1
  
  This is absolute proof that they have your encryption key on file somewhere. Others have already verified that they do indeed use AES 128.
  If that is "absolute proof" to you, then you are the worst idiot posting here ever. There's a four digit passcode by default, which is what most people, including most criminals and most crime suspects will be using. There's no need to break AES 128 when all you need is try out 10,000 different passcodes.
73. Re:Is Apple being compensated? by gnasher719 · 2013-05-12 04:31 · Score: 1
  
  You can shift the balance a bit by iterating the calculation which produces a key from the pin code. A million iterations would probably be acceptable from a user experience perspective, but that would only reduce the required number of digits from 39 to 33.
  
  Apple does that; the number of iterations is set so that it takes an iPhone about 100 milliseconds to try out one key, about the maximum that the user won't notice.
74. Re: Is Apple being compensated? by GoogleShill · 2013-05-12 04:34 · Score: 4, Informative
  
  There is no copying of data. The data is /always/ encrypted on the device, it's the encryption key that is password protected.
  It's actually very simple. When the device is initially set up, a symmetric key is generated and all the user data is encrypted using that key. When you set a lock screen password, the encryption key is then encrypted using the password and stored in flash. Unlocking the device with the valid password decrypts the key into RAM so that the user data can be decrypted. Locking the device removes the decrypted key from memory, thus leaving all of the data in flash in a secure state.
  If the device is configured to self-erase after too many failed password attempts, the device simply deletes the encryption key from flash and the device is effectively wiped.
75. Re:Is Apple being compensated? by BasilBrush · 2013-05-12 04:51 · Score: 1
  
  We support the rights of the individual and (most of us) dismiss or at least skeptical of the suggestion that we need to give those up to make it easier for law enforcement.
  There's no such right. Police with a search warrant are allowed to search your possessions, your documents, your computers. There's nothing special about mobile phones that protect them from the general right of search with a warrant.
76. Re:Is Apple being compensated? by Savage-Rabbit · 2013-05-12 05:00 · Score: 3, Interesting
  
  Is it a user's password or is it Apple's? Is there a back door in the algorithm? Is it an inherently weak algorihm, but the police don't know what it is so they can't launch an attack?
  Inquiring minds want to know!
  Apparently you encrypt an iOS device when you enable the pass code option. The default pass code is numerical and is only 4 digits, which is very weak. You can activate a 'pass phrase' option that gives more security but the pass phrase should be at least 12 characters long. An 8 char password can, for example apparently be cracked (brute forced presumably) in under 2 hours. Since the iPhone defaults to a 4 digit numerical code I don't suppose cracking 98% of these devices will be terribly hard. However, as always, it appeals far more to the Apple haters here to jump to the conclusion that iOS devices phone home to Apple and send them your encryption keys and pass phrases in clear-text. I am not so sure about that myself, I know of a criminal case where a FileVault image was sent to Apple for decryption but they returned after a while saying that their people had failed to crack it.
  
  --
  Only to idiots, are orders laws.
  -- Henning von Tresckow
77. Re:Is Apple being compensated? by Joce640k · 2013-05-12 05:08 · Score: 2
  
  Is it a user's password or is it Apple's? Is there a back door in the algorithm? Is it an inherently weak algorihm, but the police don't know what it is so they can't launch an attack?
  Inquiring minds want to know!
  If there's a "seven week delay" they're probably brute-forcing something.
  
  --
  No sig today...
78. Re:Is Apple being compensated? by SuperTechnoNerd · 2013-05-12 05:32 · Score: 1
  
  That will be passed on to the consumer.. Don't worry..
79. Re:Is Apple being compensated? by Time_Ngler · 2013-05-12 05:37 · Score: 1
  
  It's more likely a CYA thing. No one wants to be responsible for trying to hack your iPhone and bricking it, so if they offload it to Apple, they can't be blamed.
80. Re:Is Apple being compensated? by kasperd · 2013-05-12 06:15 · Score: 1
  
  I don't know about the iPhone but Android lets you enter a password for encryption, not just a PIN.
  If you were to go from just digits to alphanumeric characters you could reduce the number needed from 39 to 25 or even only 22, if it was case sensitive. But entering case sensitive passwords on a touch screen is annoying. So it would be much more convenient to enter the 25 characters needed to avoid that requirement. But seriously, typing such a long password is hard to get right every time, even if you are using a keyboard. Those small on screen keyboards do increase the error rate.
  
  On my computer I do use a password with 130 bits of entropy. I made the password a bit longer than strictly needed, such that I could throw in a bit of error correcting code. That way a typo or two in the password doesn't prevent it from being recognized. It does mean I have 32 characters to type though, but typing 32 characters, where a couple of typos are allowed, seems easier than typing 22 where no errors are allowed.
  
  I don't see myself using anything like that on my phone.
  
  --
  
  Do you care about the security of your wireless mouse?
81. Re:Is Apple being compensated? by sribe · 2013-05-12 07:09 · Score: 1
  
  In that case it is up to the user to enter a sufficiently long password. A 20 character password with mixed case, digits and symbols can easily hit 128 bits of entropy.
  Well, that's a problem--you not only have to remember this passcode, you have to enter it into your phone every time you want to use it. This certainly biases cell phone passcodes to be less secure than users' average passwords, which is pretty bad.
  But nonetheless, Apple gives you the ability to do so, and it's up to you to choose the compromise between security and convenience.
82. Re:Is Apple being compensated? by AmiMoJo · 2013-05-12 07:13 · Score: 1
  
  Well, that's a problem--you not only have to remember this passcode, you have to enter it into your phone every time you want to use it.
  Er, no, just when you turn it on. My phone hasn't been rebooted for at least a month.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
83. Re:Is Apple being compensated? by therealkevinkretz · 2013-05-12 07:38 · Score: 2
  
  I think you're just being argumentative for the sake of being argumentative. First, I didn't describe a specific right, only "the rights of the individual". In my country, at least, there are several such recognized rights.
  And if I were being specifc about privacy rights re: smartphones, there are still individual rights. See "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures ...", etc.
84. Re:Is Apple being compensated? by therealkevinkretz · 2013-05-12 07:48 · Score: 1
  
