Researcher Finds Hidden Data-Dumping Services In iOS

Trailrunner7 writes There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and remove large amounts of users' personal data. Several of these features began as benign services but have evolved in recent years to become powerful tools for acquiring user data.

Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition and found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called mobile file_relay, can be accessed remotely or through a USB connection can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or law enforcement, Zdziarski said. Update: 07/21 22:15 GMT by U L : Slides.

Pedos, drug lords, and terrorists take notice!!

[rodrigoandrade]

Everyone else, every law-abiding citizen, may move on, nothing to see here...

Re:Pedos, drug lords, and terrorists take notice!!

[i+kan+reed]

It is not a positive reflection on your post that I can't even tell what kind of paranoid delusion you're trying to espouse.

Re:Pedos, drug lords, and terrorists take notice!!

[KibibyteBrain]

Yup, because the law-abiding can't know about these features so members of the former group use this to fund their illicit activities.

Re:Pedos, drug lords, and terrorists take notice!!

you forgot to include mormons

Re:Pedos, drug lords, and terrorists take notice!!

[gstoddart]

I'm going with "if you have nothing to hide, you have nothing to fear".

Which isn't so much a paranoid delusion, as it is a prevalent sentiment.

Re:Pedos, drug lords, and terrorists take notice!!

[CaptnZilog]

Everyone else, every law-abiding citizen, may move on, nothing to see here...

So you're a law-abiding citizen?
I'll correct you on that the next time I see you on the roads doing even 1mph over the speed limit - you'll be 'breaking the law' y'know?

Studies show normal ordinary people 'break the law' at least 3x/day on average.
Heck, getting a BJ from your wife is illegal in some states (as far as 'a law on the books') still.
So, they may not be 'strictly enforced' laws, but I'm willing to bet every 'law abiding citizen' (so they think) has broken the law, and does so quite often really.

Re:Pedos, drug lords, and terrorists take notice!!

[cayenne8]

So, are there *that* many people out there, that actually trust their phones enough to keep really private stuff on them?

Sheesh.

Re:Pedos, drug lords, and terrorists take notice!!

They're just a subset of pedos

Re:Pedos, drug lords, and terrorists take notice!!

If I have nothing to hide, then what reason do you have to spy on me as if I do? With altruism off the table (I am innocent, remember), the only explanation left is malice.

Re:Pedos, drug lords, and terrorists take notice!!

[FictionPimp]

Recently, in a nearby city an office was injured arresting a criminal. The police response was that the people in that bad area didn't help the officer as he was being beaten, so they started patrolling that area more. The result was jaywalking tickets to people crossing the street from their house to their mailbox, and kids getting tickets for riding their bikes without a headlamp (in the daytime). Basically any tiny infraction to punish the populace.

Re:Pedos, drug lords, and terrorists take notice!!

[gstoddart]

If I have nothing to hide, then what reason do you have to spy on me as if I do? With altruism off the table (I am innocent, remember), the only explanation left is malice.

The corollary to "if you have nothing to hide you have nothing to fear" is that everybody has something to hide.

And the people who spy on you are certainly not willing to give you the benefit of the doubt, and they care not a whit about your presumed innocence.

Re:Pedos, drug lords, and terrorists take notice!!

every law-abiding citizen, may move on, nothing to see here...

If the country is a democracy, and the govt is *by* the people, it means the govt is an employee of the people. What gives an employee (govt) the right to spy on the boss (people) whether it's warranted or not?

2 Questions

[CanHasDIY]

1) Can this method be used to bypass iCloud?

2) Does anyone have a write-up of how it works? I've got a lost-to-pawn iPad that need wiped, and will likely have more come into the shop in the future.

Re:2 Questions

why not just jailbeak and flash again with stock?

Huge Caveat!

[rabtech]

There is a huge caveat here:

You can only do this if you have the keys from a computer you have sync'd with previously. That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.

Some of the stuff he complains about is only enabled for devices used for development or if the device is enrolled in enterprise provisioning. As far as I'm aware, Apple requires that the company purchase the device on the company account to support over the air enrollment in this system so it wouldn't affect personal devices. Even for USB connected devices, you must enter the password/passcode to allow the device to be visible to MDM tools in the first place. Even enabling development mode requires entering the password/passcode.

