Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple's "Warrant Canary" Has Died

Posted by samzenpus on from the get-out-of-the-mine dept.

HughPickens.com writes When Apple published its first Transparency Report on government activity in late 2013, the document contained an important footnote that stated: "Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us." Now Jeff John Roberts writes at Gigaom that Apple's warrant canary has disappeared. A review of the company's last two Transparency Reports, covering the second half of 2013 and the first six months of 2014, shows that the "canary" language is no longer there suggesting that Apple is now part of FISA or PRISM proceedings.

Warrant canaries are a tool used by companies and publishers to signify to their users that, so far, they have not been subject to a given type of law enforcement request such as a secret subpoena. If the canary disappears, then it is likely the situation has changed — and the company has been subject to such request. This may also give some insight into Apple's recent decision to rework its latest encryption in a way that makes it almost impossible for the company to turn over data from most iPhones or iPads to police.

25 of 236 comments (clear)

  1. A change in the law? by Dupple · · Score: 4, Insightful

    Here's an interesting follow up from Ars

    http://arstechnica.com/tech-po...

    --
    Watch those corners
  2. Not completely gone by whoever57 · · Score: 5, Interesting
    Apparently (I haven't read the source docs myself), there is some similar language -- suggesting that some type of order has been served on Apple, so the canary is perhaps not dead yet -- just pining for the fjords [yes, I know, not really the correct use of this phrase].

    To date, Apple has not received any orders for bulk data

    What's missing is a specific reference to Section 215, suggesting that a limited Section 215 order has been served on Apple.

    --
    The real "Libtards" are the Libertarians!
    1. Re:Not completely gone by gnasher719 · · Score: 3, Informative

      well cook already made a public canary announcement or a lie, about them not being able to read your mail while at the same time it's obvious for anyone that they can change your apple credentials with or without your consent(giving access to your mail).

      Except the only source for the "not being able to read your mail" is the summary of a slashdot article, which managed to incorrectly quote the article that it summarized. And the source of the statement is openly available (a 1 hour interview with Tim Cook) and he clearly doesn't say anything like what you claim.

  3. Re:There is no "almost impossible" by bobbied · · Score: 4, Interesting

    It either can or can't be done. Almost impossible means it still can be done.

    Encryption is ALWAYS breakable by brute force. Question is how long does it take? Seconds? Hours? Months? Years? Decades? This is usually determined by key sizes. The longer the key, the longer it takes to brute force. (generally)

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  4. Re:There is no "almost impossible" by geekmux · · Score: 4, Funny

    It either can or can't be done. Almost impossible means it still can be done.

    Encryption is ALWAYS breakable by brute force. Question is how long does it take? Seconds? Hours? Months? Years? Decades? This is usually determined by key sizes. The longer the key, the longer it takes to brute force. (generally)

    Decades?

    Wow.

    You must live pretty damn far away from a big city or something.

    Takes me like fifteen minutes to buy a $5 wrench. Tops.

  5. Re:There is no "almost impossible" by dunkindave · · Score: 5, Informative

    Encryption is ALWAYS breakable by brute force. Question is how long does it take? Seconds? Hours? Months? Years? Decades? This is usually determined by key sizes. The longer the key, the longer it takes to brute force. (generally)

    Um, not quite, one time pads are provably impossible to break by brute force since the message can be decoded into any message of the right length.

  6. Better title by smittyoneeach · · Score: 3, Funny

    "Apple Warranty Canary Caught Working in a Coal Mine"

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  7. Re:There is no "almost impossible" by vux984 · · Score: 4, Insightful

    Takes me like fifteen minutes to buy a $5 wrench. Tops.

    That requires:
    a) you know who to hit with it
    b) the person you decide to hit with it knows the password

    So if you shoot a "terr'ist" and retreive his encrypted smart phone... what are you going to do exactly with a wrench?

  8. Re:There is no "almost impossible" by EvolutionInAction · · Score: 5, Informative

    No. You don't know what you're talking about. See, OTPs use a random 'key' the same length as the data you're encrypting. It doesn't matter if there are known fields in the data, because matching those sections tells you nothing about any other section.

    OTPs have a trivial proof that they provide perfect encryption as long as the key is never reused. They're just horribly impractical for everyday use.

  9. Re:There is no "almost impossible" by Anonymous Coward · · Score: 4, Insightful

    No, one time pads cannot be broken. The key and the message have the same length. You xor the key and the message to encrypt, xor again to decrypt. Since the attacker knows neither the key nor the plain text, he cannot break it even if he is an immortal whose only objective is breaking the crypto.
    Then why isn't it used everywhere? Because the key needs to be as big as the message, and the key is good for only a single use. That means you cannot send a new key encrypted with the one time pad (well, you can, but it won't help you). Any clever tricks you're thinking would make the crypto weaker.