  (sorry) re-reading it, I missed your obvious and clear point that there's no legal right against a warranted search.
85. Re:Is Apple being compensated? by node+3 · 2013-05-12 08:17 · Score: 2
  
  Actually, even in the summary, the relevant part is here:
  "Because the waiting list had grown so long, there would be at least a 7-week delay, Maynard says he was told by Joann Chang, a legal specialist in Apple's litigation group. It's unclear how long the process took, but it appears to have been at least four months."
  It says that the waiting list is 7 weeks, and the process takes four months. However, even so, the entire article is quite vague. The only thing that's not is that there's no way there's as back door in Apple's encryption. At the very least, you'll need more than vague claims to support such a case.
86. Re:Is Apple being compensated? by node+3 · 2013-05-12 08:21 · Score: 1
  
  No, the backlog is 4 months.
  "Because the waiting list had grown so long, there would be at least a 7-week delay, Maynard says he was told by Joann Chang, a legal specialist in Apple's litigation group. It's unclear how long the process took, but it appears to have been at least four months."
  The backlog is 7 weeks, the process takes at least four months. The article is poorly worded.
  
  This is absolute proof that they have your encryption key on file somewhere. Others have already verified that they do indeed use AES 128.
  Absolutely not. Although I'lll grant that even a whisper of a hint is "absolute proof" of bad things around here, so long as it involves Apple.
  This sounds to me more like they are hacking the encrypted key, not merely bypassing the encryption with a back door.
87. Re:Is Apple being compensated? by node+3 · 2013-05-12 08:23 · Score: 1
  
  Dudes, Apple holds your encryption key in escrow to allow device restores. That's even disclosed in their freaking policy.
  Doubtful, but if you'd be so kind as to link to that portion of their freaking policy? Surely if you know it's there, it can't be that difficult.
  Otherwise, this is simply yet another baseless claim, like all the rest.
88. Re:Is Apple being compensated? by node+3 · 2013-05-12 08:27 · Score: 1
  
  It isn't a question of if Apple can unlock the phone due to the user choosing a poor password.
  
  No, it's a question of people such as yourself jumping to unsupported conclusions, merely because they hate Apple.
  
  They can always unlock it.
  
  Citation needed.
  
  Someone else can confirm if they were just stupid and only allowed you to enter a PIN number instead of a real password, or if they have a copy of the key.
  Earlier you claimed this was "absolute proof", and that's the problem. There are far too many simpler explanations than that Apple has put in a back door.
  If it is a back door, this needs to be proclaimed broadly and loudly. But before that happens, you need to quite being so credulous, simply for it supporting your lame fanboy bullshit.
89. Re: Is Apple being compensated? by Eunuchswear · 2013-05-12 08:32 · Score: 1
  
  Problem is that after Microsoft bought Skype there is NO VoIP application which is fully anonymous
  Are you so insane that you think Skype was "fully anonymous" before Microsoft bought them?
  Are you so stupid that you can't work out how to do an anonymised encrypted SIP?
  Are you so paranoid that you think you need such a thing?
  Oh, you're a Russian. Maybe the answer is "yes". (The question is left to the prejudice of the reader).
  
  --
  Watch this Heartland Institute video
90. Re:Is Apple being compensated? by Cyberax · 2013-05-12 08:32 · Score: 1
  
  Right here: http://images.apple.com/iphone/business/docs/iOS_Security_Oct12.pdf - grep for the 'keybag' section.
91. Re:Is Apple being compensated? by node+3 · 2013-05-12 08:40 · Score: 1
  
  The user only enters a short passcode
  Can you absolutely confirm that you must enter a short passcode, rather than an arbitrary length password? Android allows the latter. If iOS only allows short numerical codes then... well, it's shit.
  As usual, jumping to the most anti-Apple conclusion. Since we are comparing iOS to Android, Android doesn't even encrypt your OS by default, iOS does. Were I a fanboy like yourself, I'd claim that makes Android shit. I'd never do that, though. Android supports encryption, which is good, and I personally believe it should be enabled by default, but what the hell, right, not everything has to operate exactly the way I determine.
  And the article even points out that Google goes much further than Apple in helping law enforcement. They simply reset the password and give the government the new password!
  The sad thing here is that every single conclusion you've jumped to without sufficient evidence has been both the least favorable towards Apple, and wrong. Well, "here", that's probably not sad, in fact it'll gain you plenty of mod points. Though *that's* sad, so it all works out in the end.
92. Re:Is Apple being compensated? by Eunuchswear · 2013-05-12 08:42 · Score: 1
  
  the PDF linked to specifically states that the encryption is dependent on the silicone within the device.
  
  Wow. I hope it's not PIP
  (Sorry, recovering chemist. This "error" realy grates).
  
  --
  Watch this Heartland Institute video
93. Re: Is Apple being compensated? by secolactico · 2013-05-12 10:02 · Score: 1
  
  What's stopping them from dumping the phone memory, run it into an emulator and try it there, ignoring the calls to erase data or the minute delay imposed after six attempts.
  Or perhaps bypassing the entire passcode, which maybe it's only that and not an encryption key at all.
  
  --
  No sig
94. Re:Is Apple being compensated? by fluffy99 · 2013-05-12 11:05 · Score: 1
  
  Once you can access the encrypted contents, it's all a matter of brute forcing. It's made a bit harder because trying each key takes substantial amount of time, but with ten thousand keys as you said it is no problem. You can use more digits, or a password with keys and laters. About 8 truly random digits and characters should make it unbreakable.
  Once you have read the encrypted memory directly, the brute forcing takes place outside of the device so you're not speed limited by pressing keys or waiting for the timeouts.
95. Re: Is Apple being compensated? by fluffy99 · 2013-05-12 11:14 · Score: 2
  