The one main point he brings up (which I agree with) is Apple needs to provide a way to see the list of computers on your device and remove them.

There are some other more theoretical issues here that Apple should address, but no your iPhone is not running a packet sniffer and will not hand over files to anyone who connects. If your device isn't provisioned for enterprise and has never connected to a PC to sync (the vast majority of iOS devices these days) then as far as I can tell, none of the issues he found are of any use whatsoever.

Re:Huge Caveat!

[93+Escort+Wagon]

That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.

The article made that very clear. But it's not clear to me where these keys are stored - is it on the disk, unprotected, or is it in your encrypted keychain? If the former, it seems to me that - unless you encrypt your computer's hard disk - this means anyone with unfettered access to your computer could get at these keys and thereby get at everything on your iOS device. If the latter, it would be much more difficult to do, even if they otherwise got access to your account.

The guy said he uses this to monitor his kids (which, depending on their age, might be a bit jerky in my opinion). However since he seems like an overzealous parent, I'm wondering if he has his kids' passwords etc., which would be necessary if these keys are in the keychain.

Re:Huge Caveat!

[jittles]

That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.

The article made that very clear. But it's not clear to me where these keys are stored - is it on the disk, unprotected, or is it in your encrypted keychain? If the former, it seems to me that - unless you encrypt your computer's hard disk - this means anyone with unfettered access to your computer could get at these keys and thereby get at everything on your iOS device. If the latter, it would be much more difficult to do, even if they otherwise got access to your account.

The guy said he uses this to monitor his kids (which, depending on their age, might be a bit jerky in my opinion). However since he seems like an overzealous parent, I'm wondering if he has his kids' passwords etc., which would be necessary if these keys are in the keychain.

Unless Apple has changed the way this process works, the keys you need to get it to sync aren't in the keychain at all. ON a mac you can find them in ~/Library/MobileSync or something like that. On later versions of Windows it'll be in Users\\AppData\Roaming\Apple\MobileSync

You can quite literally copy and paste them from one machine to another in order to trick an iDevice into syncing with multiple iTunes libraries at once, though you can run into problems with that if you're not careful. However, if encryption is enabled on backups, then you must know the passphrase to actually access a device backup. It's been years since I've played around with this, so I may bit a bit off on the exact directory locations, but they are basically just files sitting around in your user folder.

Re:Huge Caveat!

[gerardrj]

If there were master keys the Apple process to retrieve court ordered data would not take 4 months and $1,000.

Re:Huge Caveat!

[Lumpy]

In other words, over sensationalized slashdot summary carefully glazes over the facts that make it moot.

Re:Huge Caveat!

Tell that to your local forensics investigator with his special USB cable and software. Physical access to the device trumps going through Apple every time.

Re:Huge Caveat!

[tehlinux]

"Most of the phone vendors have a way of doing this."

[Citation needed]

Re:Huge Caveat!

Most departments that do have the software and the motivation don't have the time or the resources to keep up with the massive supply of tinfoil hats required to actually make it work.

Re:Huge Caveat!

"Master keys anyone? Oh no Apple would NEVER do that right?"

Not if they wanted to continue making a living out of selling their wares. Seriously, if there products were backdoored and the world finds out that is the end of the company. Nobody will pay over the odds for the latest shiny that just sits there stealing their data (iCloud sync would take care of this with a master key arrangement).

Re:Huge Caveat!

Always encrypt your hard disk these days. There's that much data snooping going on it is the least you can do. That way they either need to know your passcode, guess your passcode, or prove to you the encryption is either trivial or backdoored (doesn't even matter which). Getting your passcode would then at least require some judicial oversight - UK citizens need no longer apply.

Re:Huge Caveat!

[Guy+Harris]

but no your iPhone is not running a packet sniffer

Not even if you're using a Remote Virtual Interface? If that can only be used by plugging the device into a Mac and running rvictl on the Mac, that's one thing, but if you can also get it to act as a remote pcap daemon over the network, as he claims, that's a different matter.

Attacker or law enforcement?

whether by an attacker or law enforcement

For those who are innocent, law enforcement IS the attacker.

