Slashdot Mirror


FBI Gripes "We Can't Read Everyone's Secrets" (reuters.com)

New submitter rdukb writes: FBI Director James Comey told the Senate Intelligence Committee that investigators still can't access the phone contents of one of the San Bernardino killers. He went on to argue that the phenomenon of communications "going dark" due to more sophisticated technology and wider use of encryption is "overwhelmingly affecting" law enforcement operations, including not only the San Bernardino murders but also investigations into other murders, car accidents, drug trafficking and the proliferation of child pornography. This might increase pressure on Apple to loosen the backdoor restrictions. Will the industry relent and allow Government access to data from these devices?

30 of 175 comments

  1. Sure. Force Apple and Google to add backdoors by Anonymous Coward · · Score: 5, Insightful

    What could POSSIBLY go wrong?

    Um...maybe fifteen minutes after the first OS release, the Darknet will have utilities published to take advantage of them?

    Captcha: "contempt"

  2. If you open that backdoor... by Anonymous Coward · · Score: 3, Insightful

    You will just force me to find other means to encrypt, making my device even DARKER than it already is...

    1. Re:If you open that backdoor... by mark-t · · Score: 3, Interesting

      The idea, I imagine they believe, is that when you have to go to sufficient lengths to keep your data confidential, you will actually draw even *more* attention in the process, and even if you are not guilty of anything in particular, may find yourself more heavily scrutinized by the powers that be than the average individual.

  3. No by Kohath · · Score: 5, Insightful

    People made that mistake before. We learned our lesson. Government can't be trusted. They demonstrate it a new way every day.

    1. Re:No by Darinbob · · Score: 5, Insightful

      "Overwhelmingly affecting" law enforcement. Really? What did they do when people didn't have technology and just whispered their secrets to each other? Did they whine that they couldn't hear the secrets and tried to pass laws that required everyone to shout? We have always had secrets that law enforcement could never figure out and we always will. There have always been unsolved cases, and there always will be. Law enforcement has always whined that it could do more if only they had more power, and they always will.

    2. Re:No by Sperbels · · Score: 5, Funny

      If you people would only let us slowly tear the flesh off of our suspect, getting a confession would be that much easier. It's like you guys want more crime.

    3. Re:No by Kohath · · Score: 5, Interesting

      And even if the current crop of voters *did* learn their lesson (which they did not), the next generation has not learned it, and will make the same mistakes all over again.

      I don't think the next generation will side with law enforcement. What did the police ever do for them besides hassle them, give them traffic tickets, and threaten to raid their parties? We have the lowest crime in decades and safest highways ever. Law enforcement is generally not needed and increasingly feared by regular people.

      The people who like law enforcement are 55+ and remember trying to raise a family during the crime wave times of 1970-1990.

    4. Re:No by mark-t · · Score: 3, Interesting

      What I think is more interesting is that even *IF* the government could be trusted, it would still be a bad idea to give them unfettered access, because if they can read your confidential data, however benign they may claim their intentions to be, then so can somebody with less benevolent motivations. The net result is that instead of making things easier for law enforcement, it will actually make things harder because law enforcement would then be further burdened with trying to also protect those who are innocent from predatory criminals who are exploiting the weaker security that would be made mandatory.

      Obviously if you don't trust the government in the first place, this is clearly a bad idea.... but it is interesting, I think, to note that even if the government *COULD* be trusted, it still works out to an overall bad idea, with a net negative benefit for absolutely everyone, both the people *AND* the government. The only ones who would really come out ahead are the ones who disregard the law.

    5. Re:No by Jack Griffin · · Score: 3, Interesting

      I don't think the next generation will side with law enforcement. What did the police ever do for them besides hassle them, give them traffic tickets, and threaten to raid their parties? We have the lowest crime in decades and safest highways ever. Law enforcement is generally not needed and increasingly feared by regular people.

      This is a really good point. The police are losing the hearts and minds and seem content to let it drift away. The biggest threat to the rule of law is the lack of buy-in from the people.
      As you say, when I was a kid it was dangerous to go out at night. Violent crime was a lot more common and the police were the good guys (mostly) there to protect and serve. We used to have local cops visit the school and everyone knew them by first name.

      Nowadays I feel free to walk the streets any time of night, I sleep with my front door open, I never lock my car, we live in the safest and most prosperous times. Yet my experience of the Police is some jerks who want to punish me for the most ridiculously trivial things.
      The cops need a PR makeover, get back into the community as part of the community, as more social oriented workers than para-military bully boys.

  4. Boo Hoo!! by fred911 · · Score: 5, Insightful

    "overwhelmingly affecting" law enforcement operations

      Including extra-legal warrantless, domestic, mass surveillance. Go cry somewhere else, the US intelligence complex made this bed, now go lie in it.

      We need more end to end encryption to be used as a daily matter of fact, because it's been proven time and time again you aren't trustable.

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  5. more FBI lies by dltaylor · · Score: 5, Insightful

    FBI directors lie to Congress as part of their normal job duties.

    This is just more of the same.

    1. Re:more FBI lies by PolygamousRanchKid+ · · Score: 5, Insightful

      Well, now that the FBI employee directory is out, concerned citizens can call or email the FBI Director directly, to voice their concerns.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    2. Re:more FBI lies by FatdogHaiku · · Score: 2

      When bureaucrats talk with politicians,
      the truth can be lost on the head of a pin.

      Also, Help, I'm trapped in a fortune cookie factory!

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  6. Dear FBI by Anonymous Coward · · Score: 5, Insightful

    Dear FBI,
    Backdoors will only let you catch the dumbest of dumb criminals. Encryption exists, you can't uninvent it. Taking default encryption away hurts the privacy of the innocent and does nothing to stop the bad guys from using their own encryption. You can't have a backdoor without the possibility that others will figure out how to access that backdoor too. Just deal with it already and stop trying to destroy security.

  7. Hiring Fail by randalware · · Score: 5, Insightful

    The police are not hiring some people because they have too high of an IQ.

    Then the people they do hire, whine "Can't you make this easier ? It's too hard !"

    What do you want next ?

    Master keys to all physical locks ?
    People must use their birth names ?
    No cars that can exceed 30 mph ?
    Everyone wear hi-viz clothes and flashing lights ?
    Nation ID numbers tattooed on your cheeks ? all four cheeks ?

    If it was an easy job, stopping crooks, all our bankers, lawyers & politicians would be incarcerated.

    --
    This is my opinion based on what little I know and understand of the rumors and lies Thanks, Randal
  8. don't believe his lies by Gravis Zero · · Score: 4, Insightful

    FBI director says investigators unable to unlock San Bernardino killer's phone content

    things one needs to unlock a smartphone:
    * fingerprint (sometimes) (difficulty: invalid)
    * dump the flash memory (difficulty: hobbyist)
    * to avoid lockout, have machines emulate the phone and try every combination to unlock the phone (difficulty: developer)

    conclusion: the investigators had a technician unlock the phone in less than an hour

    DO NOT BELIEVE HIS LIES.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:don't believe his lies by Anubis IV · · Score: 4, Insightful

      devices sold, designed for consumers in the US have to be wiretap, plain text and voice recording friendly.

      No, they don't. Encrypted phones are used every day by the US government itself, as well as numerous businesses. Consumer-facing products such as FaceTime, FaceTime Audio, and iMessage are readily available today, are used by tens of millions of people, and are designed with end-to-end encryption that prevents wiretaps from taking place. Comparable products exist for other platforms. What you just said is an outright fabrication.

      Moreover, the Constitution's Fourth Amendment grants "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures". It does not grant the government the right to deny us security on the basis that they may one day have a reasonable cause for a search or seizure. They're left to figure out how to get access on their own, despite our right to be secure. If I put my papers in a safe, that means bringing in a safecracker, not legally obligating all safe manufacturers to put defects in their safes that make them less secure. If I put my stuff in my car, that means bringing in a locksmith, not legally obligating all car manufacturers to put defects in their safes that make them easier to break into. And if I put my data in a smartphone, that means bringing in a hacker, not legally obligating all smartphone manufacturers to put defects in their phones that make them easier to access.

      In this particular case, I wish the government the best, but the suggestion that we shouldn't have the right to secure our smartphone because that same right can be used by criminals to hide wrongdoing is no different than suggesting that we shouldn't have the right to free speech because that same right can be used by criminals to incite wrongdoing.

    2. Re:don't believe his lies by cfalcon · · Score: 2

      Phones don't need to be wiretap friendly, you have no obligation to forfeit privacy, and the constitution guarantees your right to privacy and free speech.

      With that said, the phones are not constructed idiotically, and will wipe / key dump if attacked naively with brute force. Additionally, I don't know which phones are limited to 4 character passphrases, but it is sure as FUCK not "most". Android users can set a password, Apple users can set a password. Maybe some trivially untrustworthy shit limits your password length to 4 digits, but nothing worth using.

    3. Re:don't believe his lies by LordWabbit2 · · Score: 2

      It's not as simple as that, the following was from a fellow slashdotter on a different post, I sent a copy to friends because I found it so interesting. Unfortunately I did not keep a copy of WHO he was, my apologies to him for posting it again without attributing it to him.

      You mistake an iPhone's unlock code with the iPhone's encryption key. The iPhones do typically use a 4-6 digit pin as an unlock code. The user also has the ability to create a full alphanumeric password for the unlock code as well. However, that is simply the code that's used to unlock the actual full encryption key that is stored within dedicated crypto hardware.

      Apple uses a dedicated chip to store and process the encryption. They call this the Secure Enclave. Within the secure enclave itself, you have the device's Unique ID (UID). The only place this information is stored is within the secure enclave. It can't be queried or accessed from any other part of the device or OS. Within the phone's processor you also have the device's Group ID (GID). Both of these numbers combine to create 1/2 of the encryption key. These are numbers that are burned into the silicon, aren't accessible outside of the chips themselves, and aren't recorded anywhere once they are burned into the silicon. Apple doesn't keep records of these numbers.

      The second half of the encryption key is generated using a random number generator chip. It creates entropy using the various sensors on the iPhone itself during boot (microphone, accelerometer, camera, etc.) This part of the key is stored within the Secure Enclave as well, where it resides and doesn't leave. This storage is tamper resistant and can't be accessed outside of the encryption system. Even if the UID and GID components of the encryption key are compromised on Apple's end, it still wouldn't be possible to decrypt an iPhone since that's only 1/2 of the key.

      The secure enclave is part of an overall hardware based encryption system that completely encrypts all of the user storage. It will only decrypt content if provided with the unlock code. The unlock code itself is entangled with the device's UDID so that all attempts to decrypt the storage must be done on the device itself. You must have all 3 pieces present: The specific secure enclave, the specific processor of the iphone, and the flash memory that you are trying to decrypt. Basically, you can't pull the device apart to attack an individual piece of the encryption or get around parts of the encryption storage process. You can't run the decryption or brute forcing of the unlock code in an emulator. It requires that the actual hardware components are present and can only be done on the specific device itself.

      The secure enclave also has hardware enforced time-delays and key-destruction. You can set the phone to wipe the encryption key (and all the data contained on the phone) after 10 failed attempts. If you have the data-wipe turned on, then the secure enclave will nuke the key that it stores after 10 failed attempts. Whether the device-wipe feature is turned on or not, the secure enclave still has a hardware-enforced delay between attempts at entering the code: Attempts 1-4 have no delay, Attempt 5 has a delay of 1 minute. Attempt 6 has a delay of 5 minutes. Attempts 7 and 8 have a delay of 15 minutes. And attempts 9 or more have a delay of 1 hour. This delay is enforced by the secure enclave and can not be bypassed, even if you completely replace the operating system of the phone itself.

      If you have a 6-digit pin code, it will take, on average, nearly 6 years to brute-force the code. 4-digit pin will take almost a year. If you have an alpha-numeric password the amount of time required could extend beyond the heat-death of the universe. Key destruction is turned on by default. Even if you pull the flash storage out of the device, image it, and attempt to get around key destruction that way it won't be successful. The key isn't stored on the flash itself, it's only stored within the secure enclave itself which you can't remove the storage from.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
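
Added example, not part of the original thread and not Apple's implementation: a toy Python model of the mechanism the quoted comment describes, in which the passcode is entangled with a device-unique secret and the attempt counter, delays and key destruction are enforced next to the key. `ToyEnclave`, the PBKDF2 stand-in and the sample passcodes are assumptions made for illustration; the delay schedule is the one quoted in the comment.

```python
import hashlib
import hmac
import os


def delay_before_attempt(n: int) -> int:
    """Seconds enforced before attempt n, per the schedule quoted in the comment."""
    if n <= 4:
        return 0
    if n == 5:
        return 60
    if n == 6:
        return 5 * 60
    if n <= 8:
        return 15 * 60
    return 60 * 60


def total_enforced_delay(attempts: int) -> int:
    """Total waiting time, in seconds, accumulated over `attempts` consecutive tries."""
    head = sum(delay_before_attempt(n) for n in range(1, min(attempts, 8) + 1))
    return head + max(0, attempts - 8) * 3600


class ToyEnclave:
    """Constructed model (hypothetical class, not Apple's design)."""
    MAX_FAILURES = 10

    def __init__(self, passcode: str, wipe_enabled: bool = True):
        self._uid = os.urandom(32)             # device-unique secret; never exported
        self._verifier = self.derive(passcode)
        self.wipe_enabled = wipe_enabled
        self.failures = 0
        self.waited = 0                        # simulated seconds of enforced delay
        self.wiped = False

    def derive(self, passcode: str) -> bytes:
        # Assumption: PBKDF2 salted with the UID stands in for the hardware key derivation.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._uid, 1000)

    def try_unlock(self, passcode: str) -> bool:
        if self.wiped:
            return False                       # key material is gone; nothing to test against
        self.waited += delay_before_attempt(self.failures + 1)
        if hmac.compare_digest(self.derive(passcode), self._verifier):
            self.failures = 0
            return True
        self.failures += 1
        if self.wipe_enabled and self.failures >= self.MAX_FAILURES:
            self._uid = self._verifier = None  # key destruction
            self.wiped = True
        return False


if __name__ == "__main__":
    phone = ToyEnclave("4821")                 # constructed sample passcode
    for guess in range(10):
        phone.try_unlock(f"{guess:04d}")
    print("wiped:", phone.wiped, "seconds waited:", phone.waited)
    print("correct code after wipe:", phone.try_unlock("4821"))
    print("10,000 attempts, days of delay:", total_enforced_delay(10_000) / 86400)
```

Because the derived key depends on the per-device secret, two `ToyEnclave` objects given the same passcode produce different keys, which is the property that ties guessing to the device itself.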
  9. Archer by U2xhc2hkb3QgU3Vja3M · · Score: 3, Funny

    This might increase pressure on Apple to loosen the backdoor restrictions.

    Phrasing!

  10. I don't think quotes mean what you think they mean by dfn5 · · Score: 2

    I read the article and nowhere do I see anyone quoted as saying "We Can't Read Everyone's Secrets". I do see "We still have one of those killer's phones that we have not been able to open," but I suppose that isn't as shocking.

    --
    -- Thou hast strayed far from the path of the Avatar.
  11. Re:Boycot by U2xhc2hkb3QgU3Vja3M · · Score: 2

    If they or any company does, then they should be boycotted until they go bankrupt.

    You mean like Microsoft, with Windows 10 which communicates with dozens of servers even when you turn telemetry off?

  12. The cognitive dissonance is astounding by timholman · · Score: 5, Insightful

    If James Comey thinks that the FBI could keep their backdoor decryption key secure, perhaps I could call him at his office phone using the FBI directory that just got uploaded to the net, and discuss it with him. :-)

    The FBI and the DoJ can't even keep their own databases safe from a social hack. A backdoor key would be in the hands of China and Russia before the week was out.

  13. Subpoenas and the right against self-incrimination by Frobnicator · · Score: 5, Informative

    Perhaps they know who the phones belong to, but what makes them think the owner is one of the San Bernardino killers?

    That's where law enforcement is having a hard time.
    * Government can use a warrant to demand the item be surrendered, and preserve it as evidence.
    * Government can demand passwords from third parties like phone companies under both subpoenas and warrants.
    * BUT individuals have a constitutional protection against compelled self-incrimination.

    The government is supposed to produce evidence and link the person to the crime without a forced confession. It is a GOOD THING, it helps prevent things like being tortured to confession and fishing expeditions looking for crimes. Prosecutors and police can demand an individual produce papers and documents that link them to a case, but (assuming their legal defense is doing their job) by doing so they trigger the protections of the fourth and fifth amendments by compelling the evidence.

    This was recently re-affirmed by the supreme court in US v. Hubbell. If the government demands that the person gives up documents, papers, or passwords to the device it is compelled self-incrimination. If the government demands a person incriminate himself to collect evidence, it becomes poisoned and the government cannot use it or information from it to help with prosecution.

    Police and prosecutors absolutely can demand the people turn over passwords .... but by doing so they also trigger immunity, they cannot use that fact or anything learned from the devices as evidence against them. They'll bitch and moan and complain about not having the passwords, they'll petition congress about how unfair it is to law enforcement that police need to actually investigate crimes and can't use self-incrimination tactics, but the lawyers know full well all it takes is a single slip of paper to legally demand the passwords. Grant them immunity under the protections of the 5th and they are compelled to turn the passwords over, but the person also walks away from criminal liability.

    Simply (perhaps dangerously oversimplified) in most of these cases it is that the police are lazy. There are many other known details, much other evidence, but investigators are going for the easy pickings of the data on phones and other personal documents typically protected by law. They could do actual leg-work, actual investigation, actual crime scene evaluation, and many investigators do. The ones wanting to break down the constitutional protections are the lazy investigators who won't be bothered to use the other available investigation tools.

    --
    //TODO: Think of witty sig statement
  14. Re:Subpoenas and the right against self-incriminat by ArmoredDragon · · Score: 2

    Police and prosecutors absolutely can demand the people turn over passwords

    That doesn't make sense to me because a password is the "what you know" authentication factor. And what would stop somebody from saying they forgot the password?

    Now a fingerprint on the other hand is "who you are" and the government does have the right to make you identify "who you are" not only to law enforcement but to the courts as well.

    The third authentication factor "what you have" (i.e. smart card, key fob) could be compelled to be turned over only if the government can prove that not only does it exist, but that you actually have it too.

  15. Dear FBI: See this image by rnturn · · Score: 2

    It's a photo of the world's smallest violin playing a plaintive melody to go along with your constant whining about having to follow the law:

    >>--> . <--<<

    --
    CUR ALLOC 20195.....5804M
  16. Wasn't it just a few weeks ago that... by rnturn · · Score: 3, Informative

    ... Comey was trying to convince everyone that he wasn't obsessing over encryption and not being able to read everyone's private information?

    --
    CUR ALLOC 20195.....5804M
  17. Warrants Are Too Hard by Anonymous Coward · · Score: 2, Interesting

    Comey's message:

    - Warrants are too hard;
    - Due Process is too hard;
    - Privacy is too hard;
    - Habeas Corpus is too hard;
    - Miranda warnings are too hard;
    - Encryption is too hard;
    - Court cases are too hard;
    - Evidence is too hard;
    - Probable Cause is too hard;
    - Judges are too hard;
    - Jurisdiction is too hard;
    - Investigation is too hard;

    Etc.

    Damn, law enforcement is hard!

    My response? My grandparents were farmers in the Dirty Thirties. That was hard. Hard enough to destroy good families who didn't deserve to be tested that way. You don't know hard. Do your job and stop trying to skate along looking for an easy life with high pay and no accountability. You can steal my privacy the day you can steal my wallet. And you can't steal my wallet!

  18. Boohoo by kbsoftware · · Score: 2

    "FBI Gripes "We Can't Read Everyone's Secrets" " Good, that's how it should be. "Will the industry relent and allow Government access to data from these devices?" Let's hope not.

  19. Ignorant framing of the question by oneeyedman · · Score: 2

    "This might increase pressure on Apple to loosen the backdoor restrictions. Will the industry relent and allow Government access to data from these devices?"

    I suppose this post may just be click-bait, but there is no "loosening" or "relenting." The question is whether companies sell end-to-end encryption to their customers -- Yes or No. End-to-end encryption is the only real security that the government can't invade. People may disagree about whether citizens in a democracy should have a private sphere that excludes the government, but those are the stakes -- Yes or No. There is no gray area.

    --
    *** "Freiheit ist immer die Freiheit des Andersdenkenden". -- Rosa Luxemburg ***