  There is no copying of data. The data is /always/ encrypted on the device, it's the encryption key that is password protected.
  It's actually very simple. When the device is initially set up, a symmetric key is generated and all the user data is encrypted using that key. When you set a lock screen password, the encryption key is then encrypted using the password and stored in flash. Unlocking the device with the valid password decrypts the key into RAM so that the user data can be decrypted. Locking the device removes the decrypted key from memory, thus leaving all of the data in flash in a secure state.
  If the device is configured to self-erase after too many failed password attempts, the device simply deletes the encryption key from flash and the device is effectively wiped.
  Ding, ding, ding, ding! We finally have a poster who understands how this works! This is how almost all disk-encryption works. This is also how MS disk and file encryption works. This method also allows you to have multiple keys to the same file or disk partition, as the real key encryption simply gets encrypted using each individual key and stored with the file. I'm willing to bet IOS saves another copy of the encryption key that's encrypted with their pubic key, and they have the ability to unencrypted it using their private key.
  Also note that the algorithm used to unlock the encryption key, may not be the same algorithm as used to encrypt the data. There have been examples of software and usb drives claiming AES encryption, but it turned out that only applied to the stored key and the actually encryption was very easy to break (in some instances it was literally XORing with the stored key).
96. Re:Is Apple being compensated? by gd2shoe · 2013-05-12 12:10 · Score: 1
  
  He was told they'd get around to it no sooner than 7 weeks (roughly 2 months). They got it back to him in 4 months (or maybe 6, depending on how the math was done). It sounds like they misjudged the duration of the backlog.
  He was given a time estimate, as a lower bound, and it took twice (or 3x) as long. That's not at all unusual for business. There is no indication of how long the actual unlocking took. From what little we know, it could easily have been minutes.
  (You are right that the summary doesn't make as strong an implication as I thought it did.)
  
  --
  I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
97. Re:Is Apple being compensated? by mjwx · 2013-05-12 12:46 · Score: 2
  
  Those who are Android fans should bear in mind that Google will also retrieve data from Android devices if the Police issue them with a warrant.
  The beauty of Android is that it is very, very easy to make this very, very hard for Google (or anyone trying really).
  
  But the best defence against the Police is a Nokia 6110. As long as you dont use SMS they store practically nothing.
  
  The only real security for mobile devices is to store nothing sensitive (or incriminating) on them.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
98. Re:Is Apple being compensated? by mjwx · 2013-05-12 12:57 · Score: 3, Insightful
  
  You can crack the 4 digit lock screen in like 2-4 minutes.
  Once you can access the encrypted contents, it's all a matter of brute forcing. It's made a bit harder because trying each key takes substantial amount of time, but with ten thousand keys as you said it is no problem. You can use more digits, or a password with keys and laters. About 8 truly random digits and characters should make it unbreakable.
  You're commenting on forensics without knowing how to do forensics with a computer or electronic device. Please stahp.
  
  The limitations of the device or OS are pointless. You wont key in 10,000 passcodes because you never do forensics on the devices themselves (in case of booby traps and to maintain data integrity and prevent the suspicion that the forensic examiner tampered with the data) you always do forensics on an image of the device's OS. This is easy to get off Android using FastBoot, I'm certain Iphones will have something similar. Then you simply run up the image with an emulator and crack away to your hearts content. If you're really in a hurry, you set up multiple emulators and crack them in parallel.
  
  So I have no doubt that a 4 digit passcode can be broken very quickly (2-4 minutes is not an unfair estimate if they've used a common 4 digit passcode like 1234 or 9876 and you'd be surprised how many people do this, but I think it would be about 1-2 hours).
  
  An 8 digit random passcode is far, oh so very far from being unbreakable it's not funny.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
99. Re: Is Apple being compensated? by mjwx · 2013-05-12 13:01 · Score: 1
  
  Google takes a more privacy-protective approach: it "resets the password and further provides the reset password to law enforcement," the materials say, which has the side effect of notifying the user that his or her cell phone has been compromised.
  Oh, good for google! Wait, why doesn't Apple just reset the password and provide the new password to law enforcement. Oh, yeah, right, better security--they can't just reset the password. And boy, how much better it is for the suspect's privacy that google notifies him. Let's see, he's been arrested, his phone seized, a warrant obtained to examine its contents--I'm sure he'd be so much more relieved if he were to get email from Apple when his pass code is cracked, because by god that is so important to his privacy!
  You do know that in order for Google to do this, they have to have physical access to the device.
  
  And yes, it is a lot better as you know that the device has been compromised. Although if you're dumb enough to keep incriminating data on your phone, then you've got bigger problems.
  
  Where this matters is when you're innocent. You know what was done and how to correct it. It adds transparency into a system that requires transparency to operate in a fair manner.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
100. Re:Is Apple being compensated? by Sabriel · 2013-05-12 13:35 · Score: 2
  
  There is such a right. The specific right to search with a warrant is an exception to, not a removal of, the general right to privacy. You have a general right to secure what is yours (e.g. your phone). The police have, with a duly processed warrant, a specific right to pierce that security in a specific manner. They cannot legally, for example, hit you with a five dollar wrench until you confess the password.
  At least in this country. Other posters may not be so lucky.
101. Re: Is Apple being compensated? by Fjandr · 2013-05-12 19:33 · Score: 1
  
  I'm pretty sure you replied to the wrong message. I don't see your username in any of the messages in this particular thread, and there is no mention of VOIP in this thread.
102. Re:Is Apple being compensated? by kasperd · 2013-05-12 23:23 · Score: 1
  
  Since the default passcode is only 4 digits I would expect about 99% of users to be brute forcible in a few seconds to someone with the capability to image the device and identify the key storage block.
  Sounds plausible. Someone in this thread said the number of iterations in the computation needed to get the key was chosen such that it takes 100ms for the phone. If we guess it can be done 10 times faster on a computer, it takes about a couple of minutes to try all 4 digit combinations. That is fast enough, that you wouldn't even bother with submitting it to a computing cluster.
  
  A 4 digit pin is not completely worthless in scenarios, where limiting the number of attempts is possible. But once the pin can be attacked off-line, you need a lot more digits to justify the time spent implementing the encryption in the first place.
  