DROPOUTJEEP backdoor

[Animats]

This may be the backdoor known as DROPOUTJEEP, which was described in some Snowden-leaked documents last year.

Looks like Apple sold out, put in a backdoor, and then lied about it.

Re:DROPOUTJEEP backdoor

[Animats]

Apple's reputation management service is reacting faster now. It used to take them an hour to mod criticism down. Now it only takes 15 minutes. Who are they using?

Re:DROPOUTJEEP backdoor

[Lumpy]

The MS shills are pretty much whores, I'm betting they paid them $0.03 a mod.

Re:DROPOUTJEEP backdoor

[HornWumpus]

Not a MS shill. But a consultant. Just because I'm a whore, doesn't mean I'm cheap.

Re:DROPOUTJEEP backdoor

[Plumpaquatsch]

This may be the backdoor known as DROPOUTJEEP, which was described in some Snowden-leaked documents last year.

Looks like Apple sold out, put in a backdoor, and then lied about it.

Yeah. Or the guy who wrote that is either a moron or a jerkass, and completely ignored some important info given. Like the fact that DROPOUT.JEEP was actually the codename for a wired jailbreak for the first iPhone that NSA had to develop themselves. It's not like that info is hard to gain once you strip out the boasting and bullshit bingo from the l33t NSA haX0r slide.

XOR

[Himmy32]

The summary seems to imply that law enforcement and being an attacker are mutually exclusive...

Good way to bypass iTunes...

Does this mean I can back it up over USB without iTunes? That's not a bug, it's a feature!

DON'T PANIC

Why link to a re-post and not to the source: http://www.zdziarski.com/blog/

There we find this:

DON'T PANIC

Before the journalists blow this way out of proportion, this was a talk I gave to a room full of hackers explaining that while we were sleeping, this is how some features in iOS have evolved over the PAST FEW YEARS, and of course a number of companies have taken advantage of some of the capabilities. I have NOT accused Apple of working with NSA, however I suspect (based on released documents) that some of these services MAY have been used by NSA to collect data on potential targets. I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldnâ(TM)t be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer. I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices. At the same time, this is NOT a zero day and NOT some widespread security emergency. My paranoia level is tweaked, but not going crazy. My hope is that Apple will correct the problem. Nothing less, nothing more. I want these services off my phone. They donâ(TM)t belong there.

Re:DON'T PANIC

[dos1]

>I want these services off my phone.

How can you say that and yet still buy such devices? It's not like one doesn't have a choice...

Re:DON'T PANIC

[0123456]

How can you say that and yet still buy such devices? It's not like one doesn't have a choice...

Yes, they could buy Android instead. Or Windows.

Oh, hang one...

Re:DON'T PANIC

[TechyImmigrant]

Try BeOS.
Not a high profile target for the feds, the police or the Russian mob.

Re:DON'T PANIC

[johanwanderer]

You mean, DON'T PANIC .

Re:DON'T PANIC

[gstoddart]

How can you say that and yet still buy such devices? It's not like one doesn't have a choice...

And how much crap is installed on Android you can't disable (or know is there) without rooting your phone?

How much crap on Windows phone? I bet you can neither disable nor know it's there.

Your BlackBerry?

So, please, tell us, how are Android, Windows or BlackBerry phones any better? Can you prove none of them has something similar?

I very much doubt you can.

You can choose to not have a device at all, but I have my doubts you can choose a phone which doesn't have similar security holes you know nothing about.

Re:DON'T PANIC

Given the choice I'd hang Android. At least I've managed to get some work done on Windows.

Re:DON'T PANIC

[Lumpy]

The only secure Android phone is what is running Cyanogenmod.

Re:DON'T PANIC

[joh]

Android has the Google Play Services that has all permissions, that can update itself without asking or even telling the user and that has access to EVERYTHING on the phone. If the NSA wants you data, it gets it. Period.

And really, you need to do some reality-check here. You can't protect yourself against that. No way. Not without building your own hardware, writing your own software, including the firmware and the baseband.