  10. Re:There is no "almost impossible" by PurpleAlien · · Score: 5, Informative

    Actually, it is not. In reality, a 256 bit key can not be brute forced because of physics - especially the second law of thermodynamics. One of the results of this law is that information needs energy to be represented. In an ideal computer, the representation of one bit requires kT energy, where k is the Boltzman constant and T is the temperature. Let's assume we can operate at the average temperature of 3.2 Kelvin, the average temperature of the universe. The required energy to represent a bit in this case would be around 4.416*10-23 Joule.

    The annual amount of energy that our sun emits is about 1.21*10^34 Joule. Dividing this with the per bit-change energy, we could provide power for our ideal computer to perform 2.74*10^56 bit changes. This is just about enough to have a 187-bit counter go through all its states. This does not include the energy needed for the computations to test each key (our counter state in this case) for correctness.

    A 256 bit counter would require ~400.000.000.000.000.000.000 stars like our sun just to represent in the counter of our ideal computer.

    Or, to say it in the words of Bruce Schneier:
    "...brute force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space".

    Note: I am not talking about potential attacks against the algorithms here, etc. only pointing out that encryption is definitely not ALWAYS breakable by brute force.

    --
    My blog, if you're interested: http://www.purp
  11. Re:There is no "almost impossible" by pushing-robot · · Score: 5, Funny

    Tighten a loose bolt! I can always use a good wrench.
    It's five dollars well spent, in my opinion.

    --
    How can I believe you when you tell me what I don't want to hear?
  12. See Apple's privacy site for details by Camembert · · Score: 5, Informative

    FYI Apple's privacy site is here: http://www.apple.com/privacy/p...

    Of course there will be plenty of cynism here but I think it is in general a good & commendable effort for transparency. Interesting is the section on government information request:

    National Security Orders from the U.S. government.

    A tiny percentage of our millions of accounts is affected by national security-related requests. In the first six months of 2014, we received 250 or fewer of these requests. Though we would like to be more specific, by law this is the most precise information we are currently allowed to disclose.

    No warrant canary required, it is here in the open.
    So what could be the kind of thing asked taken into account the other the other privacy information on the site?

    1. Re:See Apple's privacy site for details by Prune · · Score: 4, Informative

      No, it is not "here in the open", because "250 and fewer" includes zero as an option. As per the Ars article someone already posted early on in this /. discussion, http://arstechnica.com/tech-po..., the 0-250 range is a reflection of new guidelines from the department of justice. A canary almost becomes unworkable for companies now because saying you have not received such a warrant in the given time period is equivalent to saying you have received 0 orders, which is more specific than the smallest allowable range of 0-250.

      --
      "Politicians and diapers must be changed often, and for the same reason."
  13. Not Coincidence, it's the point by SuperKendall · · Score: 5, Insightful

    Apple double-pinky swearing that they'll never, unh-uh, not ever unlock your iPhone

    That's not what they said - they said the've altered it so they CANNOT unlock your iPhone, even if they want to.

    Given how the technology works, that is a quite reasonable assertion. iOS devices have had full device encryption for some time, without that key you have nothing.

    All this "canary" bullshit begs the question why, if Apple really cared one little bit about their customers, don't they just come out and say what they have to say.

    That just shows a misunderstanding of what companies are legally ALLOWED to say. Once you get the order you CANNOT talk about it, thus the device of the canary.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  14. Re:There is no "almost impossible" by __aaltlg1547 · · Score: 5, Interesting

    1. Police seize iPhone
    2. Police arrest owner.
    3. Police tell owner to unlock the phone.
    4. Owner refuses.
    5. Police grab finger, press to button/fingerprint reader.
    6. Phone is unlocked.

    What encryption?

  15. Obama is but a puppet by Taco+Cowboy · · Score: 5, Insightful

    The huge machinery behind the NSA / CIA / FBI and all those alphabet agencies wants total control, and it has the enthusiastic support of private companies such as Google, Microsoft, Apple, Cisco, amongst others

    Obama? That one is but a puppet

    When the term of this puppet ends, by 2016 they will have another puppet installed. But of course, they will give us an "illusive election", whereby no matter who we vote for, it will be their puppet who will be installed inside the Casa Blanca!

    Viva la Maquinaria !!

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:Obama is but a puppet by hairyfeet · · Score: 5, Interesting
      I simply think they know what is coming, we are about to hit (if we haven't already) the singularity, that moment in history where the world is completely changed forever, like the invention of the engine and the airplane but the coming one? Its NOT gonna be nice if the "Ayn Randiates" in the halls of power have their way.