  --
  
  Do you care about the security of your wireless mouse?
103. Re:Is Apple being compensated? by __aaltlg1547 · 2013-05-13 00:48 · Score: 1
  
  That seems likely, and cracking the encryption in 7 weeks with the massive resources Apple has would mean the encryption is secure enough for most users' data. On the other hand, maybe they crack it in five minutes but they only assign one guy to do it part time because they know if the eliminated the backlog they would be flooded with too many decrypt requests.
104. Re:Is Apple being compensated? by BasilBrush · 2013-05-13 00:54 · Score: 1
  
  There is such a right. The specific right to search with a warrant is an exception to, not a removal of, the general right to privacy. You have a general right to secure what is yours (e.g. your phone). The police have, with a duly processed warrant, a specific right to pierce that security in a specific manner.
  You're saying exactly the same thing I did in different words. When I said there was no such right, I clearly spelled out that the non-existant right was the right to privacy of possessions and information stored on those possessions when the police have a warrant.
105. Re:Is Apple being compensated? by __aaltlg1547 · 2013-05-13 01:06 · Score: 1
  
  There's also this: If the protection can be cracked by the manufacturer, it can be cracked by criminals using the same methods.
  Everything they might do has an upside and a downside. If it's convenient, it can't be secure. If it's inconvenient and highly secure, you stand a chance of permanently losing your data and the government can't get it no matter how good their reasons are.
  If the manufacturer holds back-door passwords, you have zero protection from a police state. If they don't but rely on brute force to crack it, criminals can do the same.
  I would propose that the best method is to use multi-layer encryption. The manufacturer would hold keys to only one layer. Without decrypting that layer, you'd take say, 100 years to crack it. With that layer out of the way, it only takes a couple weeks on dedicated hardware.
106. Re:Is Apple being compensated? by dhermann · 2013-05-13 02:48 · Score: 1
  
  but I generally don't worry about an attacker with sorts of resources; they would probably just beat my PIN out of me...
  Oh man, you should never read Doctorow's Little Brother. Well, you should, because it's great, but it will freak you the F out.
107. Re:Is Apple being compensated? by DiEx-15 · 2013-05-13 04:50 · Score: 1
  
  Your kidding right? Of course Apple gets compensated...
  
  Whether or not their employees see that compensation is the real matter.
108. Re:Is Apple being compensated? by node+3 · 2013-05-13 06:31 · Score: 1
  
  Thanks for the link, and no, that's not Apple keeping a cleartext copy of your device encryption key. Could you clarify which sentence or paragraph has phrasing which makes you say otherwise?
  And back to your original post, device restores wouldn't require the encryption key anyway. iCloud backups don't simply copy the encrypted filesystem (which would need the key, however even then, the key would itself by encrypted with the user password or some other token, same as on the device). Additionally, this would be entirely optional, which while you never said it wasn't, would significantly weaken any purported issue such a policy would cause.
  In short: Apple doesn't hold a direct copy of your device encryption key.
109. Re:Is Apple being compensated? by Sabriel · 2013-05-13 14:47 · Score: 1
  
  Never underestimate the ability of people to read something other than what you wrote. :)
  You also said, "[...] the general right of search with a warrant." (emphasis mine). Warrants (in the US) grant a specific right, not a general one. And you do still retain (at least some of) your general right to privacy even then; for example, the police can't simply hand a copy of the contents of your phone to the local press or upload your collection of daffodil videos to their youtube channel.
  Furthermore, there's nothing special about mobile phones that says you can't encrypt them, or buy one with better encryption than others, just because a police officer might one day obtain a warrant to search it (or if you're in a part of the world where you cannot trust your local police, exactly because).
  You may think I'm being picky; I think we need to be very clear on what the police - since they are granted extra-ordinary legal powers - are allowed to do. The police I've personally met and known may be good citizens but, as even a brief websearch will demonstrate, the aphorism "power corrupts" does not have an "except police officers" clause.
110. Re:Is Apple being compensated? by Plumpaquatsch · 2013-05-13 19:42 · Score: 1
  
  The summary implies that it did only take a couple of minutes... after months of sitting on a shelf while Apple dealt with the backlog of other phones needing to be unlocked by law enforcement.
  The summary may imply that, but the article doesn't. Now what does that tell you?
  
  --
  Of course news about a fake are Fake News.
111. Re:Is Apple being compensated? by gd2shoe · 2013-05-13 20:29 · Score: 1
  
  ???
  Are you talking about the summary that quotes the relevant bits of the article?
  You're two days behind what node_3 responded with. At least he had a valid point. How did you miss his post?
  
  --
  I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
112. Re:Is Apple being compensated? by Plumpaquatsch · 2013-05-13 21:32 · Score: 1
  
  ???
  Are you talking about the summary that quotes the relevant bits of the article?
  You're two days behind what node_3 responded with. At least he had a valid point. How did you miss his post?
  So you admit that even the summary doesn't imply that it takes only minutes, but it's just in your mind. Thanks for clearing that up.
  
  --
  Of course news about a fake are Fake News.
113. Re:Is Apple being compensated? by BasilBrush · 2013-05-14 02:15 · Score: 1
  
  You may think I'm being picky
  Not picky so much as saying a couple of true facts that were not in the scope of what I said.
  No, police don't have the right to upload what they find in a search to YouTube. And you don't have to pick encryption to make it easy for future police searches.
  Another thing that is outside the scope of what I said originally is the question of whether you have a duty to reveal your password if the police have a warrant. And that is still an open question, with cases still going either way and being appealed.
  And I very much agree with the fact that some police are OK and some are evil and some are corrupt. And there's every shade in between.
114. Re:Is Apple being compensated? by kasperd · 2013-05-14 04:19 · Score: 1
  
  Earlier you claimed this was "absolute proof", and that's the problem.
  Yep. A proof would require a demonstration, that they actually extracted data from a phone, which was protected by a password with more entropy than can be brute forced. Moreover, it would not be sufficient that somebody said, they did it. There need to be multiple credible sources indicating, Apple has decrypted phones protected by strong passwords. Without that, it couldn't be considered proof.
  
  --
  
  Do you care about the security of your wireless mouse?
Re:iPhones Encrypted by Anonymous Coward · 2013-05-11 15:22 · Score: 3, Informative

Since the 4. The flash is encrypted with a device key. Remote wipe simply cycles the key.
Previously parts were encrypted, but not all.
hrm by Aryden · 2013-05-11 15:24 · Score: 1

I wonder if they just overwrite the password hash....
1. Re:hrm by kestasjk · 2013-05-12 03:22 · Score: 1
  
  They probably just descramble the firewall....
  