All the geeks dreaming of technical solutions to political problems are just dreamers. What we need is some sane checks and balances for when and in which cases such things are used. This is a political problem and the first step to home in to a solution is accepting that there ARE cases where law enforcement and government agencies indeed have a right and a need to do this. Without accepting this you will only continue to shake your fists and even IF you may get into power with steadfastly requiring 100% security against everyone: Once you will notice that people will use the Internet and mobile devices to organize against you then, you WILL turn around and cry for surveillance and WILL try to defend yourself. Freedom has to have some teeth and hands and eyes to defend itself. The point is not to pull the teeth, the point is how to tame them. There are no technical solutions to that problem.

Re:DON'T PANIC

[viperidaenz]

Not if you block it with a HOSTS file!

Re:DON'T PANIC

[hweimer]

So, please, tell us, how are Android, Windows or BlackBerry phones any better?

Many Android vendors have well-documented procedures how to unlock the bootloader of the device and install a custom ROM, which can be mostly built from source (the remaining proprietary blobs come from non-US companies and/or are unlikely to contain backdoors because of the greatly reduced codebase). None of the other major players allow this.

Re:DON'T PANIC

[knarf]

Android: you have the source. Not the source of the binary blobs so the device can still be compromised through those, but the rest is 'up to you'. Apple, Microsoft, Blackberry... no source.

Is Android the bees knees of mobile software? No, far from it. It is up to par with the competition, though. And it is free software (most of it). The non-free bits can be replaced, mostly. The non-replaceable bits... need to be replaceable. In other words, as it stands now Android is a local optimum.

Re:DON'T PANIC

[Rick+Zeman]

The only secure Android phone is what is running Cyanogenmod.

Only if you personally are capable of security auditing every single line of source code. Otherwise, you'll be trusting someone or something...as virtually everyone else is doing.

Re:DON'T PANIC

Cyanogenmod is a venture-backed for-profit business now.
Cyanogenmod had been flirting with Google for a while now in the interests of shipping with Play services.
Stock Cyanogenmod makes continuous access to Google's servers (no cite, but check the AFWall+ logs). ...and more...

Don't get me wrong, it's a great ROM and what I use, but there is nothing even remotely "secure" about it.

Re:DON'T PANIC

Android (as shipped with most phones) is about as open source as iOS is. iOS's kernel and most of the userspace is open source, just like Android's. A huge amount of what users expect from the devices is closed source, just like Google Apps and Google Play Services.

Read the AOSP/Cyanogenmod/etc forums sometime. Most people install Google Apps, and at that point you're well back into mothership calling blackbox land.

Re:DON'T PANIC

[mysidia]

The only secure Android phone is what is running Cyanogenmod.

No... the only secure Android phone is the one you pulled the battery out on.

iPhone is trickier... since there's no removable battery: it is very hard to secure. Best bet is to wrap it in tin foil and let the battery drain down on its own, then when it reaches 0% it will be secure

Re:DON'T PANIC

APK! APK! APK! Sing it, brother!

Okay, I'm trying not to vomit from laughing too hard now.

Re:DON'T PANIC

The only secure Android phone is what is running Cyanogenmod.

oh right so it has no security holes, you continue to pretend that.

Re:DON'T PANIC

[exomondo]

The only secure Android phone is what is running Cyanogenmod.

If you take "secure" to mean "i don't know of any security vulnerabilities in it" then sure, but that's unlikely to be very secure.

Re:DON'T PANIC

[mjwx]

The only secure Android phone is what is running Cyanogenmod.

Only if you personally are capable of security auditing every single line of source code. Otherwise, you'll be trusting someone or something...as virtually everyone else is doing.

And how much source code does Apple give you to audit.

There are levels of trust we accept because not everyone has the time or skills to audit source code. However many actions (like simply making source code available) make others more trustworthy than their competitors.

I know Google collects info from my Nexus 5 and 7 but Google are at least honest about what they collect, give me options on what gets sent and have demonstrated how it's annonymised.

Apple collects the same, if not more info from Iphone/Ipad users but they don't openly admit to it, they hid it deep in the fine print of the T&C's (something about sharing data with "partners") nor do they demonstrate that the data is anonymised at all.

Unless you're a complete idiot, it's easy to see who's the more trustworthy.