      So what is the new singularity? Simple its the day when human labor is no longer needed to maintain and advance the world. Its the day when everything from picking beans to paving roads can all be done by machines that never get paid, never ask for days off, its the corporate idea of heaven!Its the dark reality of John Henry, that no matter how hard you work, even if you work yourself to death, the machine will just keep on working and will run you down without a bit of remorse.

      When that day comes there is really only 3 paths, one of which we partially do now which is 1.- "make work" where you pay somebody for doing a pointless "job". We do that now at fast food joints, if you raised the minimum wage to a living wage and quit letting the corps hand out "how to get government handout" videos to new employees? You'd find within a year all the fast food workers replaced with an automated system that not only wouldn't get paid but would probably have a better track record than the underpaid overworked employees do know when it comes to getting orders correct.

      The second option would be the "Star Trek Socialist paradise" which would be the most humane of the three, basically give everyone a basic wage and let them do what they will with their free time while giving extra benefits and credits to those that choose to "serve the greater good" by devoting themselves to science and medical research. It sounds now but sadly too many greedy bastards at the top would rather burn the forest down than share the trees which brings us to #3 which is what I think all the 3 letter agencies are ramping up for..

      A fascist dictatorship where the elite rule with an iron boot using fear and violence where those at the top commit systematic genocide by forcing the "useless people" to live in ever worsening squalor, probably while claiming they are just "lazy" because they can't compete with the Asian slaves building our electronics. You would need the 3 letter agencies for several jobs in such a shift, to inspire fear and paranoia, to monitor and allow you to remove anybody that could possibly lead the peasants in an uprising, and to get enough dirt on those with weaker stomachs to insure they "get with the program".

      Considering how much we have been seeing the mask fall off when it comes to those in power, how they just ignore any and all promises without fear of punishment and how many in power seem to get almost sadistic glee at the thought of stomping on the poor? Sadly I have a feeling its gonna be the third option. They'll use a major false flag to excuse "extraordinary measures" that will simply never end and get worse...war on terror anyone?

      --
      ACs don't waste your time replying, your posts are never seen by me.
  16. Re:There is no "almost impossible" by Opportunist · · Score: 5, Insightful

    Another reason why biometry is great to establish identity but poor for authentication.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  17. Re:There is no "almost impossible" by Opportunist · · Score: 4, Insightful

    You underestimate the stupidity of your adversary. And their sadism.

    Or, in other words, just 'cause you can't confess doesn't mean the torture ends.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  18. Re:There is no "almost impossible" by fustakrakich · · Score: 3, Funny

    It would flip a coin...

    --
    “He’s not deformed, he’s just drunk!”
  19. Re:There is no "almost impossible" by Anonymous Coward · · Score: 3, Informative

    It is an excerpt from Applied Cryptography by Bruce Schneier.

    The full section is available on Schneier's personal blog.

  20. Re:There is no "almost impossible" by St.Creed · · Score: 3, Funny

    It would flip a coin...

    Maybe it should just ask the cat.

    You could, but there's an even chance it's dead :)

    --
    Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
  21. Way to connect those dots... by Brannon · · Score: 4, Insightful

    Apple removed a sentence from their quarterly filings and obviously this is a sign of imminent fascist genocide.

    Smart people are some of the stupidest people I've ever met.

  22. Re:There is no "almost impossible" by Aaden42 · · Score: 3, Informative

    There are two things you as a soon-to-be defendant can do:

    1) Power down your phone if you believe you are about to be detained. On power-up, the device requires your passcode to unlock. TouchID doesn’t work after reboot until the passcode is entered once. You can do this without unlocking the device by holding the power & home button for 10 seconds.

    2) Either before arrest while you can still surreptitiously access your phone or after when they’re trying to get your finger on the screen, use the wrong finger (one you haven’t enrolled in TouchID) or move your finger enough to smudge and get a bad read. You only get five attempts before the phone stops accepting TouchID, and you need to provide your passphrase again. If successful, the screen will say, “Touch ID does not recognize your fingerprint,” so it’s detectable to someone who knows what they’re doing, but also confirmation to you that it worked. As far as I know, there’s no timeout to this status. You will not be able to use TouchID until the passcode is entered.

    Either way, TouchID is disabled and they need to get your passcode out of you. Assuming you’re still in ordinary LEO territory, a $5 wrench isn’t going to work out when it comes to admissibility. If you’re already in TLA non-citizen territory, you’re done for anyways. Your call if “making it easier on yourself” is a good play or not...