  --
  // MD_Update(&m,buf,j);
I must be missing something. by jtownatpunk.net · 2013-05-11 15:25 · Score: 4, Informative

The summary talks about decrypting the data on the phones. The articles talk about getting past the lock screen on the phones. Those are two entirely different things. On my phone, I have to first enter the decryption code before I'm presented with the lock screen.
1. Re:I must be missing something. by Anonymous Coward · 2013-05-11 15:35 · Score: 1
  
  All iPhone flash storage since the 3GS is fully encrypted. The keys are stored in NVRAM on the baseband, so fairly simple to retrieve.
  If you set a passcode though the keys are then 'encrypted' using your passcode. That's why on a passcode-protected device you can't sync to iTunes or deploy from Xcode without unlocking it once.
2. Re: I must be missing something. by LostMyBeaver · 2013-05-11 20:52 · Score: 1
  
  Pretty convince you've hit the nail on the head. This isn't an issue of cracking encryption but simply gaining initial access to the phone via pin
No I think they are just confused by Sycraft-fu · 2013-05-11 15:30 · Score: 4, Informative

Most phones aren't encrypted and usually the company can bypass it. For example with Android phones tied to a Gmail account, Google can bypass the lock screen. So if you forget your password, that is a recovery mechanism. Also data can be accessed if you physically removed the flash chip from the phone and put it in another reader. Lock screens are protection against most kinds of attacks, not high level security. Most people don't need high level security though, so it works well.
You can also encrypt your phone. Well I presume you can encrypt iPhones, having not owned one I don't know. You can encrypt Blackberries and Androids. There you set a key and it does basically a full-disk encryption type of thing. You have to enter the key to access the device at all (whereas lock screen lockouts will allow some stuff to happen) and there is no recovery. If you forget the password, you're boned, flash the device and start over. Few people do that because it is not pushed and is inconvenient.
It is also more security that is generally useful. Most people are worried about someone running up a phone bill, or getting at your account information or something if they steal a phone. A lock screen stops that. Device encryption is needed only against more serious threats, hence most don't use it.
1. Re:No I think they are just confused by Trax3001BBS · 2013-05-11 16:52 · Score: 1
  
  Most phones aren't encrypted and usually the company can bypass it. For example with Android phones tied to a Gmail account, Google can bypass the lock screen. So if you forget your password, that is a recovery mechanism.
  Who you replied to is correct the article is of the pass code
  FTA : Quote "the Apple legal specialist, told him that "once the Apple analyst bypasses the passcode,
  the data will be downloaded onto a USB external drive" /Quote
  I have a Google tablet (Motorola_XOOM_MZ604) the only way to bypass the password is to reset the unit.
  Now one may do this then run forensics on the SSD, but that to is a lot of work (money).
  The Google Tablet is the only password I've bypassed (by resettng) for a friend
  I would hope the rest are the same or it's not a password. As for back doors
  that's why rooted devices are the best, install a different ROM for better features as well as security.
  Yet I've never trusted a super user program that wants money for full features and most ROMs do come with one.
2. Re:No I think they are just confused by Trax3001BBS · 2013-05-11 17:01 · Score: 1
  
  Is there any encryption that makes good a 4 digit key?
  I've seen a phone "hacked". Person was in the hospital and concern for some reason that their phone
  was password protected; his brother opened it with 2480 - quite proud of themselves as well :}
  2480 the universal password :} A pattern pass with 10 attempts is a good scheme, if you don't start at the top left.
3. Re:No I think they are just confused by Anonymous Coward · 2013-05-11 17:20 · Score: 1
  
  Longer lockscreen passcodes can be enabled with enterprise profiles for the really paranoid/security conscious.
  You don't need an enterprise profile. It's under Settings / General / Passcode Lock. Set Simple Passcode to Off, and you can enter an arbitrary passcode.
4. Re:No I think they are just confused by hankwang · 2013-05-11 19:10 · Score: 1
  
  "2480 the universal password :} "
  Only after 2580.
  
  --
  Avantslash: low-bandwidth mobile slashdot.
War on Drugs by pitchpipe · 2013-05-11 15:58 · Score: 5, Funny

Court documents show that federal agents were so stymied by the encrypted iPhone 4S of a Kentucky man accused of distributing crack cocaine that they turned to Apple for decryption help last year... Because the waiting list had grown so long, there would be at least a 7-week delay...
As soon as they are able to get these phones decrypted, this war on drugs will be won!

--
Look where all this talking got us, baby.
PhoneView by TeamSPAM · 2013-05-11 16:00 · Score: 1

Maybe I should buy a copy of PhoneView (http://www.ecamm.com/mac/phoneview/) and setup my own computer forensics firm.

--
Brought to you by Team SPAM! where we believe: "Information in the noise!"
1. Re:PhoneView by cgimusic · 2013-05-12 02:42 · Score: 1
  
  How exactly would that help? Any idiot can access data on a phone without a passcode. If by forensics you mean accessing unencrypted data on a different device to the one it is stored on then I do it every day just by plugging in my USB drive. "if you use the iPhone’s passcode lock feature, you’ll need to disable it before you can make any changes using PhoneView; it isn’t sufficient to just unlock the screen." http://www.macworld.com/article/1133796/phonedrive.html
How does Apple Decrypt it? by Frankie70 · 2013-05-11 16:01 · Score: 5, Interesting

Unless the iPhone has a backdoor - the effort required for either Apple or others should be the same. Does this mean that the iPhone has a backdoor?
1. Re:How does Apple Decrypt it? by csumpi · 2013-05-11 16:33 · Score: 1
  
  It does. And I just used it.
2. Re:How does Apple Decrypt it? by Nerdfest · 2013-05-11 16:54 · Score: 2
  
  Just? If Apple can decrypt your phone, they're not doing encryption right.
3. Re:How does Apple Decrypt it? by steelfood · 2013-05-11 16:56 · Score: 1
  
  Even if they had one, it seems it's not one that is so simple as to make unauthorized decryption effortless. I would rather think that they purposely included some design flaws into their scheme, and are using those known flaws as an exploit to (much) more easily get to the key.
  