Re:DON'T PANIC

[Kamien]

The blog post also says this:
"(...) I understand that every OS has diagnostic functions, however these services break the promise that Apple makes with the consumer when they enter a backup password; that the data on their device will only come off the phone encrypted. The consumer is also not aware of these mechanisms, nor are they prompted in any way by the device. There is simply no way to justify the massive leak of data as a result of these services, and without any explicit consent by the user.
I don’t buy for a minute that these services are intended solely for diagnostics. The data they leak is of an extreme personal nature. There is no notification to the user. A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption. Tell me, what is the point in promising the user encryption if there is a back door to bypass it?"

Re:DON'T PANIC

[Kamien]

Just buy an Android phone without Google Apps pre-installed.
I have one (Huawei).

No Google Play Services (and any other Google Apps - Maps, Mail, etc.)

Re:DON'T PANIC

[Plumpaquatsch]

Just buy an Android phone without Google Apps pre-installed. I have one (Huawei). No Google Play Services (and any other Google Apps - Maps, Mail, etc.)

Yeah, having everything send to the Chinese intelligence agencies is soooo much better. Not to mention the NSA backdoors in the Linux kernel that Google itself hasn't found.

Re:DON'T PANIC

"You can choose to not have a device at all, but I have my doubts you can choose a phone which doesn't have similar security holes you know nothing about."

I wonder how this was modded up?

I'm pretty sure that Cyanogenmod doesn't have similar security holes. You basically answered your own question: just root the Android phone and you can get rid of all the crap, and replace OS completely. This is simply not possible with Iphone/Windows/Blackberry.

Re:DON'T PANIC

[dos1]

Android and Windows Phone aren't the only alternatives out there. There are even devices and OSes that are supported entirely by FLOSS community, like OpenPhoenux. There is a choice, you just have to keep your eyes wide open.

Re:DON'T PANIC

[dos1]

You have a choice to buy iOS, Android, Windows or BlackBerry phones.

My Openmoko, SHR, Maemo, QtMoko and Debian based phones are a nice example. And they all work pretty well! It wasn't always the case, especially in their early days, but things have stabilized pretty well over time.

If you don't want any "crap", support projects like Neo900. You do have a choice.

Re:DON'T PANIC

[dos1]

to not buy*, of course.

Legitimate engineering uses

[tipo159]

Apple is often prone to adding capabilities without thinking through the security implications. But this researcher should do some more research into what constitutes legitimate engineering uses.

From TFA:

“Some of this data shouldn’t be on the phone. HFSMeta creates a disk image of everything that’s on the phone, not the content but the metadata,” Zdziarski said. “There’s not even an engineering use for that.”

I can imagine plenty of legitimate uses of just metadata. For example, the old iOS backup mechanism basically took a snapshot of everything and something like HFSMeta could be used to identify the files that have changed so only those files are backed up.

Re:Legitimate engineering uses

You have officially been banned from the circle jerk.

Re:Legitimate engineering uses

she was buried with him in his pyramid

Re:Legitimate engineering uses

[thoromyr]

not to mention "...creates a disk image of everything that’s on the phone..." is misleading, even with the following caveat. It would be far more accurate to say something like "...creates a copy of file access times of everything that's on the phone, and other metadata such as file size and other timestamps." But that wouldn't be bait for journalists and misquotation. (And if the dumped iOS file system metadata includes other things, perhaps mention those -- but timestamps and file size are the main things.)

Re:Legitimate engineering uses

[joh]

In iOS 7 or later just do not tap on "Yes" if it asks you if you trust the device you connected you iPhone to if you don't trust it.

? Well it's also kind of problematic

[Crashmarik]

For people who lose/have their device stolen.

Too many words

[joh]

People want to read something like "The iPhone has a secret backdoor for the NSA!!!". Anything much longer than that will never be read or understood by most people.

It's hopeless. Ask 100 people who have heard of this and 95 of them will tell you that it is proven now that the iPhone has a secret backdoor for the NSA over which all data can just be read by them.

(And I'm not even saying that it has NO such backdoor. Maybe it has. But this isn't it. This just isn't designed for mass surveillance, it needs a cooperating user and individual access to a device the user has connected his iPhone to. Maybe it's a side door for law enforcement and/or forensics additionally to a debugging tool.)

Re:Too many words

[Charliemopps]

People want to read something like "The iPhone has a secret backdoor for the NSA!!!". Anything much longer than that will never be read or understood by most people.

It's hopeless. Ask 100 people who have heard of this and 95 of them will tell you that it is proven now that the iPhone has a secret backdoor for the NSA over which all data can just be read by them.

(And I'm not even saying that it has NO such backdoor. Maybe it has. But this isn't it. This just isn't designed for mass surveillance, it needs a cooperating user and individual access to a device the user has connected his iPhone to. Maybe it's a side door for law enforcement and/or forensics additionally to a debugging tool.)

Except for the fact that Apples handing all of your data over to the NSA anyway. Apple has a very cozy relationship with the US federal government.
http://cdn.bgr.com/2013/11/app...

But at least Apple held off for longer than some of the others:
http://static.guim.co.uk/sys-i...

Long story short? The NSA doesn't need this backdoor, it's a lot easier to just go strait to apple.

Re:Too many words

[joh]

People want to read something like "The iPhone has a secret backdoor for the NSA!!!". Anything much longer than that will never be read or understood by most people.

It's hopeless. Ask 100 people who have heard of this and 95 of them will tell you that it is proven now that the iPhone has a secret backdoor for the NSA over which all data can just be read by them.

(And I'm not even saying that it has NO such backdoor. Maybe it has. But this isn't it. This just isn't designed for mass surveillance, it needs a cooperating user and individual access to a device the user has connected his iPhone to. Maybe it's a side door for law enforcement and/or forensics additionally to a debugging tool.)

Except for the fact that Apples handing all of your data over to the NSA anyway. Apple has a very cozy relationship with the US federal government.
http://cdn.bgr.com/2013/11/app...

According to that table there were 0 - 1000 cases in which "some" content data was disclosed to law enforcement in the US (and 1 in the UK and 0 in about 30 other countries). You call this "a very cozy relationship"? With 313 million citizens in the US there were less than 1000 requests granted. What's "cozy" about that?

Re:Too many words

[hsthompson69]

We're missing a number here - how many requests were *made*?

http://cdn.bgr.com/2013/11/app...

The data for the US is almost laughably vague. It could very well be that 1000 requests were made, and 1000 requests were granted.

100% success rate in complying with requests sounds pretty cozy to me...

Re:Too many words

[Smurf]

The data for the US is almost laughably vague. It could very well be that 1000 requests were made, and 1000 requests were granted.

100% success rate in complying with requests sounds pretty cozy to me...

Following that exact same logic we could argue that 2000 requests were made (involving 3000 accounts) and 0 were granted.

A 0% success rate in complying with requests sounds pretty un-cozy to me...

I agree that the data is worthless, though.

Re:Too many words

Nope. I don't trust your "nothing to see here, move along". Breaking encrypting through brute-force techniques has been around for a long time, and if there is a 'you have to do this and that' and you are relying on 'this and that' is not enough to save you, because there is always a simpler verions of 'this and that', and even if there isn't an easier version, as said before, brute-force might be really hard for some, and childs play for others. Breaking it and all others like it is a billable job, and people who enjoy doing it can automate the hell out of it, and in a short time, make it a button press for a novice (working for the 3 letter agency).

Re:Too many words

[AmiMoJo]

What's "cozy" about that?

Did a judge authorize every release of data? I don't know, I'm asking. If they just handed it over when asked then that is a cozy relationship, if they demanded a warrant and gave the target notice and an opportunity to contest it then that's fair enough.

Re:Too many words

[drinkypoo]

Long story short? The NSA doesn't need this backdoor, it's a lot easier to just go strait to apple.

This isn't about the NSA in particular, this is about all law enforcement. It's ordinary for law enforcement to confiscate your phone and drop it into a cradle for analysis when you're arrested.

Re:Too many words

[Plumpaquatsch]

Except for the fact that Apples handing all of your data over to the NSA anyway. Apple has a very cozy relationship with the US federal government. http://cdn.bgr.com/2013/11/app...

According to that table there were 0 - 1000 cases in which "some" content data was disclosed to law enforcement in the US (and 1 in the UK and 0 in about 30 other countries). You call this "a very cozy relationship"? With 313 million citizens in the US there were less than 1000 requests granted. What's "cozy" about that?

Not to mention that this number includes all requests for tracking down stolen phones and those from missing persons.

ANOTHER Huge Caveat!

The iDevice has to be jailbroken to get at these features.

Re: Pedos, drug lords, and terrorists take notice!

Go whoosh yourself.

In Soviet USA

iOS iSpies on you.

It's called trauma

[joh]

Really, very much as after 9/11 people are actually training themselves into a deep trauma. As you should know avoiding a trauma means NOT to do that. Sadly if you leave people to do what they want (and have this amplified by the headline-addicted press and of course the Internet) they will do exactly that. They will over and over come back to what did hurt them, they will stare at it all day long and become more and more fascinated by it, until they can't think of anything else anymore. Feelings of intense anger that is targeted at often logically totally unrelated persons or things will be more and more common.

http://en.wikipedia.org/wiki/P...

To "get back to reality" isn't easy then.

Re: Pedos, drug lords, and terrorists take notice

That too is against the law in some states.

I knew it!

I frikken knew it. That's why China won't allow iPhones. I bet you 83% odds Windows has it too. Government backdoor is 99% the reason.

Whoa.

[edrobinson]

Is Apple beginning to get like M$?

Re:Whoa.

[mjwx]

Is Apple beginning to get like M$?

What do you mean by "beginning"?

Oh snap!

[viperidaenz]

You'll have to close this back door in iOS 8 and add a new one that's harder to find.

Whoa.

Is Apple beginning to get like M$?

It always was.

JCS does not like Crypto devices

Smartphones could theoretically be perform the function of an unbreakable crypto endpoint, very much like a "SIGABA in your Pocket".

That would make their ears deaf. Billions of SIGABAs in the hand of civilians !!!

So they "broke" the crypto machine security by adding backdoors. Don't by the corporate colored glass beads, but roll your own crypto. Its not actually hard. A small controller, an LCD display and a keyboard will do.

Re:JCS does not like Crypto devices

Don't by the corporate colored glass beads, but roll your own crypto. Its not actually hard.

WHAT THE FUCK ARE YOU SMOKING? Rolling your own crypto is HARD. The near infinite number of ways you can screw up (fucked implementations like "optimizations", timing attacks, electromagnetic leakage, poor handling of entropy and key material--the list goes on and on) automatically make rolling your own crypto a bad idea.

You want better security, support the open source hardware and software guys (especially crypto devs who put out established/trustworthy products like OpenBSD).

And yes, I've written plenty of crypto code and STILL don't trust any of it.

Re:JCS does not like Crypto devices

[Sloppy]

He was obviously talking about building your own hardware. Did you really think his parts list of "A small controller, an LCD display and a keyboard," was in reference to writing an alternative to OpenBSD?

Huge Caveat!

Or to put it another way, they're the services used for syncing (or at least, don't offer any more access than the sync functionality).

Of course a computer set to sync data can access the fucking data.

Law Enforcement should cost

[cant_get_a_good_nick]

Process is now taking about four months on average, and costs
about $1,000, so LE is looking for streamlined / inexpensive
tools to collect evidence.

Part of the protection against tyranny isn't the gun, but simply that certain law enforcement has certain costs. Part of it is red tape - a warrant sticks some glue in the process, slows it down. Part of it is monetary costs. In the 1970's wire taps cost a lot.

These costs force some filtering of resources. You can't just go after everyone, you need to be somewhat efficient with resources. It doesn't eliminate bad actors, but it makes the consequences more intense.

Part of what the NSA is doing, they can do because the surveillance is so cheap. If it cost them 1000 a person, then just in America it would cost them 350 Billion a year to spy. The world would cost 7 Trillion. We can't afford that, only that surveillance is (too) cheap does mass surveillance make sense.

Memo to Self : don't buy iAnything

[RockDoctor]

Memo from Self : Like I was going to do that? After the last time I worked on a Mac?