  --
  "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
4. Re:How does Apple Decrypt it? by Anonymous Coward · 2013-05-11 17:24 · Score: 1
  
  Unless the iPhone has a backdoor - the effort required for either Apple or others should be the same. Does this mean that the iPhone has a backdoor?
  Have /. fallen so far already?
  How difficult it is for Apple to have some mechanism to brute force their own passcode or password API? The summary already mentioned it is for unlocking seized iPhones, so those are presumably not remote-wiped, but merely locked. The only "special" capability Apple needed is to try the combinations without triggering the auto-wipe.
  How many people use a simple 4-digit passcode vs password? It only takes 10000 tries to brute force the 4 digit passcode. And probably longer for password (how long a password would people use, for a device that you have to unlock many times a day and with usually with your thumb?)
  No "backdoor" required, just physical control over the phone. But /.ers should have already known that once you have physical control over a machine, all bets are off.
  The real question is, why isn't Google being flooded by the same demands from police? Are Android phones less secure and thus the police don't need Google? Or there are much fewer Android phones seized? Or do Google have a real backdoor thus it took so little effort to crack, so they are not deluged? Or are HTC/Samsung doing these cracking instead?
5. Re:How does Apple Decrypt it? by node+3 · 2013-05-11 17:44 · Score: 1
  
  Don't worry, this is not what is happening.
6. Re:How does Apple Decrypt it? by Yvanhoe · 2013-05-11 17:45 · Score: 2
  
  What is their incentive for doing it right anyway? Since when do people check the result of security audits on the smartphone they want to buy?
  
  --
  The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
7. Re:How does Apple Decrypt it? by Frankie70 · 2013-05-11 17:53 · Score: 1
  
  How difficult it is for Apple to have some mechanism to brute force their own passcode or password API? The summary already mentioned it is for unlocking seized iPhones, so those are presumably not remote-wiped, but merely locked.
  How many people use a simple 4-digit passcode vs password? It only takes 10000 tries to brute force the 4 digit passcode. And probably longer for password (how long a password would people use, for a device that you have to unlock many times a day and with usually with your thumb?)
  Yes, that's why I asked - why is law enforcement not able to brute force it without Apple's help?
8. Re:How does Apple Decrypt it? by AK+Marc · 2013-05-11 20:09 · Score: 1
  
  Because Apple uses the chain of trust to break in.
  
  --
  Learn to love Alaska
9. Re:How does Apple Decrypt it? by mlw4428 · 2013-05-11 20:13 · Score: 2
  
  So a company purposely makes shitty security so that they can break their own security whenever they want and people are OK with this? Sounds like an even better reason to stick/switch to Android. At least an open-source product has a better chance at security over some proprietary bullshit.
10. Re:How does Apple Decrypt it? by nospam007 · 2013-05-11 21:50 · Score: 1
  
  "Unless the iPhone has a backdoor - the effort required for either Apple or others should be the same. Does this mean that the iPhone has a backdoor?"
  No, Apple removes the maximum number of tries for the password with an 'update' and runs a brute force from 0000 to 9999.
  If you use a real long password, they're fucked.
11. Re:How does Apple Decrypt it? by disambiguated · 2013-05-12 00:37 · Score: 1
  
  Apple isn't Alice, the owner of the phone is.
12. Re:How does Apple Decrypt it? by Frankie70 · 2013-05-12 00:40 · Score: 1
  
  A backdoor by any other name.
13. Re:How does Apple Decrypt it? by poofmeisterp · 2013-05-12 00:41 · Score: 1
  
  Just? If Apple can decrypt your phone, they're not doing encryption right.
  Amen to that. I can't wait for Anonymous to get their hands on Apple's Master Key.
  Humorous side note; if the stealing of the master key didn't apply legally, I can next see little strip mall and hole-in-the-wall joints popping up everywhere with ads to "Spy on your lover's life" or "Get what is rightfully yours". Heh.
14. Re:How does Apple Decrypt it? by DJRumpy · 2013-05-12 00:57 · Score: 1
  
  Sad that your post isn't being modded insightful.
15. Re:How does Apple Decrypt it? by Reschekle · 2013-05-12 02:34 · Score: 1
  
  Android phones are unencrypted by default. This is definitely an area that iOS is far superior in. Recent versions of Android include encryption but it has to be enabled as a separate option. It will also only encrypt your internal storage, though vendor-forks of Android such as Samsung will do both internal and external (not an issue if you don't use SD cards). Additionally, the encryption is one-way and irreversible (though, again, this is something Samsung has improved in their fork).
  Perhaps the most annoying thing about Samsung's encryption is that they force you to choose a very secure password, which is reasonable for powering on the phone, but they also force this password to be your phone's screen unlock code as well, which is extremely annoying especially if you're working with an enterprise device that has a security profile that forces the phone to lock after a few minutes.
  The reasonable thing here would be to have an screen unlock PIN consisting of 4-10 digits that wipes the phone after a few incorrect tries and a much stronger phone decryption code that has to be entered when the phone is powered on. This can actually be accomplished by rooting the phone and hacking some scripts but it puts you in the position of putting an unsupported modification onto your phone just to make it usable. None of this is a problem if you're a hacker, of course.
  Because of the fragmented nature of Android, Google is not in a position to provide LE assistance for every device and carrier fork of Android.
16. Re:How does Apple Decrypt it? by gnasher719 · 2013-05-12 05:18 · Score: 1
  
  No, Apple removes the maximum number of tries for the password with an 'update' and runs a brute force from 0000 to 9999.
  Most be the world's most boring job. Having an iPhone and typing in all codes from 0000 to 9999. And when you're done and found the code, there are a few hundred more iPhones to keep you busy for the next four months (that's where the four month backlog comes from).
17. Re:How does Apple Decrypt it? by AK+Marc · 2013-05-12 06:43 · Score: 2
  
  It's not a backdoor, it's a side door with bright neon lights and a sign that says "enter here". Backdoor indicates it's in some way hidden. Apple holding and being able to reset keys was an advertised feature. I fail to see how using an advertised feature fits the common definition of "back door".
  
  That's like saying that Linux has a massive backdoor in that you can put your own malicious code in, compile it, then distribute the compiled code as original. Would you consider that a backdoor?
  
  --
  Learn to love Alaska
How ? by Taco+Cowboy · 2013-05-11 16:20 · Score: 3, Interesting

i see this story as being a GOOD thing, generally speaking. the feds are stumped by my iphone. now the only people we need to cockblock are in cupertino
The question is, how ?
The Apple platform is a closed platform, and they closely guard against any attempt to change their products (even after we have purchased them with our own money)
Until now, there is no way to safeguard our secret stored in i-Device from the prying eyes of Apple Inc

--
Muchas Gracias, Señor Edward Snowden !
1. Re:How ? by BrokenHalo · 2013-05-11 21:18 · Score: 5, Insightful
  
  Until now, there is no way to safeguard our secret stored in i-Device from the prying eyes of Apple Inc
  If you want something kept secret, you're a fool if you put it on your phone.
2. Re:How ? by erroneus · 2013-05-12 00:34 · Score: 3, Interesting
  
  Jailbreak, inject a new encryption key?
3. Re:How ? by kthreadd · 2013-05-12 03:21 · Score: 3, Insightful
  
  Not at all if the computer (I don't know why so many call modern hand-held computers phones since they are not very phone-like) is using strong and trustworthy encryption which you control. I don't know the details in this case (Slashdot is seldom trustworthy), but if anyone except you can decrypt it using something other than brute force then the encryption is certainly not trustworthy. If that's the case then putting secrets on this computer that you call phone is absolutely a terrible idea, but I see very little problem with it if it's actually good encryption.
4. Re:How ? by bar-agent · 2013-05-13 11:50 · Score: 1
  
  Jailbreak, inject a new encryption key?
  If I remember correctly, the fundamental encryption key is burned into ROM. Can't inject a new one.
  
  --
  i'd hit it so hard, if you pulled me out you'd be the king of britain [bash.org]
5. Re:How ? by Gallomimia · 2013-05-14 04:04 · Score: 1
  
  By not using an Apple product, that's how.
  Good question, now I'll take one from the back. Yes?
  
  --
  Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
Brute-forcing the lock code by Verteiron · 2013-05-11 17:21 · Score: 5, Informative

Brute-forcing an iPhone's lock code is relatively trivial with freely available tools. This puts the device in DFU mode, so "Erase device on X unlock attempts" doesn't take effect. That version of the tools only bruteforces lockcodes, but there's no theoretical reason you couldn't try at least a dictionary attack on a password, too. Since it's also possible to dump the hardware key and a complete (encrypted) image, I imagine an offline attack on the image is possible, too. You wouldn't have to rely on the relatively slow hardware in the iPhone.
Using those tools I have successfully bruteforced the 4-digit lockcode to an iDevice running 6.0.2, and that's with no prior experience with or knowledge of iOS. I even used an emulated Mac to compile the necessary firmware patch. And that's just what I was able to do in with a few hours of fiddling. There are people who do this for a living, and tools dedicated specifically to extracting data from mobile devices. Are these PDs really saying they can't get into devices with simple lock codes?

--
End of lesson. You may press the button.
1. Re:Brute-forcing the lock code by node+3 · 2013-05-11 17:45 · Score: 1
  
  You mean to say you were able to run through the ten thousand numbers between 0000 and 9999? You must be a super-hacker!
2. Re:Brute-forcing the lock code by AK+Marc · 2013-05-11 20:18 · Score: 1
  
  Good to know. I occasionally used 8068, as my phone number is 473-8068. No, please don't call. But now that's it's posted, I can't use it anymore.
  
  --
  Learn to love Alaska
3. Re:Brute-forcing the lock code by Verteiron · 2013-05-12 06:11 · Score: 1
  
  Who mentioned Google? I'm assuming Android device lockcodes are just as easily bruteforced, probably moreso; I've just never had occasion to need to get into one before.
  
  --
  End of lesson. You may press the button.
4. Re:Brute-forcing the lock code by Verteiron · 2013-05-12 06:13 · Score: 1
  
  That was the point. It's not hard. I'm a general IT guy and I was able to do it easily. These PDs are saying they need Apple's help bypassing lock codes. Not just passwords, but lock codes like the one I bruteforced with free tools in a few hours. That they claim to need Apple's help for that is ridiculous.
  
  --
  End of lesson. You may press the button.
5. Re:Brute-forcing the lock code by AK+Marc · 2013-05-12 09:33 · Score: 1
  
  No, it's not. Shageluk, AK owns that number, I lived in Anchorage. I'm not in Alaska now, and you'll never guess my area code. anyone calling based on your incorrect information will get nobody, or someone who is completely unrelated to me in any way.
  
  --
  Learn to love Alaska
Re: iPhones Encrypted by node+3 · 2013-05-11 17:42 · Score: 1

Are you sure the keys are burned in during manufacturing? When you remote wipe an iPhone, it wipes the key and the contents become inaccessible. If the key itself is hard coded in hardware, that's not exactly possible to do directly.
Re: iPhones Encrypted by Rosyna · 2013-05-11 17:49 · Score: 1

Are you sure the keys are burned in during manufacturing? When you remote wipe an iPhone, it wipes the key and the contents become inaccessible. If the key itself is hard coded in hardware, that's not exactly possible to do directly.
And if they were hardware keys, Apple could extract those. They can't. See Apple's iOS Security Guide page 15 for reference.
Yes by Frankie70 · 2013-05-11 17:51 · Score: 1

Likely just a master encryption key.
Yes - that's a backdoor.
Mod parent up by immaterial · 2013-05-11 18:14 · Score: 2

Wish I had my mod points today...
DMCA by RenHoek · 2013-05-11 21:55 · Score: 1

This is good right? I mean with the DMCA even trivial protections are illegal to circumvent, so you remove the people who would be capable and interested in reverse engineering from the market. Then don't be surprised then when nobody can decrypt smart phones.
Probably a hardware backdoor by Anonymous Coward · 2013-05-12 00:01 · Score: 1

like pins for a jtag port somewhere on the phone. That means
disassemble, solder something on, and flip some bits in flash. If
they have a limited number of jtag pods, solder stations, and people
capable and cleared to do the job I can understand the backlog.
Security through popularity! (But for how long?) by kenh · 2013-05-12 02:59 · Score: 1

If Apple is deluged with requests for what is, most likely, a free service they offer is there any doubt they won't.make it easier for law enforcement/Apple by either offering CSI labs 'DIY' kits OR training an AppleGenius at each store to do it on-demand?

--
Ken
Maybe it SHOULD be at Apple's expense by Sloppy · 2013-05-12 04:32 · Score: 1

If you design the product correctly, then it only takes a few seconds to tell law enforcement, "We lack the ability. Even the NSA lacks the ability. Give us a hundred billion dollars and we might be able to do one phone every hundred billion years." The fact that there's a backlog, shows that Apple screwed up big time, to the point of shocking negligence. Having them bear the expensive of the mistake might be the best incentive for them to fix the next version of the iPhone.
Not that that would really be fair -- it's not Law Enforcement's place to be providing incentive for Apple to do crypto competently. OTOH, if there were laws mandating people use best practices for mainstream consumer PCs... *laugh* Sorry, it's just one of those crazy ideas people sometimes get.

--
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
1. Re:Maybe it SHOULD be at Apple's expense by gnasher719 · 2013-05-12 05:14 · Score: 1
  
  If you design the product correctly, then it only takes a few seconds to tell law enforcement, "We lack the ability. Even the NSA lacks the ability. Give us a hundred billion dollars and we might be able to do one phone every hundred billion years." The fact that there's a backlog, shows that Apple screwed up big time, to the point of shocking negligence. Having them bear the expensive of the mistake might be the best incentive for them to fix the next version of the iPhone.
  What method would you suggest that makes encryption protected by a four digit passcode virtually unbreakable?
2. Re:Maybe it SHOULD be at Apple's expense by Sloppy · 2013-05-12 06:30 · Score: 1
  
  First of all, remove the four digit constraint; that's ludicrous. Change prompt to "passphrase" and use whatever they enter, no matter how long. If some users desire to stick to only using numeric characters, and only want to enter up to four of them, that's their business. It shouldn't be required or forced upon the user, though. There's just no reason for that, and nobody who has thought about it for more than a few seconds would do that. Even Apple's own Mac OS X doesn't force you to use 4-decimal-digit passwords, though I think Mac OS X may just be a relic of the company's earlier sane/competent/user-friendly era. (If Jobs had lived, I wonder if he would have killed off the Mac by now.)
  Second, as a hardware maker, Apple has tons of options above and beyond mere software interfaces, for providing keys. (I'll let your imagination run wild as to what you can do for authentication using a usb port, though this approach might not be so great for the kind of people who primarily need to defend against LE seizing their possessions.)
  Four-digit decimal passwords are a 1970s thing, maybe which people are still used to, due to ATM legacy. Anyone who does that in a new product in 1980s or later, at a minimum ought to be called on the bullshit. If MS Windows had forced a 4-decimal-digit constraint on user passwords or their encrypted filesystems forced that upon the keys, you know this would have been in huge print in some full-page Mac OS ad in the New York Times. And every damn one of us (me included) would be high-fiving Apple while joining in the laughter. It would have been better than even their FAT filename constraints ad.
  It's gotta be broken on purpose; that's the only thing that makes sense. And if Apple made a conscious decision to make it easily crackable, you could make an argument that they're accepting the expense. I think it's a weak and dubious argument, but it's not totally out of thin air. They've created an expense which ought to not exist at all, due to the brute-force cracking normally being completely beyond reach.
  
  --
  As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
3. Re:Maybe it SHOULD be at Apple's expense by blaster · 2013-05-12 16:05 · Score: 1
  
  You could always just go to Settings > General > Passcode > Simple Passcode, check "No," and then "use whatever they enter, no matter how long." Of course then you wouldn't have the had then fun of writing the last four paragraphs...
4. Re:Maybe it SHOULD be at Apple's expense by Sloppy · 2013-05-14 03:55 · Score: 1
  
  Then what's going on with the backlog; why isn't Apple just telling LE that they can't crack the phones? Does that setting come with the wrong default?
  
  --
  As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Re:Security through popularity! (But for how long? by gnasher719 · 2013-05-12 04:48 · Score: 1

If Apple is deluged with requests for what is, most likely, a free service they offer is there any doubt they won't.make it easier for law enforcement/Apple by either offering CSI labs 'DIY' kits OR training an AppleGenius at each store to do it on-demand?
It seems that to be able to get close enough to the encrypted data to start brute forcing the key, you need to get into the device in ways that require Apple's private keys. That's something that Apple wouldn't hand out to anyone, not CSI or an AppleGenius. I don't know how Apple handles it exactly, but I've read Microsoft's documentation how that kind of key is supposed to be handled (software developer locked into a room and from time to time the manager pushes some sandwiches through the gap under the door), so there is no bloody way these keys would ever leave Apple.
Apple should expect lawsuits for this by 109+97+116+116 · 2013-05-12 07:10 · Score: 1

For Apple to get into this I'd expect lawsuits against them--government entities might very well be able to get search warrants for this information but I doubt anyone involved can make a judge write up a warrant that allows Apple itself to have and reveal the data and not just the law enforcement entity involved.
There is no reasonable way to prove that there hasn't been tampering of evidence while the phone is in either nobody's or Apples control.
And if any party involved is shown to or can't prove they didn't hook this item up to an internet connected device to decrypt it there is no way to prove it hasn't been the target of malware that could plant erroneous data as well.
This is pretty creepy stuff.
Uhhh, disposable phones? by ikhider · 2013-05-12 10:14 · Score: 1

If the fool was using a personal phone to conduct illegal business, the police and Apple can use whatever means they want. Last I heard, drug dealers use disposable,cheap phones to conduct deals and then toss in the water/incinerator/whatever. What should be the real story is this failed war on drugs that only seem to give the state greater police powers, bankers more money, and make drug lords ridiculously rich. Decriminalize drugs and make it a health issue. Our society has a tremendous problem with drugs including and especially the "legitimate" kinds. Read Charles Bowden's 'Murder City' and 'Down By The River'. Excellent journalism.

--
"SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE