Judge Tells Apple To Help FBI Access San Bernardino Shooters' iPhone (engadget.com)

← Back to Stories (view on slashdot.org)

Judge Tells Apple To Help FBI Access San Bernardino Shooters' iPhone (engadget.com)

Posted by whipslash on Tuesday February 16, 2016 @01:24PM from the slippery-slope dept.

An anonymous reader writes: After a couple shot 14 people in San Bernardino, CA before being killed themselves on December 2nd, the authorities recovered a locked iPhone. Since then, the FBI has complained it is unable to break the device's encryption, in a case that it has implied supports its desire for tech companies to make sure it can always have a way in. Today the Associated Press reports that a US magistrate judge has directed Apple to help the FBI find a way in. According to NBC News, the model in question is an iPhone 5c, but Apple has said that at least as of iOS 8 it does not have a way to bypass the passcode on a locked phone.

610 comments

Min score:

Reason:

Sort:

I can see it now... by ZorinLynx · 2016-02-16 13:26 · Score: 5, Insightful

"Judge orders arsonist to unburn-down house"
Good luck with that.
1. Re:I can see it now... by 0100010001010011 · 2016-02-16 13:38 · Score: 0
  
  They didn't say what sort of help they needed to provide.
  I say set them up with a password for loop. Lack of computing power is the FBI's problem.
2. Re:I can see it now... by binarylarry · 2016-02-16 13:43 · Score: 4, Funny
  
  Its pretty trivial to use this technique with Visual Basic, once you've identified the iOS device's IP address, you're home free.
  
  --
  Mod me down, my New Earth Global Warmingist friends!
3. Re:I can see it now... by currently_awake · 2016-02-16 13:44 · Score: 1
  
  Taking apart the chips layer by layer has worked elsewhere. Sounds expensive, did the judge authorize Apple to get paid for this?
4. Re:I can see it now... by Anonymous Coward · 2016-02-16 13:44 · Score: 0
  
  That would seem like reasonable help.
5. Re:I can see it now... by R3d+M3rcury · 2016-02-16 13:46 · Score: 1
  
  ...and, as I understand it, the IP Address is 512.276.128.17.
6. Re:I can see it now... by lgw · 2016-02-16 13:56 · Score: 1
  
  I don't think it's that dire. One can almost always break in if you have physical control of the device. At worse you have to hook up JTAG and watch the instructions being executed, look for the pattern in the code where encryption is checked and force signals to be in the configuration you want.
  That only works if the key is stored on the device, and the text the user types is merely a password to authorize use of the key, which would be a damn silly implementation.
  OTOH, the phone probably has a short key, and brute force would likely work, though you may need to physically bypass the CPU (in inbuilt software) in order to bypass any limit on number of attempts.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
7. Re:I can see it now... by Anonymous Coward · 2016-02-16 13:59 · Score: 0
  
  "Judge orders arsonist to unburn-down house"
  Good luck with that.
  Not quite... This is like what I encountered in the computer industry - I was not hired to fix a persons computer, but rather hired to spend time attempting to fix a computer. Clients don't like this when it is explained to them, until they can comprehend the issues involved - i.e. more recovery=more time=more money.
  If apple throws up it's hands and simply says it cannot be done without sending people to attempt recovery, they are not following the courts order, as it has been "directed to help find a way in".
  This only requires you send someone there to help - it does NOT require them to be successful.
8. Re:I can see it now... by Anonymous Coward · 2016-02-16 14:03 · Score: 0
  
  Sounds like a good way to get funding for research into quantum computing!
  "Well let's see, breaking the encryption here is essentially impossible with current hardware, so we'll need to build ourselves a quantum computer. Seeing that you're funding this, we're gonna need a few billion for hardware plus ongoing funding for salaries of at least a dozen top-notch research scientists. We should be able to get back to you with the data in, oh I don't know, 20 years seems like a standard number for this sort of project."
9. Re:I can see it now... by Darinbob · 2016-02-16 14:07 · Score: 1
  
  How will the phone decrypt without the keys? If the phone could decrypt on its own then there's be no need to pull in special experts here you could just turn on the phone and read the data.
10. Re:I can see it now... by Anonymous Coward · 2016-02-16 14:08 · Score: 0
  
  I was actually considering it to be less help than that. Give them a memo containing the phrase "Brute force attack" should be all that is needed.
11. Re:I can see it now... by cheater512 · 2016-02-16 14:09 · Score: 1
  
  That will get you past the lock screen but it's not much help if the phone's data is actually encrypted.
  Only the correct passcode will help there.
12. Re:I can see it now... by Darinbob · 2016-02-16 14:11 · Score: 2, Funny
  
  Taking apart the chip gets you what? They've already got the encrypted data. If they key was on the phone and did not rely on any external key then they could just turn on the phone and it'd be done. So there's an external key that they don't have and will never get off of any chip.
  What the FBI is really saying is that they don't believe Apple. They're so used to spying that they probably find it inconceivable (yes it means what I think it means) that a big corporation would not also have a backdoor for spying.
13. Re:I can see it now... by ravenspear · 2016-02-16 14:13 · Score: 1
  
  Ah yes, I now have access. Very interesting. He was talking with Gr.........NO CARRIER
14. Re:I can see it now... by sims+2 · 2016-02-16 14:13 · Score: 1
  
  1. In my experience apps can run in the background and use wifi while the device is locked.
  2. That really shouldn't be that difficult for the company that manufactured the thing.
  
  --
  Minimum threshold fixed. Thanks!
15. Re:I can see it now... by Areyoukiddingme · 2016-02-16 14:13 · Score: 4, Interesting
  
  ...and, as I understand it, the IP Address is 512.276.128.17.
  I've noticed TV shows lately have started using the non-routeable class Cs, rather than completely invalid IP addresses. Which actually makes very good sense, since the 555 telephone exchange is the direct equivalent.
16. Re:I can see it now... by Anonymous Coward · 2016-02-16 14:20 · Score: 0
  
  It's not clear that Apple is the best company to do that. The whole thing feels really weird. Imagine if the FBI is looking for a body hidden in a skyscraper's foundation, and a judge orders the company that made the concrete to help. What are they supposed to do? A company specializing in ultrasound imaging would stand a better chance.
17. Re: I can see it now... by Anonymous Coward · 2016-02-16 14:24 · Score: 0
  
  Nope, it's a company that advertises their services ... Burying bodies in concrete. Apple made their bed when they advertised the iPhone as a way to defeat the police. Let them lie in it.
18. Re:I can see it now... by Anonymous Coward · 2016-02-16 14:27 · Score: 1
  
  2. That really shouldn't be that difficult for the company that manufactured the thing.
  Would you expect a safe manufacturer to be able to easily crack open a random safe they manufactured? If so, why? If not, why do you think encryption for a mobile device should be any different?
19. Re: I can see it now... by Anonymous Coward · 2016-02-16 14:30 · Score: 0
  
  I thought all lock manufacturers were required to provide skeleton keys to the feds... and to the really smart criminals
20. Re:I can see it now... by TsuruchiBrian · 2016-02-16 14:34 · Score: 1
  
  If cracking encryption was that easy, encryption would be nearly useless. That's not to say that this particular device will be hard to break into. It is very possible there is a weak password or screen pattern that will be easy to bypass, but if that's not the case, there is good reason to believe that the security mechanisms, if implemented properly by Apple, will be more than adequate at preventing anyone (including Apple) who doesn't know the password from getting in.
21. Re: I can see it now... by Anonymous Coward · 2016-02-16 14:35 · Score: 0
  
  Their reply, "we chose a bat, hopefully that was compatible... After we attacked the iPhone it seems to non-working plz help!!!!"
22. Re:I can see it now... by PPH · 2016-02-16 14:52 · Score: 3, Insightful
  
  Good luck with that.
  Failure might be what the judge wants. And in a very public forum. Can't crack the password? Oh noes! Tragedy! Something must be done. The terrorists have gotten away with it.
  For all we know, there is nothing on the phone other than a bunch of duck-face terrorist selfies. But this is very much in the public's eye. So now is the time for the dog and pony show.
  
  --
  Have gnu, will travel.
23. Re: I can see it now... by Anonymous Coward · 2016-02-16 14:55 · Score: 2, Insightful
  
  "and to the really smart criminals"
  You mean the FBI?
24. Re:I can see it now... by hawguy · 2016-02-16 14:57 · Score: 4, Informative
  
  2. That really shouldn't be that difficult for the company that manufactured the thing.
  Would you expect a safe manufacturer to be able to easily crack open a random safe they manufactured? If so, why? If not, why do you think encryption for a mobile device should be any different?
  The company that installed our safe said they could open it when we asked what would happen if we lost the combination. They said "No problem, we'll just bring in a cutting torch and grinder and a few hours later we'll have it open. You'll need to sign a waiver first absolving us of any damage to the room."
25. Re:I can see it now... by lgw · 2016-02-16 15:04 · Score: 1
  
  1. In my experience apps can run in the background and use wifi while the device is locked.
  Letting the thing actually run sounds dangerous to me, and certainly not a normal forensic technique. Heck, it could do something as simple as wipe all files when a certain date is reached. Best not to let it.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
26. Re:I can see it now... by mattventura · 2016-02-16 15:05 · Score: 4, Insightful
  
  Presumably, the decryption key is stored somewhere on the device, but it in turn is encrypted with the phone's passcode. The security system deletes the key if you enter too many incorrect passcodes, but if they were able to extract the encrypted key from the phone, they could brute force it easily since there's only 10^n codes for a numeric passcode.
27. Re:I can see it now... by TsuruchiBrian · 2016-02-16 15:14 · Score: 4, Insightful
  
  You can crack encryption the same way, except instead of taking a few hours with cutting torches, it takes hundreds of billions of years of computer computing clusters working well after the human race is extinct. Neither solution gives the inventor of the security mechanism much more of an advantage.
28. Re: I can see it now... by Anonymous Coward · 2016-02-16 15:18 · Score: 0
  
  Law enforcement trying to make a case for back doors in encryption standards. We know this unwise as once a back doors exists, information will get out but try to explain to law enforcement.
29. Re:I can see it now... by sims+2 · 2016-02-16 15:23 · Score: 1
  
  No but I would expect apple or samsung to be able to be able to be able to bypass the CPU.
  Safes? Crack as in open no crack as in cut the door off yes. I would absolutely expect them to cut a few of them open a year just to be sure their safes were still you know safe.
  
  --
  Minimum threshold fixed. Thanks!
30. Re:I can see it now... by 93+Escort+Wagon · 2016-02-16 15:24 · Score: 1
  
  I don't think it's that dire. One can almost always break in if you have physical control of the device.
  
  I'm pretty sure the FBI has physical control over this device...
  
  --
  #DeleteChrome
31. Re:I can see it now... by Rockoon · 2016-02-16 15:26 · Score: 1
  
  Apple should go ahead and build the fastest supercomputer in the world, and then bill the San Bernardino justice department, and then say "Still working on it" for the next 500 years.
  
  --
  "His name was James Damore."
32. Re:I can see it now... by silas_moeckel · 2016-02-16 15:36 · Score: 1
  
  And since it's not the 1990's anymore anything worth calling it encrypted is storing keys in specialized hardware, so it's not just a question of getting a debugger out and pawing through memory.
  
  --
  No sir I dont like it.
33. Re:I can see it now... by R3d+M3rcury · 2016-02-16 15:36 · Score: 1
  
  I still wish they'd use 127.0.0.1...
34. Re:I can see it now... by silas_moeckel · 2016-02-16 15:39 · Score: 0
  
  The crypto is pretty poor if brute force attacks work. Hardware key storage should wipe itself after so many failed attempts.
  
  --
  No sir I dont like it.
35. Re:I can see it now... by Anonymous Coward · 2016-02-16 15:48 · Score: 0
  
  Or they could just use any IPv6 address...
36. Re:I can see it now... by Anonymous Coward · 2016-02-16 15:54 · Score: 0
  
  Yes. "6. Apple shall advise the government of the reasonable cost of providing this service."
37. Re:I can see it now... by sims+2 · 2016-02-16 16:09 · Score: 1
  
  Ummm its an iPhone and unless its jailbroken it can't do that. And even if it was I've yet to see anyone come up with such a complex setup. You find any dead mans switch scripts for ios you let me know k? That would be a pretty cool find.
  Now if it was jailbroken I would try the following:
  Find a computer it was paired with and connect through afc2.
  Assuming the wifi isn't off.
  Find an ap it will auto connect to and see if it has open ssh installed if so if your lucky the password will still be alpine.
  Assuming it isn't in airplane mode.
  Now if you are the FBI you could use something like a stingray and get to open ssh from the cellular side. Afaik by default openssh doesn't have any real rate limit for login attempts on the iPhone so I figure the time should be reasonable. At least compared to having to break the encryption key.
  
  --
  Minimum threshold fixed. Thanks!
38. Re:I can see it now... by Anonymous Coward · 2016-02-16 16:10 · Score: 0
  
  Replicate the memory before doing that...
39. Re: I can see it now... by Anonymous Coward · 2016-02-16 16:13 · Score: 5, Funny
  
  They want to make it somewhat realistic ...
40. Re:I can see it now... by cold+fjord · 2016-02-16 16:14 · Score: 1
  
  Na, they could just fire up the Cray XMP supercomputer they bought. (Assuming they still have it.) It's not anywhere as impressive as it used to be, but it is an honest to goodness supercomputer.
  APPLE USES CRAY X-MP AND UNIX TO DESIGN YOUR NEXT MACINTOSH
  The funny thing is that the performance difference between that and a modern supercomputer in cracking AES probably doesn't really make a difference.
  
  --
  much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
41. Re:I can see it now... by zugmeister · 2016-02-16 16:18 · Score: 1
  
  Well, yeah, but that's not what they're doing. They're trying to brute force the unlock code, which without this software will wipe the phone after 10 failed unlock attempts. If the guy only has a 4 digit code, this will take considerably less than "hundreds of billions of years", or even (probably) the time it would take to get coffee.
42. Re:I can see it now... by basecastula+ · 2016-02-16 16:19 · Score: 4, Insightful
  
  What more does the FBI want? The suspects are dead. Stop spending money on diminishing returns.
43. Re:I can see it now... by Anonymous Coward · 2016-02-16 16:20 · Score: 1
  
  > What the FBI is really saying is that they don't believe Apple. They're so used to spying that they probably find it inconceivable (yes it means what I think it means) that a big corporation would not also have a backdoor for spying.
  Yeah, but shouldn't they have already spied on Apple to know whether or not they're telling the truth?
44. Re:I can see it now... by zugmeister · 2016-02-16 16:24 · Score: 3, Informative
  
  This is exactly what they want to do... The problem is the phone will wipe itself after 10 failed attempts, so the gov't wants Apple to write them software to bypass the wipe and continue the brute force attack. I'm the only person I've ever met who has more than a 4 digit code to unlock my phone, and I don't even have anything to hide!
45. Re:I can see it now... by zugmeister · 2016-02-16 16:27 · Score: 5, Informative
  
  Hardware key storage should wipe itself after so many failed attempts.
  /sigh, RTFA... This is exactly what happens after 10 bad entries. So the gov't wants Apple to write them software to let them bypass the wipe and continue brute forcing the unlock code.
46. Re: I can see it now... by Anonymous Coward · 2016-02-16 16:29 · Score: 0
  
  On a 5c, which doesn't have secure enclave, the pass phrase is XOR'd with a 256 bit machine generated random number.
  It's then run through PBKDF2 for around 100,000 iterations (on that hardware).
  That isn't a simple 4 digit passcode guessing session.
  Secure Enclave devices are much harder than this to attack
47. Re: I can see it now... by zugmeister · 2016-02-16 16:32 · Score: 1
  
  Apple made their bed when they advertised the iPhone as a way to defeat the police.
  I guess that's one way of looking at it. Myself, I saw it more as Apple saying "here's a big lock you can use to keep your private information private from everyone*". Judging by how the market has acted since, I'd say the people have given their approval.
  
  * No, you can't just let the good guys in, it doesn't work that way. Either there's a screen door on the submarine or there isn't.
48. Re: I can see it now... by mattventura · 2016-02-16 16:33 · Score: 1
  
  But it doesn't change the fact that there's still only 10,000 4-digit passcodes. They could even do a hacky solution like finding a way to disable the wipe after incorrect attempts and brute forcing from there. If they can pick apart the chips, I'm sure they can find a way.
  Of course, that's assuming Apple actually wants to help, which I would guess they probably don't (and they shouldn't IMO).
49. Re:I can see it now... by FlyHelicopters · 2016-02-16 16:37 · Score: 1
  
  Yes, because the FBI is so stupid they didn't think to try any of that...
50. Re:I can see it now... by sg_oneill · 2016-02-16 16:40 · Score: 1
  
  What more does the FBI want? The suspects are dead. Stop spending money on diminishing returns.
  Presumably they want info on who they where talking to. If the shooters had accomplices, the FBI wants to know who they are.
  
  --
  Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
51. Re:I can see it now... by Anonymous Coward · 2016-02-16 16:41 · Score: 0
  
  Until you find that you have to first "unlock" the phone, "before" you can update the software.
52. Re:I can see it now... by sims+2 · 2016-02-16 16:48 · Score: 1
  
  And we're back to the iPhone uses hardware encryption and the key is stored with some type of chip that only work in one direction that I can't think of the name of at this time.
  But anyway the point is while you can copy the encrypted data in its encrypted state you won't be able to decrypt it without the cooperation of that chip and if anything happens to hit the reset on that chip any backups you might have would be worthless.
  All iirc of course.
  
  --
  Minimum threshold fixed. Thanks!
53. Re: I can see it now... by armanox · 2016-02-16 16:52 · Score: 1
  
  And when did Apple advertise that?
  
  --
  I'm starting to think GNU is the problem with "GNU/Linux" these days.
54. Re:I can see it now... by ShaunC · 2016-02-16 16:55 · Score: 5, Insightful
  
  Presumably they want info on who they where talking to. If the shooters had accomplices, the FBI wants to know who they are.
  If only we had an agency who is (lawfully or otherwise) intercepting every electronic signal known to mankind, who could be consulted when national security concerns arise...
  
  --
  Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
55. Re:I can see it now... by sims+2 · 2016-02-16 16:56 · Score: 1
  
  Why would they need to if they can just get apple to do it?
  And get precedent set at the same time.
  Keep in mind they use mouse jigglers with computers so leaving the device on isn't unheard of.
  
  --
  Minimum threshold fixed. Thanks!
56. Re:I can see it now... by meerling · 2016-02-16 17:04 · Score: 4, Informative
  
  I've done tech support for certain security products, and your probably right on the money there. You'd be amazed how many people are absolutely positive that you have a 'secret' backdoor to get past your security program. You wouldn't believe some of the arguments I've been subjected too over that. People just believe hollywood too much over reason. Any security program that has a backdoor access is NOT SECURE ! If the users neglected to make their emergency unlock disk, or lost it, they were totally screwed. Time to nuke & pave.
  As it happens, I don't support or have an iphone, so I have no idea what apple does, but I find it very plausible that there is absolutely nothing they can do, especially if they got pissed at their treatment early and removed any method they previously had to unlock it, even if it was for the cops when they have a proper warrant for the information. In which case, don't forget your key or it's toast.
57. Re: I can see it now... by meerling · 2016-02-16 17:06 · Score: 1
  
  Correct.
58. Re:I can see it now... by meerling · 2016-02-16 17:08 · Score: 1
  
  Of course there are limits to what a judge can force anyone to do, especially when they are not the party being charged with a crime.
59. Re:I can see it now... by gweihir · 2016-02-16 17:09 · Score: 1
  
  No. This is not on the amateur-level you describe. True, much "security" is on the level you describe, but this is a secure microcontroller. Give it exactly what it expects or fail 10 times and it will nuke its key-storage using power from internal and well-protected capacitors.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
60. Re:I can see it now... by KGIII · 2016-02-16 17:10 · Score: 1
  
  Over the years, I've seen many people try to use an analogy that involves a physical object or action and something to do with computers. Often, the analogy is made with a car. Yet, very seldom has it been successful.
  You can physically crack a safe with tools and a little bit of time. This is not possible with good encryption. No, I can't think of a good analogy.
  
  --
  "So long and thanks for all the fish."
61. Re:I can see it now... by Archangel+Michael · 2016-02-16 17:12 · Score: 1
  
  The terrorists have gotten away with it.
  Gotten Away with what, exactly? They have already kill those that they can kill. They themselves are dead.
  Exactly what aspect of this does a Judge have any say into compelling a non-involved party into "helping" law enforcement? And why isn't someone asking the judge that very same question?
  Or is it "fuck the law, we're making it up as we go along because ... TERRORISTS HAVE ALREADY WON!
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
62. Re:I can see it now... by A+nonymous+Coward · 2016-02-16 17:14 · Score: 1
  
  The decryption key is stored nowhere on the phone. It is taken directly from the user tapping it in. This is not like a login password which is matched against user input; it literally is the raw decryption key.
  
  --
  Infuriate left and right
63. Re:I can see it now... by A+nonymous+Coward · 2016-02-16 17:17 · Score: 1
  
  Apparently that is the government's main request, that Apple somehow disable that auto-wipe feature so they can brute force it.
  These are not like PGP passphrases which are entire sentences; most people only use a couple of words.
  I thought of creating a passphrase in a different language, but (at least then) that input screen has to come so early in the boot process that no alternate keyboards were available.
  
  --
  Infuriate left and right
64. Re:I can see it now... by KGIII · 2016-02-16 17:22 · Score: 2
  
  Then, when 500 years passes, the FBI will return and ask what the answer is... The computer's monitor will flicker, turn on, and display a grainy image that shows but two number. 42.
  
  --
  "So long and thanks for all the fish."
65. Re:I can see it now... by Barlo_Mung_42 · 2016-02-16 17:26 · Score: 1
  
  Should just set up an old mac cube to brute force it so they can say they're working on it.
66. Re:I can see it now... by ArmoredDragon · 2016-02-16 17:28 · Score: 1
  
  I still don't see why they couldn't remove the NAND chips and dump their contents, then do an offline brute force attack. I figure that if this is a terrorism case, then NSA could throw their most powerful compute clusters at it.
67. Re:I can see it now... by AaronW · 2016-02-16 17:29 · Score: 5, Interesting
  
  It should be possible to bypass the erase operation with physical access to the device. Most NAND devices have a write protect pin which when pulled low will disable program and erase operations.
  It may also be possible to add a socket and duplicate the encrypted flash chip so that the original is never in the phone. This could be complicated if the flash device supports a unique ID and the encryption platform makes use of it. I could think of several ways to bypass even that though. One way is to use an FPGA to create a flash emulator that can simulate the NAND device. One other advantage of this is that it could guarantee that the data is never erased. The encryption hardware itself must also store the number of authentication attempts in some non-volatile storage. Usually this would be on another chip or die since it's still not very common to mix flash and logic on the same chip.
  Unless the encryption and erase functionality is built into the Toshiba NAND device Apple uses it should be possible to pop the NAND device and use an FPGA and/or other hardware for forensic purposes since the iPhone is not built to FIPS standards (which usually pot the boards in epoxy and provide a number of methods to prevent physical intrusion).
  Even the secure keys that are not known by Apple should be accessible with physical access to the device. It's expensive, but it should be possible to read the blown fuses by digging through the layers if the exact location is known on a chip.
  https://media.blackhat.com/bh-...
  
  --
  This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
68. Re:I can see it now... by sims+2 · 2016-02-16 17:41 · Score: 1
  
  Yep if encryption is done right the weakest link will always be the password. If you can break the crypto easier than the password someone fked up the crypto.
  But afaik the first line of defense on an iPhone isn't really encryption its just a lock screen like: http://linux.slashdot.org/stor...
  Behind that screen apps are still open and the fs is still mounted so yes I find it hard to believe that its secure.
  The hardware crypto just defends against offline attacks.
  
  --
  Minimum threshold fixed. Thanks!
69. Re:I can see it now... by Anonymous Coward · 2016-02-16 17:42 · Score: 0
  
  anything worth calling it encrypted is storing keys in specialized hardware, so it's not just a question of getting a debugger out and pawing through memory.
  Quite so. In fact, it wouldn't surprise me to learn that the security chip storing the actual keys has built in anti-tampering features to prevent precisely this kind of attack. These specialized chips are designed to store private keys and other cryptography tokens. If it were easy to break into their protected memories with physical access, they wouldn't be worth much for security.
70. Re:I can see it now... by dgatwood · 2016-02-16 17:52 · Score: 1
  
  It's not anywhere as impressive as it used to be ...
  You're inclined to understatement. If it is the 4-processor Cray X-MP, then it is approximately the same speed as the cell phone whose crypto key they're trying to crack....
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
71. Re:I can see it now... by FlyHelicopters · 2016-02-16 17:53 · Score: 1
  
  If Apple can decrypt it, then it isn't encrypted in the first place.
  Apple could very well say, "this isn't going to work, but if you want to pay us millions of dollars to accomplish nothing, we'll be happy to take your money".
  It is a chance for Apple to get the government to pay for their own security testing. They could well take this chance to really let loose their people at attacking their own systems.
  If they are not secure, fair enough, the FBI gets this one, but Apple learns how to make the next device more secure. If it is secure, then so be it, they are doing something right.
  A lock doesn't have to be perfect, it just has to prevent someone from gaining entry within a given amount of time. Most safes are this way. All can be broken, even the big walk in one down at the bank. But can it be broken into before the bank opens in the morning? That is the real question.
  Can the iPhone's encryption be broken? Probably. Can it be broken in a timeframe that matters to humans? Hopefully not, or the lock is worthless.
72. Re:I can see it now... by Dutch+Gun · 2016-02-16 18:18 · Score: 1
  
  What the FBI is really saying is that they don't believe Apple. They're so used to spying that they probably find it inconceivable (yes it means what I think it means) that a big corporation would not also have a backdoor for spying.
  Either that or they really want to punish Apple for not providing a back door. Think about Apple's position here. A judge orders them to "try" to break it, and if they don't put some reasonable resources into this, they're now in contempt of court. Every time a high profile case comes up, the same nonsense happens.
  True, Apple has billions, but this still has to be a bit of a PITA for them.
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
73. Re:I can see it now... by dgatwood · 2016-02-16 18:24 · Score: 1
  
  On the iPhone 5c (basically an iPhone 5 in a plastic case), they probably can. That's probably the last model that you could attack in that way, though.
  The FBI should be glad it isn't an iPhone 5s or later. If it were, the crypto keys wouldn't be in the external NAND flash, but rather in the secure enclave, which is a small bit of flash silicon that's inside the CPU itself, and it may not even be possible to expose the flash without destroying it.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
74. Re:I can see it now... by TechyImmigrant · 2016-02-16 18:28 · Score: 3, Informative
  
  > it should be possible to pop the NAND device
  This is not a reliable thing. You can desolder a BGA, but the odds of breaking the device in the process are pretty good. Maybe if you are the police you find the risk of destroying the potential evidence unacceptable, even if you cannot get at the evidence any other way because crypto and physical security done well works.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
75. Re:I can see it now... by TechyImmigrant · 2016-02-16 18:30 · Score: 1
  
  Mine is 6 digits. But I'm not a murderer and anything I do want to hide doesn't go near a cell phone.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
76. Re:I can see it now... by spongman · 2016-02-16 18:31 · Score: 1
  
  After 10 retries the keys in the SoC are wiped (not the flash). Without those the flash is just noise.
77. Re:I can see it now... by TechyImmigrant · 2016-02-16 18:32 · Score: 1
  
  Taking apart the chips layer by layer has worked elsewhere. Sounds expensive, did the judge authorize Apple to get paid for this?
  It's about a megabuck. But Apple don't do it. There are specialized companies who do this for the semiconductor industry.
  If you only have one sample, your odds of getting a positive result are not great.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
78. Re:I can see it now... by spongman · 2016-02-16 18:40 · Score: 1
  
  No, the decryption key is based off the passcode in combination with a secret stored in the SoC. You need both.
79. Re:I can see it now... by tlhIngan · 2016-02-16 18:49 · Score: 2, Insightful
  
  I still don't see why they couldn't remove the NAND chips and dump their contents, then do an offline brute force attack. I figure that if this is a terrorism case, then NSA could throw their most powerful compute clusters at it.
  Since the iPhone 4, the NAND memory has been encrypted. With a key unavailable to software.
  It's why a complete phone wipe on iPhone 3GS and prior took several hours, while only taking seconds on an iPhone 4 and up.
  So dumping the NAND does absolutely nothing - the key used to encrypt it is hidden inside the SoC itself an inaccessible to software. So you can't pop the NAND off one iPhone and put it in another iPhone.
  Android's started encrypting the flash as well, but it's still an optional feature.
  Heck, you can have main memory encryption as well - so the data in main memory can't be accessed as well. In this case, it's usually a per-startup key - so every bootup uses a completely different key.
  And the iPhone 5c is the last phone where the authentication is done in software. Since the A7 SoC upwards, the secure enclave is what authenticates the PIN code, and forces a wipe of memory if you fail to authenticate after 10 tries.
  The problem for Apple is not creating the special firmware - that's easy. The hard part is how to install it without disturbing the data. Right now, to install a software update, you have to have an unlocked phone. Even a DFU update wipes out the user data.
80. Re: I can see it now... by Plumpaquatsch · 2016-02-16 18:53 · Score: 1
  
  "and to the really smart criminals"
  You mean the FBI?
  He said something about "smart".
  
  --
  Of course news about a fake are Fake News.
81. Re:I can see it now... by Anonymous Coward · 2016-02-16 18:55 · Score: 0
  
  TV shows should use IPv6, since no one else does...
82. Re:I can see it now... by AaronW · 2016-02-16 19:04 · Score: 2
  
  It's actually fairly reliable today and is fairly common. I regularly work with boards with BGAs with over 1000 balls that are replaced.
  Also, look up what is possible with FIB. You can basically cut through traces and build new traces on the fly on a chip, going through multiple layers or even adding new layers on top of a chip. It's not even particularly expensive and it is done regularly in the semiconductor industry especially during chip prototyping. Hell, a recent chip I worked with had to be "Fibed" to fix a critical problem. It was cheaper to fib a number of chips than it was to make a change in the metal layer and wait for the results to come back so development could proceed. Now there are some techniques with antifuse that can make this difficult, but I'm sure ways around it if you spend the money.
  
  --
  This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
83. Re:I can see it now... by Anonymous Coward · 2016-02-16 19:05 · Score: 0
  
  We do. This entire court case appears to be a case of feigning helplessness for the sake of ... lulling the people on that phone in to false sense of security? IDK, but the ruse is absurd and a waste of court resources. The bottom line is they already have the information they are requesting.
84. Re:I can see it now... by AaronW · 2016-02-16 19:06 · Score: 1
  
  And that is why you use techniques like FIB. You can basically add your own probes anywhere on the chip, cut or create new traces, etc. Hence when you have physical access, and especially when you have access to the chip designed all bets are off. You can literally just modify the SOC to read the keys.
  
  --
  This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
85. Re:I can see it now... by nbritton · 2016-02-16 19:14 · Score: 1
  
  That's easy to solve, charge the government a few million dollars for your assistance. You need access, sure no problem, we'll build you a server farm to crack the encryption key using brute force... It will cost you 600 million dollars.
86. Re:I can see it now... by A+nonymous+Coward · 2016-02-16 19:30 · Score: 1
  
  Thanks, didn't know that. I don't know enough about encryption to know what that gains, but it's interesting.
  
  --
  Infuriate left and right
87. Re: I can see it now... by Anonymous Coward · 2016-02-16 19:38 · Score: 0
  
  So I'm curious then.
  If you forget your pin/pwd, you can simply plug into a trusted computer and force a reset.
  How does this work?
88. Re: I can see it now... by Anonymous Coward · 2016-02-16 19:49 · Score: 1, Funny
  
  The ping is coming from. . .
  INSIDE THE HOUSE!
89. Re: I can see it now... by Anonymous Coward · 2016-02-16 19:50 · Score: 0
  
  But if you did that and NOR switch is flipped you might corrupt the data.
90. Re:I can see it now... by infolation · 2016-02-16 19:52 · Score: 1
  
  The Judge has not actually told Apple to de-crypt the phone, rather to develop software to prevent the phone from introducing any additional delay between passcode attempts, and to turn off any “auto-erase” functions on the phone, if enabled.
  
  Normally iPhones slow down anyone trying to “brute force” their way into a phone by guessing passcode after passcode.
  
  The arsonist/firefighting analogy for that would be quite convoluted.
91. Re:I can see it now... by TechyImmigrant · 2016-02-16 20:02 · Score: 4, Interesting
  
  You are describing some aspects of my day job. I know the statistics of these operations.
  Replacing a BGA is one thing. Pulling a BGA, depackaging it and FIBing it is likely to fail. This isn't a problem if you can just do 10 and pick the ones that work. But if it's a single chip from a single phone, the odds are not good.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
92. Re: I can see it now... by phayes · 2016-02-16 20:10 · Score: 1
  
  Why are you assuming that the phone isn't encrypted with a passphrase as apple recommends: https://support.apple.com/en-u...
  It's the first link when searching for "touch id fingerprint sensor" so it's not hard to find.
  Of course that would be assuming that you actually want to know what you're talking about and not just make snarky comments.
  
  --
  Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
93. Re: I can see it now... by Anonymous Coward · 2016-02-16 20:10 · Score: 0
  
  I'd be a fan of them if they did.
94. Re:I can see it now... by cfalcon · 2016-02-16 20:10 · Score: 1
  
  Isn't this the exact attack that physical anti-tamper is meant to defeat?
95. Re: I can see it now... by Anonymous Coward · 2016-02-16 20:11 · Score: 0
  
  "and to the really smart criminals"
  You mean the FBI?
  No, dummy, he said smart
96. Re:I can see it now... by Alumoi · 2016-02-16 20:13 · Score: 1
  
  And the answer will be ... 42!
97. Re:I can see it now... by cfalcon · 2016-02-16 20:14 · Score: 1
  
  The other post explained the error, but the reason for this is because the entropy in the key would be very low or guessable, so the break-in procedure would be (1) image the phone (2) try every PIN. You'd be in in less than a second. The key is a 128 bit AES key (some posts claim 256, so maybe that's correct, but I thought it was 128), and that's the piece that is guarded by the PIN. All the shenanigans about auto-wiping and machine enforced attempt limits are to allow the use of such a low entropy password like a PIN in the first place, by being able to wipe the master key if the user can't input the correct code in ten tries.
98. Re: I can see it now... by Rosyna · 2016-02-16 20:24 · Score: 1
  
  Using multiple static data sources when generating an encryption key protects against extremely weak passcodes.
99. Re:I can see it now... by Plumpaquatsch · 2016-02-16 20:26 · Score: 1
  
  What more does the FBI want? The suspects are dead. Stop spending money on diminishing returns.
  Presumably they want info on who they where talking to. If the shooters had accomplices, the FBI wants to know who they are.
  The obvious solution would have been to not kill the suspects.
  
  --
  Of course news about a fake are Fake News.
100. Re:I can see it now... by multi+io · 2016-02-16 20:35 · Score: 1
  
  And since it's not the 1990's anymore anything worth calling it encrypted is storing keys in specialized hardware, so it's not just a question of getting a debugger out and pawing through memory.
  Well, in block device / disk encryption on PCs, they keys are stored on the regular device, but they're stored encrypted with another key, namely the passphrase, which is only stored in the user's brain (hopefully). So unless the device is already running and somebody has already entered the correct passphrase, you can paw through anything you want (except the user's brain) and it won't help.
101. Re:I can see it now... by Alumoi · 2016-02-16 20:37 · Score: 3, Funny
  
  There's No Such Agency in the US, you know :P
102. Re:I can see it now... by wvmarle · 2016-02-16 20:59 · Score: 1
  
  As they have the hardware on hand, I'm quite sure there will be a way to take the memory chip out, maybe even go as far as disassembling it, copy the contents, and then you have as many times ten attempts as you need.
  Sure it ain't easy, but that wasn't the question either. They just want access, and are obviously quite desperate to get it.
103. Re:I can see it now... by stealth_finger · 2016-02-16 21:07 · Score: 2
  
  Over the years, I've seen many people try to use an analogy that involves a physical object or action and something to do with computers. Often, the analogy is made with a car. Yet, very seldom has it been successful.
  You can physically crack a safe with tools and a little bit of time. This is not possible with good encryption. No, I can't think of a good analogy.
  It's like a car with like a billion ignitions and you need to, you know, get all the keys, but they're like a metre long and have to go in the right order or something....and are made of unobtainium.
  
  Nope.
  
  --
  Wanna buy a shirt?
  https://www.redbubble.com/people/stealthfinger/shop?asc=u
104. Re: I can see it now... by bjwest · 2016-02-16 21:08 · Score: 1
  
  It would be realistic, to 90% of the people watching.
  
  --
  
  --- Keep the choice with the user..
105. Re:I can see it now... by Anonymous Coward · 2016-02-16 21:21 · Score: 0
  
  FBI wants to brute force the phone. The phone is set to erase all content after 10 attempts. They have asked Apple to modify the phone to allow unlimited attempts and give them a method to automate trying lots of codes at high speed. It's a 4 digit PIN code so easily brute forceable in =10000 attempts if Apple did that so computing power is not the issue.
106. Re:I can see it now... by TechyImmigrant · 2016-02-16 21:34 · Score: 4, Insightful
  
  Isn't this the exact attack that physical anti-tamper is meant to defeat?
  It is one attack model that an anti tamper system might be designed to resist. However it is also an attack model that some systems choose not to defend against in a simple cost/benefit analysis. If the secret on the chip has a commercial cost less that the cost of the attack, then why defend against it? The gear to mount a FIBing attack is millions of dollars. Paying a reverse engineering company is less, but > $10E6. This is related to whether or not your system has BORE properties (Break One, Reuse Everwhere).
  This does not apply here. The perception of the worth of product like a smartphone can be very tied up with perceptions of how secure it is, and being required to pull the rabbit out of the hat by a court and then you actually unlock a phone you claimed you can't unlock, then that might well destroy those perceptions of security and cost a lot in lost sales. So designing it so you can't yourself defeat the security you put in is the only sane option.
  The court order presumes that the auto erase functionality can be bypassed with software to be provided by Apple. This is likely be unbypassable either because the key management system is enforcing the retry limit in hardware or protected firmware, away from the main application code, or the software that does it simply doesn't have a back door.
  The company I work for is in the same position. We can't and won't put in back doors because being found to have lied about the security of the devices would be an existential threat to the company. That doesn't stop people who don't know lying on the internet, claiming we put in back doors, but it's not a rational thing to do.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
107. Re:I can see it now... by TechyImmigrant · 2016-02-16 21:36 · Score: 1
  
  And that is why you use techniques like FIB. You can basically add your own probes anywhere on the chip, cut or create new traces, etc. Hence when you have physical access, and especially when you have access to the chip designed all bets are off. You can literally just modify the SOC to read the keys.
  Good luck with that. Circuits can be and are designed to make FIB attacks hard. Key management hardware is #1 on the list of circuit types that would try to make FIB attacks hard.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
108. Re:I can see it now... by TechyImmigrant · 2016-02-16 21:40 · Score: 1
  
  Thanks, didn't know that. I don't know enough about encryption to know what that gains, but it's interesting.
  Something you know. Something you have. Your password. Your Phone. It raises the bar. You need the device as well as the password. You can't just pull the data from the chip and decrypt it with a key derived from the password. It's a normal crypto principle.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
109. Re:I can see it now... by Anonymous Coward · 2016-02-16 21:48 · Score: 0
  
  Common... Iphone take a few minute at crack most of the time... If they offered me a few billion dollars I would crack it for them... Bellow that, my soul is worth more...
110. Re:I can see it now... by Stuarticus · 2016-02-16 22:17 · Score: 1
  
  Bring them in alive? You think I'm John Ruth?
  
  --
  If you think someone isn't free to have a different definition of "freedom" you may be a tyrant.
111. Re:I can see it now... by Stuarticus · 2016-02-16 22:20 · Score: 1
  
  I believe all TV IP addresses have to start "555-..."
  
  --
  If you think someone isn't free to have a different definition of "freedom" you may be a tyrant.
112. Re:I can see it now... by houghi · 2016-02-16 22:38 · Score: 1
  
  I can imagine that the waiver would also talk abut the content. Although they will try to be carefull, it could still mean that the post-it note with the password you need gets destroyed.
  
  --
  Don't fight for your country, if your country does not fight for you.
113. Re:I can see it now... by Anonymous Coward · 2016-02-16 22:40 · Score: 0
  
  If only we had an agency who is (lawfully or otherwise) intercepting every electronic signal known to mankind, who could be consulted when national security concerns arise...
  Sorry, no can do. The shooters were white, meaning the incident was downgraded from 'National Security alert' to 'Domestic Dispute'. No NSA involvement sorry.
  Captcha: Equally
114. Re: I can see it now... by Hognoxious · 2016-02-16 23:35 · Score: 1
  
  So these people use a device with military grade encryption to post their personal details all over the tumbltubes and the twitbooks?
  
  --
  Confucius say, "Find worm in apple - bad. Find half a worm - worse."
115. Re:I can see it now... by RabidReindeer · 2016-02-16 23:38 · Score: 1
  
  Great minds think alike! My passphrase is "Allahu Akbar"!
116. Re: I can see it now... by Anonymous Coward · 2016-02-17 00:12 · Score: 0
  
  Nope, it's a company that advertises their services ... Burying bodies in concrete. Apple made their bed when they advertised the iPhone as a way to defeat the police. Let them lie in it.
  Do you dream about licking Obama's genitals every night when you lay your head on a pillow shaped like his anus?
117. Re:I can see it now... by squiggleslash · 2016-02-17 00:21 · Score: 1
  
  They don't need to go that far. They just need to update the iPhone's operating system with an insecure version. The iPhone will update itself with whatever software Apple tells it to.
  Tim Cook has made it clear that this is both technically possible and something Apple absolutely refuses to do. I have to say I think they're making a praiseworthy stand.
  
  --
  You are not alone. This is not normal. None of this is normal.
118. Re:I can see it now... by Big+Hairy+Ian · 2016-02-17 00:22 · Score: 1
  
  Go down a typical high street you'll find several shops that will do it for $10 and they'll remove the lock-in to a specific network to boot!
  
  --
  Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
119. Re:I can see it now... by AmiMoJo · 2016-02-17 00:30 · Score: 1
  
  The FBI wants three quite feasible things:
  1) Disable auto-erase when 10 incorrect PINs are entered
  2) Disable any rate-limiting on PIN entry attempts
  3) Allow PINs to be entered via USB/wifi/Bluetooth
  In other words, they want Apple to remove the barriers to doing a brute force attack on a 4 digit PIN. If the software is modified to allow that, it is likely that they can break in to the phone.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
120. Re:I can see it now... by SadButResolved · 2016-02-17 00:39 · Score: 1
  
  Just 3d print his fingerprint on some tape and open the phone. People never think of the physical attacks, this method is way easier than pin codes. Chances are they can get all of this from his cloud storage anyway and open it right up. Grep any messages he has sent that had odd words out of place, bet he typed it in a few times and its in the logs/history.
121. Re:I can see it now... by AmiMoJo · 2016-02-17 00:43 · Score: 1
  
  The NAND isn't the problem. The encryption key is stored in a secure part of the CPU. These secure areas are pretty common these days in ARM chips and dedicated secure memories. They have physical protection to stop you de-capping the chip and reading or modifying it. They are pretty much impregnable too, at least to people with the resources of the FBI.
  The secure part of the CPU will have its own firmware and sub-processor, which is likely burned into ROM and can't be changed (for security reasons). It will only unlock when presented with the right key, and will auto-erase after 10 incorrect attempts. Attempting to open it and block writes to the internal memory will cause it to erase itself, even when powered off.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
122. Re:I can see it now... by mlts · 2016-02-17 00:44 · Score: 1
  
  Bad analogy. A safe maker will offer locksmiths drill templates and instructions on how to pull relockers back, should they go off. This isn't a quick thing, as the locksmith will have to drill holes through very tough steel and cement, but this is a common thing, as it is a lot faster to drill a few holes, than it is to guess where the relocking devices are.
  There is no analogy to "lets just take power tools and cut the safe into pieces" with encryption.
  Does this mean Apple has responsibility to let anyone with a badge in at any time? It is far more often for corrupt LEOs in a third world nation to abuse their powers and demand all phones be decrypted at a whim than an encrypted device actually have decryption codes for a bong counting down, as in the movies.
  Yes, a master key system can be put in place where Apple devices in Elbonia have a master key for their government, and not Latveria... but what happens if the Elbonian key storage mechanism gets hacked or compromised? Backdoors always get blown open, and it usually isn't a good guy who does this.
123. Re:I can see it now... by Anonymous Coward · 2016-02-17 00:44 · Score: 0
  
  Do you know who did have something to hide? Anne Frank
124. Re:I can see it now... by Big+Hairy+Ian · 2016-02-17 01:03 · Score: 1
  
  It's a good thing he didn't secure it with the finger print scanner as there's no way the FBI could have broken that after they wrenched it out of his cold dead hands!
  
  --
  Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
125. Re:I can see it now... by v1 · 2016-02-17 01:10 · Score: 4, Informative
  
  They don't need to go that far. They just need to update the iPhone's operating system with an insecure version. The iPhone will update itself with whatever software Apple tells it to.
  I support the full line of Apple prodcuts at work so I have a slightly better understanding of how this process works.
  Unlike firmware updates on many devices, and older Apple iOS devies, the new ones require the firmware to be "signed", each time it is installed. This means the device will roll up its own salt, and will send a request to Apple's Firmware Signing Server. This server uses the salt and the checksum on the fimware to generate a verifiable cryptographic signature, using public key tech. iTunes sends this signature back to the phone during the restore. If it's invalid, the phone's hardware will refuse to install it. (iTunes normally will prevent it sooner, but this is assuming you have hacked iTunes, no easy task)
  Around 1-2 weeks after Apple releases a new iOS, they stop signing the old one. This prevents you from downgrading your phone's firmware. It doesn't matter if you've already downloaded and kept a copy of it. Apple won't sign it with the new salt the phone is going to generate during the installation process. So users cannot hack the firmware OR install an older version to take advantage of a patched bug.
  BUT... Apple has the secret part of the key for signing. They can roll their own custom firmware, sign it, and using a well-known public process, select the firmware and upload it. Their key servers will sign it, and the device will accept it. If Apple really wanted to fullly cooperate, it would be trivial to do. The new "security enclave" prevents them from simply ignoring the pin or displaying it on the screen, but it's possible that one or more of their requests could be accomodated. It really depends on how the SE is designed. If it's designed well, and I think we can assume it is, (they're not morons, and they have a functionally unlimited budget for such a minor thing) we should assume the SE does rate limiting in hardware. (usually via MANY hashes to dig down to the key) which is not bypassable unless you can rip the data from the hardware and feet it into a supercomputer. The USB/BT code entry is probably doable since its outside the scope of the SE. The master key should be stored inside the SE so software can't get around that.
  End game: to give them what they want will require physical hacking of the SE, to recover the encrypted key and the internal salt the SE has generated for it, and feeding that data into an emulator for the SE (or a physically redesigned/hacked SE) that can work the passcode. The hardware on the phone itself right now CANNOT be used to recover the passcode. The FBI doesn't want to break the chip trying to recover the data. They have the techniques but (A) there's a good chance they break it and they get just one try, and (B) this will go a lot faster with Apple cooperating on bypassing the SE. (they can probably still DO it, they may even have the process already developed, but it will probably be faster with Apple's cooperation)
  That leads us to another point... what if they already can access the data, or have accessed the data, and this is just a show? It's been said that the best form of deception is making your opponent believe you have fallen for his deception. Right now the terrorists are keeping a close eye on this case, trying to decide whether it's a "good idea" to use the iphone. If Apple gives them the finger, (and I hope they do) and the FBI shrugs and goes away moping, and suddenly has a breakthrough a few months from now from a "classified source", well, guess what. And that, sir, is where all my chips are placed.
  Remember, this is one case. You have to think BIG. You have to think long term. This is neither of those things. The FBI either already has this data, or will have it before th
  
  --
  I work for the Department of Redundancy Department.
126. Re:I can see it now... by Anonymous Coward · 2016-02-17 01:11 · Score: 0
  
  "Judge orders arsonist to unburn-down house"
  Good luck with that.
  "Hey Moose, Rocco - help the judge find his checkbook."
127. Re: I can see it now... by Anonymous Coward · 2016-02-17 01:33 · Score: 0
  
  Nope, it's a company that advertises their services ... Burying bodies in concrete. Apple made their bed when they advertised the iPhone as a way to defeat hackers. Let them lie in it.
  FTFY.
128. Re:I can see it now... by Anonymous Coward · 2016-02-17 01:36 · Score: 0
  
  class C
  Stoppit
129. Re:I can see it now... by Impy+the+Impiuos+Imp · 2016-02-17 01:40 · Score: 1
  
  Presumably they want info on who they where talking to. If the shooters had accomplices, the FBI wants to know who they are.
  If only we had an agency who is (lawfully or otherwise) intercepting every electronic signal known to mankind, who could be consulted when national security concerns arise...
  They can get phone records of who they called. With an honest, actual warrant at that.
  
  --
  (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
130. Re:I can see it now... by necro81 · 2016-02-17 01:42 · Score: 1
  
  And when they finally do decrypt it, all they'll find is a grocery list. [ref]
131. Re:I can see it now... by FictionPimp · 2016-02-17 01:42 · Score: 1
  
  On googles new Nexus 5X and 6P encryption is no longer optional.
132. Re:I can see it now... by Plumpaquatsch · 2016-02-17 01:44 · Score: 1
  
  FBI wants to brute force the phone. The phone is set to erase all content after 10 attempts. They have asked Apple to modify the phone to allow unlimited attempts and give them a method to automate trying lots of codes at high speed. It's a 4 digit PIN code so easily brute forceable in =10000 attempts if Apple did that so computing power is not the issue.
  Well, yes and no. "The passcode is entangled with the device’s UID, so brute-force attempts must be performed on the device under attack. A large iteration count is used to make each attempt slower. The iteration count is calibrated so that one attempt takes approximately 80 milliseconds. This means it would take more than 5½ years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers"
  
  --
  Of course news about a fake are Fake News.
133. Re:I can see it now... by N1AK · 2016-02-17 02:00 · Score: 1
  
  And why do you think any of those things are feasible? The device is encrypted, you can't just load the new software over the old software in memory and you can't get to the update options without getting past the PIN entry screen. If Apple has designed this well then it should be extremely infeasible to do any of the three things you suggest (I'd expect some equivalent of the last to be possible however).
134. Re:I can see it now... by AmiMoJo · 2016-02-17 02:09 · Score: 1
  
  I doubt that any of it is possible, but it does show that the FBI is at least trying to find a way in. Presumably they might hope to force Apple to change its software so that in future there is a backdoor for the FBI to use, even if in this case it fails.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
135. Re: I can see it now... by Kkloe · 2016-02-17 02:09 · Score: 1
  
  Military grade encryption is something of the past when computer power was expensive, now a usb varmed coffe cup could have beter encryption that used in the military, nowadays the communication protocol is as important as the encryption
136. Re: I can see it now... by Maritz · 2016-02-17 02:11 · Score: 1
  
  They could make the IP address all Qs and it would be realistic to the vast majority of people watching.
  
  --
  I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
137. Re:I can see it now... by silas_moeckel · 2016-02-17 02:58 · Score: 1
  
  If the hardware is designed correctly that should not be possible.
  
  --
  No sir I dont like it.
138. Re:I can see it now... by kelarius · 2016-02-17 03:00 · Score: 1
  
  Wiredhas a much better article about what's going on with this order, they say that 1. the order leaves open the possibility that what the court is asking isn't possible, and 2. that the FBI isn't specifically asking Apple to unlock the phone but wants Apple to disable the feature that wipes the phone after 10 bad password attempts (they want to brute-force it).
  
  --
  Personally I'd rather have my idiots at home glued to the TV than out doing idiotic things
139. Re:I can see it now... by silas_moeckel · 2016-02-17 03:03 · Score: 1
  
  Any reasonably designed hardware should be resistant of those sort of attacks.
  
  --
  No sir I dont like it.
140. Re:I can see it now... by TheCarp · 2016-02-17 03:08 · Score: 1
  
  > "Judge orders arsonist to unburn-down house"
  But that is a terrible analogy because Apple can clearly help the FBI here. All they need to do is download the latest list of last years most common passwords, email it to them, and say "good luck".
  There...they helped. Works for me.
  
  --
  "I opened my eyes, and everything went dark again"
141. Re:I can see it now... by ceoyoyo · 2016-02-17 03:58 · Score: 1
  
  That's only a mean time of 2.25 years. And, as the GP said, virtually everyone uses a four digit number anyway. If it was possible to bypass the ten-tries-then-wipe protection the cops could pay somebody to sit there and enter the combinations by hand and still get it done in a reasonable amount of time.
142. Re:I can see it now... by PPH · 2016-02-17 04:28 · Score: 1
  
  info on who they where talking to.
  Metadata. Call records. AT&T or Verizon has it. Serve the warrant. Leave Apple alone.
  
  --
  Have gnu, will travel.
143. Re: I can see it now... by sh00z · 2016-02-17 04:37 · Score: 1
  
  On every iPod Touch and iPhone I've ever had, if it's set to require a PIN, you still have to enter the PIN when you plug into a trusted computer. (What confuses me is why, because you can only sync with one instance of iTunes, that more than one computer can be classified as trusted).
144. Re:I can see it now... by WorBlux · 2016-02-17 04:40 · Score: 1
  
  Sure, it's 127.0.0.1. Happy Hacking!
145. Re:I can see it now... by IronOxen · 2016-02-17 04:54 · Score: 1
  
  There is no way the US government doesn't have the most specialized computing power dedicated to cracking encryption that exists anywhere. If Apple has a chance of getting into that phone then they have left themselves a backdoor already at least in theory which means right now that Apple may actually not have the best change of developing an exploit for it. Others have been working on it for as long as they have had access to the latest IOS. The order is instructing Apple to use the firmware upgrade or recovery mode to load and run a specialized operating system in RAM to somehow tell the installed IOS to allow access to the stored data. If it is that easy, then the encryption was not implemented correctly. Missing the pass code should make it absolutely impossible to derive the needed decryption key.
146. Re:I can see it now... by Anonymous Coward · 2016-02-17 04:59 · Score: 0
  
  Posting as an AC for tinfoil hat reasons.
  What's bothering me is that the couple apparently destroyed beyond recovery every single digital device they own, and the phone was supplied by his employer. Maybe it's me, but I doubt they would have any incriminating contacts on a work phone if they had the foresight to take these precautions. And the FBI is apparently interested in about 15 minutes of their timeline before the event.
  So effectively, they are demanding to create a backdoor to read a phone that does not have the information they know is not there.
  Or they are looking to use a real terrorist incident to establish a precedent that can be used for any future terrorist action, the word 'terrorist' will be defined at a later date.
  Tim Cook, you are my hero.
147. Re:I can see it now... by WorBlux · 2016-02-17 05:00 · Score: 1
  
  Trust-zone provides strong guarantees of memory isolation. If you want to spy on the memory you could probe at the hardware level, but that increases the cost of the attack dramatically.
148. Re:I can see it now... by Anonymous Coward · 2016-02-17 05:13 · Score: 0
  
  San Bernardino Shooting Story Shot Full of Holes, Was this a False Flag Event?
149. Re:I can see it now... by david_thornley · 2016-02-17 05:20 · Score: 1
  
  You seem to be describing things you'd do to normal hardware. Apple goes to some pains to make these things not work, even if they don't go for FIPS certification. I don't know enough about the technical details to be of any use, but you've got the wrong mindset here if you're using phrases like "it's still not very common to....". You're not dealing with a system that was just not designed for forensic access. You're dealing with a system that was designed not to allow it.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
150. Re:I can see it now... by david_thornley · 2016-02-17 05:25 · Score: 1
  
  The typical iPhone security is four digits, which is ten thousand possibilities. This would be trivial to brute-force if Apple hadn't made brute-forcing difficult to impossible. Since the iPhone allows ten attempts before wiping the phone, if the PIN is random there's one chance in a thousand it can be forced that way. In practice, people don't use random PINs, but that doesn't make it at all likely to find the PIN in ten tries anyway.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
151. Re: I can see it now... by david_thornley · 2016-02-17 05:33 · Score: 1
  
  iPhone security relies on blocking brute-force attacks, because if Apple couldn't stop it a brute-force attack would take almost no time. The chips are meant to not be picked apart, although I don't understand the specifics. The wipe is designed so it can't be disabled and still keep the phone usable.
  Apple specifically wanted to make measures like yours impossible or impractical. I don't know enough about the field or what they did to make intelligent comments on how well they did, but by government reactions I'd say that Apple succeeded.
  I assume Apple doesn't want to help, and commend them for that. However, "want" doesn't come into effect given a court order, so Apple set things up as best they could so they'd lack the capability.
  It sounds to me like records retention. If your business has a policy that emails will be deleted after 180 days, and enforces it, then it's perfectly fine legally if a court orders disclosure of an email of 181 years ago and the business does not comply.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
152. Re:I can see it now... by david_thornley · 2016-02-17 05:37 · Score: 1
  
  Brute force is going to cost far more than that. It's not possible to enumerate possible 128-bit keys with only the resources currently in the Solar System, given that there is a minimum energy cost for a bit flip imposed by quantum mechanics stuff I don't really understand. A sufficiently powerful quantum computer (and I've heard reasons why it's unlikely we'll ever have one) could halve the effective key size, which would make a 128-bit key crackable, given a sufficiently numerous collection of sufficiently powerful quantum computers.
  I thought Apple used AES-256, in which case the quantum computers are also useless. Other people think Apple uses AES-128, which is not proof against quantum computers. Last time this came up, I poked around a bit and didn't come up with an answer.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
153. Re:I can see it now... by david_thornley · 2016-02-17 05:43 · Score: 1
  
  That's why smart US intelligence agencies subcontract such data collection to the Brits.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
154. Re: I can see it now... by david_thornley · 2016-02-17 05:46 · Score: 1
  
  Any IP address with components that didn't exceed three digits would look realistic to almost all the people watching. Heck, if they did a "153.64.283.52" I wouldn't notice that it was invalid at first.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
155. Re:I can see it now... by WorBlux · 2016-02-17 05:57 · Score: 1
  
  Yes Apple could do that, but whey the fuck should the have to? As is obvious from your posts there are other people with the expertise and experience to do it cheaper and faster than apple could. Apple may be forced to provide assistance by revealing where on a specific model of chip the unique device keys are stored, and protocol of how the file-system keys are generated from the unique device key and the pin/password. However there is nothing that requires Apple to develop the tools and expertise needed to break thier own security protocols.
156. Re:I can see it now... by david_thornley · 2016-02-17 05:58 · Score: 1
  
  It's a lock screen with increasing-length lockouts for entering the wrong PIN, and which wipes the phone irretrievably after 0.1% of the possible PINs have been entered. The hardware that enforces that is hardened against examination. It looks like an X lock screen on the outside, but doesn't work like one. The data itself is proof against brute-force attacks, in the sense that it would take far more than the total resources of the Solar System to brute-force (if Apple used AES-128 instead of AES-256, a sufficiently powerful array of sufficiently powerful quantum processors might be able to brute-force it, and we don't actually know we can't make such an array).
  Sure, the iPhone is still operating with the lock screen on, but it by design can't be accessed except through the PIN. The file system can be effectively destroyed by erasing one key, so as long as it's part of the secure authentication mechanism it can't be bypassed.
  The hardware crypto is designed to deal with online attacks, since they're a lot more feasible. There's nothing that prevents the FBI from copying the actual data and doing offline attacks, except that it won't work.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
157. Re:I can see it now... by hattig · 2016-02-17 06:04 · Score: 1
  
  I think there is a presumption that the Apple A6 does not do all of this in hardware, so there is some software support, even in later versions of iOS, that could be modified for this court order to work.
  Obviously a sane implementation would put it all in hardware, with a hardware enforced (and non-changable) slow decrypt rate (brute force cannot occur) to boot. The A7 and beyond are suggested to do it all in hardware, and it's the apple A7+ that handles storage encryption and keys, not the flash, because of credential management.
  I don't know if it is custom Apple, or ARM trustzone, or similar, but access to the hardware key is restricted by the passcode (or fingerprint in later devices) credential, and if the comparison of credential is done in the hardware too, with the hardware key destruction (or regeneration) hardwired too, then things become a PITA to work around. Literally, your hardware provides a single function: void unlock(credential) (side effect: key destruction) (side effect: provide the encryption key to the hardware storage decryptor).
  But wait, you say, there's still an API to update the credential, surely. I'm sure that's hardware compare and update though, so you still need to have the previous credential.
  But wait, maybe all this is done by embedded firmware exposing that function? Nope. Hardware. A resettable counter (10 attempts), a comparator, secure key storage (space for several keys, only one active at a time), some I/O to activate it.
  As others have said, the court order may be ordering Apple to unburn a burned down house, and also create a unicorn farm to boot.
  In fact, unless the A6 is less secure than the above, I think the FBIs best chance is to either decap the SoC, and find a way to stop the counter, counting (allowing unlimited unlock attempts) with precision laser surgery, or give up.
158. Re:I can see it now... by WorBlux · 2016-02-17 06:07 · Score: 1
  
  Actually using sentences decreases the search space by quite a bit. Mining Lyric and quote sites is sufficient to break most sentence passwords in a reasonable brute-force time. Pronouncible passwords, diceware are better ways to into your lingual memory.
159. Re:I can see it now... by Feyshtey · 2016-02-17 06:11 · Score: 1
  
  Ironically, these are both required security functions that must be present on government issued mobile devices, depending on the nature of the device use.
  
  --
  "But we have to pass the bill so that you can find out what is in it,..." - Nancy Pelosi
160. Re:I can see it now... by WorBlux · 2016-02-17 06:12 · Score: 1
  
  Fingerprint ID tokens expire and are expunged after a certain about of time has passed. Additionally fingerprintID can be disabled on iPhones that have it.
161. Re:I can see it now... by A+nonymous+Coward · 2016-02-17 06:14 · Score: 1
  
  I don't know about iPhones, but Android full-encryption requires using a password, not four digit pin.
  
  --
  Infuriate left and right
162. Re:I can see it now... by Aaden42 · 2016-02-17 06:14 · Score: 1
  
  The existing phone won't take a software update without the passcode OR wiping the existing encryption keys to go back to factory fresh. My understanding of Apple's crypto platform is that it's intentionally not possible to install a subverted version of the OS without destroying the keys stored in the current device.
163. Re:I can see it now... by lgw · 2016-02-17 06:14 · Score: 1
  
  If Apple can decrypt it, then it isn't encrypted in the first place.
  Clearly not true. It could be encrypted, but Apple could ave a copy of the key hidden away somewhere - a key escrow program. This would protect iThing users from non-government attacks, and is what the government wants to future to be.
  Also, it could be encrypted, with the key on the device, as appears to be the case, and so Apple just needs to read that key. That may be unduly expensive, but any form of persistent storage can be read by some out-of-band method.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
164. Re:I can see it now... by A+nonymous+Coward · 2016-02-17 06:15 · Score: 1
  
  Use a nonsensical sentence, break normal grammatical patterns, throw in foreign words, etc.
  
  --
  Infuriate left and right
165. Re:I can see it now... by lgw · 2016-02-17 06:16 · Score: 1
  
  The key is stored somewhere. Wherever that is can be imaged, unless the tamper-resistance is good. Even if you don't have physical access, you can generally get the key to leak through side-channel attacks. All of which could be really quite expensive.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
166. Re: I can see it now... by WorBlux · 2016-02-17 06:17 · Score: 1
  
  The problem with this analogy is the you only bury bodies in concrete is to hide criminal activity. It's no lake a blackout drape company. Yes sometimes they are used to hide criminal activity, but more often they are used to privacy and protection from criminal activity.
167. Re:I can see it now... by Aaden42 · 2016-02-17 06:17 · Score: 1
  
  The part that wipes isn't the NAND. The Secure Element both verifies the entered PIN and acts as a read-through crypto processor for access to the flash.
  Every time you enter a bad passcode, the secure element increments its own internal counter without accessing flash in any way. Hit the limit, and the chip wipes its internal storage of the AES keys necessary to access the flash.
  You can certainly desolder or otherwise protect the physical NAND chip, but doing so means you need to brute force the several 128-bit encryption keys used to secure data on it, not the 4-6 digits PIN or passphrase.
168. Re:I can see it now... by A+nonymous+Coward · 2016-02-17 06:17 · Score: 1
  
  Android phones require a password/phrase to use full encryption. A four digit PIN is not enough. Is iOS different?
  
  --
  Infuriate left and right
169. Re:I can see it now... by hattig · 2016-02-17 06:19 · Score: 1
  
  Agreed. ARM Trustzone is an ARM Cortex A5 with its own secure firmware, for example. Even AMD's chips use this.
  But you can also do the key aspects without even the firmware ROM. It's basic hardware functions - A Counter. A Comparator that increments the Counter upon Not Equal. Something to blow fuses to erase the current key should the counter reach 10 (hardwired). Compare and Set of the Credential (passcode, fingerprint hash thing). Some registers to set the supplied credential before kicking off the comparator.
  And yes, on top of that you have anti-FIB mechanisms (you have to destroy the circuits to reach the logic, metal layer faraday-ish cages, etc). Hell, even the presence of PoP memory makes things difficult. The encryption key will be encrypted by a hardware key unique to each chip, so even if you read the secure key storage it won't work, you'll need to find that distributed set of fuses on the SoC...
170. Re:I can see it now... by WorBlux · 2016-02-17 06:19 · Score: 1
  
  No, the all writs act only authorizes the coercion of someone to help execute a specific warrant. To force apple to do something to all phones with a warrant, would mean the warrant would functionally be a general warrant, a type of warrant specifically prohibited by constitution.
171. Re:I can see it now... by hattig · 2016-02-17 06:23 · Score: 1
  
  Exactly. To disable the auto-wipe feature, the hardware would need the credential they are trying to find, as it would compare before (re)setting the feature flag. All done in hardware, not firmware.
  If it's implemented correctly, there is simply no way that Apple can create a software to do what the FBI want, however much they would want to.
172. Re:I can see it now... by hattig · 2016-02-17 06:26 · Score: 1
  
  Regardless of that, to disable the key destruction logic they would need to know the user's credential anyway. And the logic that does this comparison is in hardware, not software, and that comparator is connected to the destruction logic. Basic hardware security 101.
  Maybe earlier Apple SoCs have flaws or workarounds, hence Tim Cook's wording - it may be possible. But later SoCs certainly won't allow it.
173. Re:I can see it now... by Anonymous Coward · 2016-02-17 06:29 · Score: 0
  
  Read TFA. The judge isn't ordering Apple to break the encryption, it's ordering Apple to help the FBI brute-force the password by writing custom firmware. The FBI wants auto-erase disabled, the time delay between password attempts disabled, and the ability to use a bot to send passcodes over the USB cable.
174. Re:I can see it now... by hawguy · 2016-02-17 06:36 · Score: 1
  
  I can imagine that the waiver would also talk abut the content. Although they will try to be carefull, it could still mean that the post-it note with the password you need gets destroyed.
  Surprisingly, they said that they'd get the content out unscathed -- they said they use the torch to cut open the outer shell, then chisel/scrape out all of the fire protective materials (it's a lot like concrete), then use a combination of an angle grinder and a reciprocating saw to get through the inner shell. Labor intensive and noisy and requires ventilation vans, but they said they get called out about once a year to break into once of their safes. Sometimes they can pry them off the floor with a hydraulic jack and take them to their shop, which makes it much easier for everyone.
  They reiterated that a safe isn't meant to stop a thief, just slow him down and attract enough attention that he gets caught before he has time to break in. Ours was a TRTL-30 rated safe, they said they *could* break into it in 30 minutes if they didn't guarantee that the contents would be safe and didn't care about collateral damage to the room where the safe was, but it'd normally take them 6 -8 hours from start to finish to break it open.
175. Re: I can see it now... by hattig · 2016-02-17 06:36 · Score: 1
  
  They could even do a hacky solution like finding a way to disable the wipe after incorrect attempts and brute forcing from there.
  How? This isn't done in software. This may not even be done in highly embedded firmware (ROM, not flash).
  These hardware security systems are designed so you can't just "disable the wipe". The wipe is an intrinsic part of the pin unlock hardware. Disabling the wipe requires the pin... another dead end.
  All the software can do is:
  1) Set Security Hardware Register X to be the entered pin value
  2) Signal the Security Hardware to Unlock the Encryption Key using the value in X (and other static hardware values) (side effects include destroying the encryption key, as well as passing the encryption key to the AES unit that needs it should the pin be correct. An Atomic Operation. Do, or destroy. Never let the user see the key.
  It's not that Apple don't want to help, they can't. And then there's the privacy ramifications even if they could (if that iPhone's Ax processor has some form of bug or hardware backdoor already). I'm sure that Apple already checked any iCloud data they could get access to.
176. Re:I can see it now... by FlyHelicopters · 2016-02-17 06:52 · Score: 1
  
  Clearly not true. It could be encrypted, but Apple could ave a copy of the key hidden away somewhere - a key escrow program. This would protect iThing users from non-government attacks, and is what the government wants to future to be.
  If a door can be opened without the key, then it isn't locked in the first place.
  If a device can be decrypted without the key, then it wasn't encrypted in the first place.
  Proper use of encryption requires that it not be accessible without the key, no exceptions.
  The other problem with your comment is that it assumes the US government is the only government on Earth (a common mistake of Americans). It also assumes that a key-escrow is safe against non-government actors. Math doesn't care who you are, it would never stay secure for long.
  
  Also, it could be encrypted, with the key on the device, as appears to be the case, and so Apple just needs to read that key. That may be unduly expensive, but any form of persistent storage can be read by some out-of-band method.
  The key is designed to not be readable, not even by Apple. The only possible way to read the key would be to decap the chip itself and use an electron microscope, which would take time and cost a lot of money.
  If the chip is designed properly, it will self-destruct when decapped, making even that option not possible.
177. Re:I can see it now... by Darinbob · 2016-02-17 07:01 · Score: 1
  
  Assuming they used a 4 digit PIN, I don't know about iPhone but my code is longer than that on Android. You theory makes a lot more sense. But there is still a snag: how do you update the firmware on an existing phone to allow this?
  I work on a relatively simple device compared to a phone. The security needs it has are much less; prevent network intrustion, provide end to end encryption and authentication, but there is very little need to protect highly confidential data stored on it beyond a few minor things. So with full source code and schematics I can not break into the newest versions with latest firmware; add a debug cable and it will erase internal security keys making anything that's encrypted useless. I'm not saying it's impossible to break in, but this is just basic run of the mill security compared to what is going to be on a phone with full data and firmware encryption.
  Sure, Apple could waste a lot of money by putting on a top tier team on it to figure out how to break in. Not a bad idea as that team might uncover security gaps to be patched. But that's going above and beyond a "reasonable" request from the courts for a mere fishing expedition.
178. Re:I can see it now... by TsuruchiBrian · 2016-02-17 07:03 · Score: 1
  
  That's not cracking the encryption. That's called guessing an easy password (or combination). Obviously I can "crack" the world's most secure safe, if I can guess the password easily. My point was that a secure safe and a secure crypto system share the same feature that the inventor of the system does not have an advantage at cracking the system. The best they can do is brute force it like everyone else (i.e. cutting torches, or guessing passwords)
179. Re:I can see it now... by Anonymous Coward · 2016-02-17 07:11 · Score: 0
  
  Is it a diminishing return? If they can get their way with this one, then doesn't it set a precedent whereby they can use this against millions of devices in future?
180. Re:I can see it now... by lgw · 2016-02-17 07:12 · Score: 1
  
  If a door can be opened without the key, then it isn't locked in the first place.
  If I enter your house through the open window, that doesn't mean you had a bad door lock.
  
  If a device can be decrypted without the key, then it wasn't encrypted in the first place.
  Sure, but that's not the question. The FBI doesn't currently have the key. If there's a way to give them the key, that doesn't mean the device is not encrypted. And in fact this is the case here: what the FBI is requesting is a version of iOS that lets them brute-force the password on the phone (the key is only protected by the phone password). Apple could trivially do this.
  
  It also assumes that a key-escrow is safe against non-government actors. Math doesn't care who you are, it would never stay secure for long.
  Depends on whether the government or Apple keeps the keys, and if Apple keeps them, whether they'd take the fairly simple steps needed to protect them from causal hackers and inside threats (most companies don't take even the most obvious steps to protect their customers). But the argument against key escrow is better found in the constitution than the technical details.
  
  e key is designed to not be readable, not even by Apple. The only possible way to read the key would be to decap the chip itself and use an electron microscope, which would take time and cost a lot of money.
  Yup. Very straightforward if it's not tamper-proof. Merely not cheap. But that's not what the judge is asking them to do.
  
  If the chip is designed properly, it will self-destruct when decapped, making even that option not possible.
  Tamper-proof chips can still be coerced into leaking their keys through side-channel attacks. That's the point of the difference between FIPS 140-2 Level 3 and Level 4.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
181. Re: I can see it now... by Anonymous Coward · 2016-02-17 07:26 · Score: 0
  
  You must use the pin after 48 hours or a power cycle. Fingerprint wont work.
182. Re:I can see it now... by ShaunC · 2016-02-17 07:28 · Score: 1
  
  This entire court case appears to be a case of feigning helplessness for the sake of ... lulling the people on that phone in to false sense of security?
  I agree it's feigned helplessness, but I disagree on the end game. I think it's an attempt to sway the public into supporting backdoors.
  This pair was posting on Facebook for heaven's sake. The Paris attackers were communicating over standard SMS. I simply don't believe there's anything on this iPhone that law enforcement doesn't already have, or can't get either through normal legal channels like subpoenas to the carrier and social media companies, or through questionable channels like NSA.
  It's not about getting whatever's on this specific phone. It's about terrorizing Americans into accepting government backdoors.
  
  --
  Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
183. Re:I can see it now... by budgenator · 2016-02-17 07:44 · Score: 1
  
  They are trying to unlock a phone, only 1,000-1 different combinations, the problem is the phone data wipes after so many failed login attempts. They want Apple to disable the data-wipe so they can brute force the pin number. The court is trying to force Apple to assist with the cyber equivalent of a "No Knock Search Warrant". I'm not sure how I feel on this issue, but I'm leaning toward forcing a private company to assist law enforcement executing a warrant against one of it's customers is a bad thing.
  If Apple is forced into this, they likely will move off-shore.
  
  --
  Apocalypse Cancelled, Sorry, No Ticket Refunds
184. Re:I can see it now... by Anonymous Coward · 2016-02-17 07:49 · Score: 0
  
  Are you still butt hurt over the fact that cops are sad because they don't have backdoors into encryption.
  When are you going to learn that the Bill of Rights is not mean to make the cops lives easier, it is the opposite.
  Working as intended, now fuck off.
185. Re:I can see it now... by FlyHelicopters · 2016-02-17 07:51 · Score: 1
  
  If I enter your house through the open window, that doesn't mean you had a bad door lock.
  No, it means the house wasn't locked in the first place. You're only as secure as your weakest link.
  
  Sure, but that's not the question. The FBI doesn't currently have the key. If there's a way to give them the key, that doesn't mean the device is not encrypted.
  A four digit pin is not really secure, Apple's attempt to make it secure is to limit the number of attempts to try and prevent a brute force attack, as the FBI wishes to do.
  This requires overriding the existing security, something that appears possible on the iPhone 5c, but should not be possible (even for Apple) on the iPhone 5s or later (thanks to Secure Enclave).
  Let me put this another way. Try erasing the actual 256-bit AES key on the phone and try to recover the data and see how well that works without the key.
  The take away from this is that if you really care about your data, don't use a 4 digit pin, use a long password. Then this request for help wouldn't work. The key embedded on the phone only helps once you enter in your own key that goes with it. If your personal password is 12345 then you really have no protection. If your personal password is DEj28s^%$h3nkdol?EqP then you're 100% secure (or as close to 100% as it gets in this world).
  Of course likely no one uses such a password, but "Hello1Goodbye2Tomorrow3Yesterday4Happy5" would likely be pretty darn close the same thing, if a PITA to type in. You could shorten that to H1G2T3Y4H5 and while not as secure, it is a crapload better than a 4 digit pin.
  --------
  This is ALL missing the point of course... even if Apple unlocks the phone, if the owner of that phone used a third party encryption program, it likely wouldn't matter. The flaw has to be in the implementation of the encryption, since 256-bit AES will never be brute forced (it isn't physically possible in our universe). A $5 wrench might come in handy however. :)
186. Re:I can see it now... by Nixoloco · 2016-02-17 08:04 · Score: 1
  
  Actually, the passcode is merely used to encrypt the part of the stored decryption key. The decryption key which is a composite of a stored key and the etched CPU ID. (note Apple says they do not keep any record of the CPU ids when manufactured) The decryption key itself doesn't change unless the entire phone is reset. If the pass code was part of the decryption key, then the phone data would have to be decrypted /reencrypted every time the passcode was changed. As it is, they only have to decrypt/encrypt part of the stored decryption key.
187. Re:I can see it now... by lgw · 2016-02-17 08:37 · Score: 1
  
  No, it means the house wasn't locked in the first place. You're only as secure as your weakest link.
  Ah, but that's not what you first said. And it's not really true - "all the doors and windows are locked" is a perfectly reasonable definition of a secure house, but that still doesn't mean I can't enter. Security just isn't about absolutes.
  
  omething that appears possible on the iPhone 5c, but should not be possible (even for Apple) on the iPhone 5s or later (thanks to Secure Enclave).
  That's the matter of dispute "Secure Enclave" is marketing, and we don't know what's real. Apple rolled their own security with "Secure Enclave", which almost never turns out to actually be secure. Apple of course claimed they can't break it, to avoid bad press. They're now being asked to prove they can't, to prove the FBIs suggestions, such as a firmware update, or just altering the object code directly in RAM, won't work. Those seem like reasonable suggestions to me.
  
  Try erasing the actual 256-bit AES key on the phone and try to recover the data and see how well that works without the key.
  How is that relevant? No one ever attacks the math itself, except as an academic exercise. Practical attacks are always about getting the key. The key is on the phone. (But the phone is still "encrypted", regardless.)
  
  The take away from this is that if you really care about your data, don't use a 4 digit pin, use a long password. Then this request for help wouldn't work. The key embedded on the phone only helps once you enter in your own key that goes with it. If your personal password is 12345 then you really have no protection. If your personal password is DEj28s^%$h3nkdol?EqP then you're 100% secure (or as close to 100% as it gets in this world).
  My take-away is very different. I don't even have a PIN on my phone. I don't trust my phone provider to keep my data safe. If my phone were lost or stolen, of for that matter the PC in my house (which also doesn't have a login screen), I'd want to change my email password, but that's about it (and if I were worried about a government, I arrange things so that changing my email password was also irrelevant).
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
188. Re:I can see it now... by niftymitch · 2016-02-17 08:52 · Score: 1
  
  This is exactly what they want to do... The problem is the phone will wipe itself after 10 failed attempts, so the gov't wants Apple to write them software to bypass the wipe and continue the brute force attack. I'm the only person I've ever met who has more than a 4 digit code to unlock my phone, and I don't even have anything to hide!
  This is a big deal...
  The first time Apple complies with this request it then becomes a case of another one just like the other one.
  A flood of "me-too" court orders would arrive at Apple inside of an hour.
  Court orders all have the same force of law and once the service is established as possible
  all must be served. It can be a dalliance in a divorce case. It can be a health care provider
  that believes you are acting badly.
  There is no national boundary that magically contains these requests. Once the capability
  is establishes a court in Germany, France, Russia, Iran, Cuba can all assert they have a right
  and demand the service.
  What the judge fails to comprehend is this class of request is kin to requiring a Genetic company
  to engineer a virus that would only be administered to a single pig but without industry and national
  safeguards to protect the world. There are national and international standards for working
  with viruses like Ebola -- but nothing like that exists for computer viruses like this. The anti-virus
  folk (industry) may capture and dissect a virus captured from the wild but are not in the business
  of designing and manufacturing them.
  It is also true that federal law: "Computer Fraud and Abuse Act" may make this request
  less than legal. There is no defendant involved simply evidence. Would complying
  violate the Computer Fraud and Abuse Act or would it be tampering with evidence?
  To prove that evidence was not tampered with the process and code might need to be
  divulged (OMG).
  The anchors under iPay and iTunes link to banking and are likely covered by the "Computer Fraud and Abuse Act".
  In parallel others should file evidentiary protection writs to capture the iPhone and other
  digital footprints of the judge and those requesting this action. IMO it is sufficiently
  ill considered that it risks larger issues of national security than the data that might
  be on the phone. i.e. those crafting this request might be provocateurs and agents of other
  companies, other nations or treasonous individuals and as such need to be investigated.
  This is not a simple issue of one phone this is a global infrastructure issue.
  
  --
  Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
189. Re:I can see it now... by TsuruchiBrian · 2016-02-17 09:01 · Score: 1
  
  I was responding to the claim that safe manufacturers can unlock their own safes with cutting torches.
190. Re:I can see it now... by FlyHelicopters · 2016-02-17 09:05 · Score: 1
  
  Ah, but that's not what you first said. And it's not really true - "all the doors and windows are locked" is a perfectly reasonable definition of a secure house, but that still doesn't mean I can't enter. Security just isn't about absolutes.
  Now you're just being pedantic about it...
  A bank vault isn't invincible, but it doesn't have to be to be considered secure. If it can't be broken into before the bank opens in the morning, then it is "secure enough".
  The lock on the front door of my house is enough to keep out the average interested person, the alarm that goes off if they kick it down will address most of the rest. If turning the handle opens the door without effort, then the lock doesn't matter, now does it?
  
  That's the matter of dispute "Secure Enclave" is marketing, and we don't know what's real. Apple rolled their own security with "Secure Enclave", which almost never turns out to actually be secure. Apple of course claimed they can't break it, to avoid bad press. They're now being asked to prove they can't, to prove the FBIs suggestions, such as a firmware update, or just altering the object code directly in RAM, won't work. Those seem like reasonable suggestions to me.
  First, you can't prove a negative.
  Second, Secure Enclave isn't in the iPhone 5c, so it has nothing to do with this case, since the technology in the 5c is far closer to the 4s than the 5s and beyond.
  I suspect Apple could, if they REALLY wanted to, break the 5c and earlier models, due to them being less secure. I suspect Apple could NOT do the same trick with the 5s and beyond. If designed correctly, they would be virtually impossible to break. A new firmware doesn't help with a 5s, because that has nothing to do with the Secure Enclave. If you update the SE chip, you wipe the key in the process (as designed).
  
  How is that relevant? No one ever attacks the math itself, except as an academic exercise. Practical attacks are always about getting the key. The key is on the phone. (But the phone is still "encrypted", regardless.)
  No, HALF of the key is on the phone, the other half is the 4 digit pin you have to enter. Just getting the key on the phone won't let you read the phone's contents. Why is it that people miss that key detail?
  Without the 4 digit pin, you will never, ever, ever read the phone's contents. Ever.
  This is why the FBI needs the override from Apple, the phone will wipe after 10 incorrect tries (I've read in media reports that this was a work phone and it is indeed set to auto-wipe after 10 tries).
  
  My take-away is very different. I don't even have a PIN on my phone. I don't trust my phone provider to keep my data safe. If my phone were lost or stolen, of for that matter the PC in my house (which also doesn't have a login screen), I'd want to change my email password, but that's about it (and if I were worried about a government, I arrange things so that changing my email password was also irrelevant).
  If that is your take-away, then you simply don't understand the security implications.
  Let me put this another way. Imagine if your wallet was stolen and in it was your drivers licence, social security card, credit cards, and checkbook. Do you think that changing the pin on your debit cards and your password to your online banking would be enough?
  That's the problem, and it is a far bigger issue than you think it is.
191. Re:I can see it now... by Anonymous Coward · 2016-02-17 09:10 · Score: 0
  
  Do you feel better for putting that into scientific notation? Seriously?
192. Re:I can see it now... by lgw · 2016-02-17 09:30 · Score: 1
  
  The lock on the front door of my house is enough to keep out the average interested person, the alarm that goes off if they kick it down will address most of the rest. If turning the handle opens the door without effort, then the lock doesn't matter, now does it?
  Ah, but you were making absolutists claims about security up-thread. That's all I was objecting to.
  
  Second, Secure Enclave isn't in the iPhone 5c, so it has nothing to do with this case, since the technology in the 5c is far closer to the 4s than the 5s and beyond.
  I suspect Apple could, if they REALLY wanted to, break the 5c and earlier models, due to them being less secure. I suspect Apple could NOT do the same trick with the 5s and beyond. If designed correctly, they would be virtually impossible to break. A new firmware doesn't help with a 5s, because that has nothing to do with the Secure Enclave. If you update the SE chip, you wipe the key in the process (as designed).
  Yeah, I was just reading up on that It's a 5c, so Apple could definitely give the FBI access. It's not a technical question. Hopefully Apple stands firm on "we can, but we shouldn't", which I certainly agree with.
  For the 5s and beyond, I'd believe Apple lacked the technical know-how to provide access, though it's not clear you couldn't mess with the SE object code in memory (I believe you can update the SE firmware, but it needs the PIN to do it, which is a nice feature).
  
  Just getting the key on the phone won't let you read the phone's contents. Why is it that people miss that key detail?
  Because you can brute force it from there, trivially (but the point of the SE is to not expose the key without the PIN).
  
  If that is your take-away, then you simply don't understand the security implications.
  Let me put this another way. Imagine if your wallet was stolen and in it was your drivers licence, social security card, credit cards, and checkbook.
  Those things are not in my phone. Nor are they to be found unencrypted on my home PC. My home PC has no login screen, because that doesn't provide any real security. I don't care if the person who steals my PC can watch my porno collection. What they won't find is any of my financial details, any browser history that might be mineable, any of the hundreds of other ways Windows leaks stuff. When I want to do some online banking, then I'll type in a strong password, and use an environment only used for banking. And I certainly won't involve my phone in any way in this process.
  Sure, this approach is vulnerable to an "evil maid" attack, but I'm not trying to keep my details from the government - I'm fully protected from theft and normal sorts of hacking, while retaining convenience.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
193. Re:I can see it now... by KGIII · 2016-02-17 09:31 · Score: 1
  
  That's so retarded that it's completely backwards. I am *the* guy who tells 'em to fuck off. I am *the* guy who says that bad shit happens to good people and that's not justification to strip away our rights.
  
  --
  "So long and thanks for all the fish."
194. Re: I can see it now... by cfalcon · 2016-02-17 09:45 · Score: 1
  
  Yes. You get full encryption with a 4 digit PIN. The key is stored in (supposedly) tamperproof hardware, and it is setup to blank the key after 10 failed attempts.
195. Re:I can see it now... by FlyHelicopters · 2016-02-17 10:04 · Score: 1
  
  Those things are not in my phone.
  Maybe not, but that continues to miss the point.
  Those things DO exist somewhere, and if Apple can be made to provide a backdoor, then EVERY technology company can, and then ALL our data and information is open to hackers and foreign interests.
  This is much bigger than your phone or your credit card.
  Apple's point is that you should never be able to override encryption. If something is encrypted and you don't have the key, you don't get access, period.
196. Re:I can see it now... by Anonymous Coward · 2016-02-17 10:07 · Score: 0
  
  >>they want info on who they where talking to
  They should not need to open the phone for that. That information comes straight out of Verizon's logs & metadata; the Bureau probably had it in hand within hours of the event.
  Since the perpetrators destroyed their personal phones, it is hard to think that there is really much of value on Farook's [undestroyed] work phone. This sounds like idle curiosity on the investigators' part or, much more plausibly, the Bureau using this episode to establish legal precedent to force US companies to install backdoors.
197. Re: I can see it now... by Anonymous Coward · 2016-02-17 10:25 · Score: 0
  
  They do, it's called a lock pick set. You should get your own.
198. Re:I can see it now... by Anonymous Coward · 2016-02-17 10:35 · Score: 0
  
  It should be possible to bypass the erase operation with physical access to the device. Most NAND devices have a write protect pin which when pulled low will disable program and erase operations.
  Pictures of the iPhone 5c board for reference:
  http://www.techinsights.com/teardown.com/apple-iphone-5s/
  It looks like the NAND device is sitting on the opposite side of the processor, so my guess is the FLASH's write-protect signal is probably inaccessible. i.e. because of the (amazingly) dense PCB layout the write protect signal probably never shows up at a point where you could physically get to it in order to probe it or overwrite it at run time. Even if the write protect was accessible, I doubt that the OS would boot or run without a writable file system.
  A better option would be to desolder the FLASH device and have the manufacture read out the contents for you. Hynix (the FLASH manufacture) will have a testbed where they can read/test the individual packaged devices without having it soldered to a PCB. That's how semiconductor manufactures do final test on the parts during manufacturing as well as failure analysis for field problems. In addition, if you're really paranoid about damaging the device while desoldering it, you could always cut/grind away the PCB and other "expendable stuff" leaving just the NAND FLASH behind. Either way it's fairly simple to physically separate the FLASH from the PCB and extract the raw contents. Then you can duplicate / emulate to get what you need.
  Compared to the legal costs associated with going to court against Apple, it's probably a more cost effective option as well.
199. Re:I can see it now... by lgw · 2016-02-17 11:06 · Score: 1
  
  Sure, I agree with "shouldn't", but I full expect they (or someone) will, so I do what I can to protect my privacy by assuming that every corporation will leak everything I do. I have no choice but to hope my financial institutions can keep a secret, but I certainly don't expect the likes of Google or Apple or Facebook to do so, not long term.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
200. Re:I can see it now... by Anonymous Coward · 2016-02-17 11:42 · Score: 0
  
  Without the 4 digit pin, you will never, ever, ever read the phone's contents. Ever.
  But what if I get the key from the secure enclave, and the data in the flash, and brute force all the possible four digit PINs, and thus all the possible combined keys? That seems fairly easy, assuming you can get the key, which is probably close to impossible, and certainly not possible through a software attack.
201. Re:I can see it now... by brantondaveperson · 2016-02-17 12:11 · Score: 1
  
  It should be possible to bypass the erase operation
  I'm pretty sure these keys aren't stored in the flash, but are stored on the chip itself. Nothing that goes over any of the buses is going to help you get the key, and nor is anything that's stored on the flash. You should have a look at this which I think has already been liked to from this thread, but is well worth a read. If it's actually true, then the FBI doesn't have a hope in decrypting this or any other iPhone.
  But a possible outcome of this, and perhaps the FBI see this case as a first step, is forcing Apple to (say) encrypt the device keys with asymmetric encryption, using a key pair that they own. And by forcing Apple, I mean forcing everyone.
202. Re:I can see it now... by Anonymous Coward · 2016-02-17 12:18 · Score: 0
  
  You aren't paying attention to the discussion, and don't have a clue what you're talking about. Please stop.
203. Re:I can see it now... by brantondaveperson · 2016-02-17 12:23 · Score: 1
  
  iPhones use full-encryption by default on every device, and if you use a pin the encryption becomes more or less physically unbreakable. This is just another way in which the much-criticised iOS is very significantly superior to Android. Encryption hardware, and locked boot loaders, are what make these devices pretty much bulletproof from a data security point of view.
  If your data is on an iPhone, and you have a PIN, it's completely safe from any attack other than the $5 wrench. Well, that's assuming that you believe Apple, but why would they lie about that? The stuff they're talking about is industry standard stuff anyway - it's not like the invented anything new, they just made unbreakable hardware encryption available to the masses. For better or for worse.
204. Re:I can see it now... by Anonymous Coward · 2016-02-17 12:32 · Score: 0
  
  ARGH - It's not in software, it's in hardware - and you can't update the device without unlocking it first because you don't have the filesystem keys.
  Most of this thread is dedicated to educating people about modern encryption.
  Executive Summary. It's unbreakable. Give up.
205. Re:I can see it now... by brantondaveperson · 2016-02-17 12:38 · Score: 1
  
  It's about terrorizing Americans into accepting government backdoors.
  Bingo. We all know the encryption is basically unbreakable, but this is about making sure that the general public know too, and getting them all worried about it.
206. Re:I can see it now... by mjwx · 2016-02-17 13:15 · Score: 1
  
  What more does the FBI want? The suspects are dead. Stop spending money on diminishing returns.
  Because dissecting how a crime happened, we can look for the signs of similar crimes in the future and prevent them.
  
  The FBI has, or at least used to have the worlds most talented criminal profilers. Understanding the motivations, wants and actions of spree killers can help us spot the signs of them before they become spree killers.
  
  Sorry if this sounds more sensible than blaming video games, rock and/or roll music, Satan, D&D, comic books, Game of Thrones, believing in the wrong sky faerie (or the right one in the wrong way), coloured chalk or whatever else the "Think of the Children" crowd think is causing all the evil in the world.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
207. Re:I can see it now... by TsuruchiBrian · 2016-02-17 14:41 · Score: 1
  
  Do we know it's just a pin number and not a password? I am not familiar with iPhone, but on android you can lock your phone with a long ass password that would not be easily brute forced.
208. Re: I can see it now... by Anonymous Coward · 2016-02-17 15:47 · Score: 0
  
  0000 to 9999 is 10,000 combinations.
209. Re: I can see it now... by Anonymous Coward · 2016-02-17 16:10 · Score: 0
  
  #1 the data isn't erased in the flash, so there's no need to get to the write line.
  #2 the data in the flash is encrypted, so there's no point in copying it. You can't read it without the key.
  #3 you don't have a clue.
210. Re: I can see it now... by Anonymous Coward · 2016-02-17 16:52 · Score: 0
  
  No, this is tv broadcasting. It should be 255.255.255.255
211. Re:I can see it now... by ArmoredDragon · 2016-02-17 18:09 · Score: 1
  
  These kind of countermeasures probably wouldn't stop this guy:
  https://www.youtube.com/watch?...
  Or the too long didn't watch: He physically probes the data bus to be able to watch what it's doing, and can dump the full contents of the smartcard he's probing, or even insert his own commands if he wants to.
212. Re:I can see it now... by tibit · 2016-02-17 18:50 · Score: 1
  
  There's one little problem, though: to do the software upgrade you need the PIN... IOW, I have no idea how they propose to get that software onto the phone. Oh, Apple can develop the software, but so what? It'll be useless.
  
  --
  A successful API design takes a mixture of software design and pedagogy.
213. Re:I can see it now... by tibit · 2016-02-17 18:52 · Score: 1
  
  How on Earth do you update the OS without knowing the pin? Updates don't happen without user having to unlock the phone first.
  
  --
  A successful API design takes a mixture of software design and pedagogy.
214. Re:I can see it now... by tibit · 2016-02-17 18:55 · Score: 1
  
  I've had an iPad with older iOS laying around. I've added the unlock code to it. Now there's no way to do anything on it, including upgrading it, without unlocking it using a correct pin. What am I missing? How will you upgrade that device without user interaction only possible after a successful unlock?
  
  --
  A successful API design takes a mixture of software design and pedagogy.
215. Re:I can see it now... by GingaFlash · 2016-02-18 06:00 · Score: 0
  
  Forgive my ignorance on the subject, but how does an iPhone achieve full-encryption using just a four digit pin? I thought the minimum number of characters for full 128-bit encryption was 16? (8 bits of data for each character, 128/8=16)
  Actually curious on this because my knowledge of the subject is subpar at best.
216. Re: I can see it now... by niftymitch · 2016-02-18 11:20 · Score: 1
  
  But it doesn't change the fact that there's still only 10,000 4-digit passcodes. They could even do a hacky solution like finding a way to disable the wipe after incorrect attempts and brute forcing from there. If they can pick apart the chips, I'm sure they can find a way.
  Of course, that's assuming Apple actually wants to help, which I would guess they probably don't (and they shouldn't IMO).
  The court order may prove moot.
  http://www.popsci.com/box-can-...
  The important part is simply overlooked by the coverage.
  Complying with this court order is not about one phone or one crime.
  It is about "The First" phone.
  One common rant is that this crime is so evil that that we need to do anything
  and everything possible. This ignores the reality of what abuses can be
  done for First+N phones.
  Any court order: civil, criminal, domestic, international must be complied with.
  China, Oregon, Iran, France, Germany will all be able to demand the service.
  All can demand the service be delivered inside their borders as there is no technical reason to not.
  Apple has no legal footing to deny any order issued by due process including secret FISA warrants.
  Divorce, employment actions...
  Apple is not indemnified if there is a flaw in their code.
  Apple is not in a position to deny the service even for a stolen or border confiscated phone.
  A secret warrant could demand the secret bits be moved from Apple to an undisclosed site
  where Apple would no longer have control.
  Should the method escape Apple other complications follow.
  Recall Apple has skin in this game. Apple Pay, iTunes are serious
  cash generation tools that if compromised would risk vastly more than
  the considerable value of the present value of Apple.
  Point of sale payment is a global issue and may be sufficient
  to exclude this writ from the "All Writs Act" that seems to be
  central to the FBI strategy.
  The other implication is that a writ can compel any company to
  develop and engage in any service. "Any service" risks a lot.
  There is nothing to exclude FISA writs from forcing Intel to,
  from AT&T to, from Comcast to... develop tools and services
  to deliver to "Bob" at a loading dock someplace.
  Today Apple may be able to sidestep this for a number of months
  with this hack:
  http://www.popsci.com/box-can-...
  This seems small to some but how large is a fulcrum?
  "Give me a lever long enough and a fulcrum on which to place it, and I shall move the world."
  Add overreaching under the color of the long arm of law and the lever is in place.
  Note well this investigation has no bounds or time limit.
  Today: http://abc7.com/news/fbi-serve...
  the FBI searches Farook's brother's home months after the crime and long
  after the FBI knew who and where he was.
  There be dragons here....
  Pay attention.
  This is a big deal.
  
  --
  Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
217. Re:I can see it now... by niftymitch · 2016-02-18 11:43 · Score: 1
  
  That's easy to solve, charge the government a few million dollars for your assistance. You need access, sure no problem, we'll build you a server farm to crack the encryption key using brute force... It will cost you 600 million dollars.
  This is not a "crack the encryption key" request.
  It is cleverly limited to entering a bad unlock code ten times wipes the device.
  The clever part is this is: "The first phone"
  Once the 10x lockout is removed others have shown that a four button code will be hacked
  in a day and a six button code in about a week.
  The FBI seems to have spent month and an untold number of test phones
  to crack this nut or they are simply lazy and want a service they can just
  compel.
  Note that Apple cannot pick and choose which court order they service.
  Legal, illegal, we have no clue about the parade of court orders serviced
  on previous phones and devices. Apple may have seen astounding
  and numerous abuses in previous writs and Apple may be bound by these
  orders sealed, FISA, NDA, threat under the cover of the law domestic and
  international and no longer wants to play.
  Consider a teanager visiting a market for a soda pop. Both get
  a coke and have a nice day. Next time the friend swipes a pop or
  a bottle of beer... then that friend swipes more than a bottle of beer,
  then that friend escalates to armed robbery, that friend threatens bodily harm if
  you say something, that X-friend then murders a shopkeeper.
  A lot of what we are seeing in these early days of big data and pervasive
  surveillance is modest teenage risk taking. Adults need to catch up
  and pay attention.
  
  --
  Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
218. Re:I can see it now... by Anonymous Coward · 2016-02-18 14:20 · Score: 0
  
  left field hypothetical here, but what if tomorrow god rained down meteorites on all Apple employees? Does the FBI have some sort of contingency plan?
219. Re:I can see it now... by Anonymous Coward · 2016-02-18 18:48 · Score: 0
  
  Normally in situations like this, well-architected systems use a technique called PBKDF2 (password-based key derivation function #2) to create the key from the password you type. You never need to store the key, which is much safer. In newer iPhones (with TouchID), there is a second chip, called the Secure Enclave, which combines data that it knows with the password you type. It has, built in to hardware, safeguards against the rapid-fire password checker the FBI is asking Apple to build. iPhone 5c apparently was based on the older gen of hardware, and did not contain the TouchID nor the secure enclave. In newer phones, it's possible that the wipe function is triggered by a signal from the secure enclave. Not sure how it works in the 5C.
220. Re:I can see it now... by Anonymous Coward · 2016-02-18 21:39 · Score: 0
  
  to whom it may concern, They have already probably unlocked this phone. Either through a backdoor previously entered into the system, or just using the fingers from the bodies of the suspects which they normally retain after using enhanced interrogation techniques. If they did not try this before the bodies were disposed of, they are pretty stupid and do not deserve to learn the information on the phone. The ultimate security is most likely a ruse. They hope the false sense of security will be relied upon by others. In any case at a bare minimum they have the contact information and call records of all calls made too and from the phone. The only way I could see the security being useful would be if it were actually as good as they claim it is, highly unlikely, or be used as a sort of digital onetime pad that is passed from one location to another by hand without the battery being inserted. Even the vibrations produced by nearby sound of the electronic orientation sensor has been proven useful for eves dropping on a target.
221. Re:I can see it now... by Anonymous Coward · 2016-02-18 21:54 · Score: 0
  
  I have successfully backdoored security system mainboards in the past, with no help from the manufacturer. Your mileage may vary. The panels contain lockouts for several levels, each with different privileges. The highest levels usually protect the subscriber reporting destination and codes. This makes it difficult for the owner to subscribe to another monitoring service even after they have fulfilled their contract obligations without buying new hardware. Of course in the fine print most customers never find out until it's too late that they are actually only leasing the equipment.
222. Re: I can see it now... by Anonymous Coward · 2016-02-20 08:51 · Score: 0
  
  I think you slightly missed the point.
223. Re:I can see it now... by Anonymous Coward · 2016-02-25 02:50 · Score: 0
  
  Not so fast. If they are able to duplicate the HW state and then run it in a simulator, they should be able to circumvent a lot of protections.
Here Come Da Judge! by Anonymous Coward · 2016-02-16 13:26 · Score: 0

Yours,
Flip Wilson
Huh? by Lunix+Nutcase · 2016-02-16 13:29 · Score: 3, Informative

There's no word on exactly which model of iPhone was recovered
Huh? The article clearly states a model:

According to NBC News, the model in question is an iPhone 5c
1. Re:Huh? by whipslash · 2016-02-16 13:30 · Score: 2
  
  That must have just been updated. Updating story.
2. Re:Huh? by whipslash · 2016-02-16 13:39 · Score: 1
  
  Lol
3. Re:Huh? by Noah+Haders · 2016-02-16 13:41 · Score: 1
  
  The 5c originally shipped with iOS 7, which apple can get into if they want. It will be interesting to see what happens. Maybe apples claims about being 'locked out' of iOS 8 is bunk. Maybe they didn't password protect their phone. Maybe apple can guess their iCloud password ('12345'?), or access their gmail and reset the password. Once they have the iCloud password, and if there's an online backup, they can restore the backup to another phone. There are plenty of options beside brute forcing that hardware. Maybe the fib just enters all 10,000 lock screen combinations (as long as the option to erase the phone after ten failed tries is not turned on).
4. Re:Huh? by Anonymous Coward · 2016-02-16 13:44 · Score: 0
  
  I don't own one of these devices, so no experience here... but wait. You're saying there are only 10K different possible passwords? How can that be?
  I must be mistaken in assuming that is a password to decrypt the encrypted storage?
5. Re:Huh? by Anonymous Coward · 2016-02-16 13:59 · Score: 0
  
  The lock screen combinations have more to do with connecting the 9 available dots than any true "password".
  Passwords, on the other hand, are quite a different beast. May password systems accept 92 different characters (or more) meaning that 10K password combinations would require (about) 3 characters.
  I always thought the lock screen was a weak security barrier, but till I did the math, I didn't realize how weak it was. Besides, the wear on the glass from repeated unlocking often can tell one some aspect of how to unlock the screen. Ruling out even just a few of the dots dramatically reduces the attack space for a brute force unlock screen attack.
6. Re:Huh? by sims+2 · 2016-02-16 14:03 · Score: 1
  
  Assuming they used the 4 digit pin instead of a password yup just 10K passwords.
  Everyone just uses the 4 digit pin because typing anything longer several times a day just to use your phone is a serious pita.
  Otherwise what do they expect to find that they haven't already gotten from the phone company call recor--err "metadata"?
  
  --
  Minimum threshold fixed. Thanks!
7. Re:Huh? by Anonymous Coward · 2016-02-16 14:09 · Score: 0
  
  Nope it was there the whole time.
8. Re:Huh? by whipslash · 2016-02-16 14:09 · Score: 1
  
  Nope it wasn't. Stay on topic
9. Re:Huh? by olsmeister · 2016-02-16 14:14 · Score: 1
  
  Stuff that they got over wifi?
10. Re:Huh? by Anonymous Coward · 2016-02-16 14:21 · Score: 0
  
  Go, Whipslash!
11. Re:Huh? by Anonymous Coward · 2016-02-16 14:28 · Score: 0
  
  So our new overlord feels the need to respond to insulting comments.
  You're not going to last long that way.
12. Re:Huh? by adamstew · 2016-02-16 14:32 · Score: 5, Informative
  
  You mistake an iPhone's unlock code with the iPhone's encryption key. the iPhones do typically use a 4-6 digit pin as an unlock code. The user also has the ability to create a full alphanumeric password for the unlock code as well. However, that is simply the code that's used to unlock the actual full encryption key that is stored within dedicated crypto hardware. Apple uses a dedicated chip to store and process the encryption. They call this the Secure Enclave. The secure enclave stores a full 256-bit AES encryption key.
  Within the secure enclave itself, you have the device's Unique ID (UID) . The only place this information is stored is within the secure enclave. It can't be queried or accessed from any other part of the device or OS. Within the phone's processor you also have the device's Group ID (GID). Both of these numbers combine to create 1/2 of the encryption key. These are numbers that are burned into the silicon, aren't accessible outside of the chips themselves, and aren't recorded anywhere once they are burned into the silicon. Apple doesn't keep records of these numbers. Since these two different pieces of hardware combine together to make 1/2 of the encryption key, you can't separate the secure enclave from it's paired processor.
  The second half of the encryption key is generated using a random number generator chip. It creates entropy using the various sensors on the iPhone itself during boot (microphone, accelerometer, camera, etc.) This part of the key is stored within the Secure Enclave as well, where it resides and doesn't leave. This storage is tamper resistant and can't be accessed outside of the encryption system. Even if the UID and GID components of the encryption key are compromised on Apple's end, it still wouldn't be possible to decrypt an iPhone since that's only 1/2 of the key.
  The secure enclave is part of an overall hardware based encryption system that completely encrypts all of the user storage. It will only decrypt content if provided with the unlock code. The unlock code itself is entangled with the device's UDID so that all attempts to decrypt the storage must be done on the device itself. You must have all 3 pieces present: The specific secure enclave, the specific processor of the iphone, and the flash memory that you are trying to decrypt. Basically, you can't pull the device apart to attack an individual piece of the encryption or get around parts of the encryption storage process. You can't run the decryption or brute forcing of the unlock code in an emulator. It requires that the actual hardware components are present and can only be done on the specific device itself.
  The secure enclave also has hardware enforced time-delays and key-destruction. You can set the phone to wipe the encryption key (and all the data contained on the phone) after 10 failed attempts. If you have the data-wipe turned on, then the secure enclave will nuke the key that it stores after 10 failed attempts, effectively erasing all the data on the device. Whether the device-wipe feature is turned on or not, the secure enclave still has a hardware-enforced delay between attempts at entering the code: Attempts 1-4 have no delay, Attempt 5 has a delay of 1 minute. Attempt 6 has a delay of 5 minutes. Attempts 7 and 8 have a delay of 15 minutes. And attempts 9 or more have a delay of 1 hour. This delay is enforced by the secure enclave and can not be bypassed, even if you completely replace the operating system of the phone itself. If you have a 6-digit pin code, it will take, on average, nearly 6 years to brute-force the code. 4-digit pin will take almost a year. if you have an alpha-numeric password the amount of time required could extend beyond the heat-death of the universe. Key destruction is turned on by default.
  Even if you pull the flash storage out of the device, image it, and attempt to get around key destruction that way it won't be successful. The key isn't stored in the flash itself, it's only stored within the secure enclave itself which you can't remove the stora
13. Re:Huh? by Anonymous Coward · 2016-02-16 14:44 · Score: 0
  
  Dude, props for putting up with random trolls. You're better than I. I'd just IP ban jack asses like that if I were in your position.
14. Re:Huh? by whipslash · 2016-02-16 14:58 · Score: 1
  
  Feel the *want*
15. Re:Huh? by whipslash · 2016-02-16 14:58 · Score: 4, Informative
  
  Haha well... have you seen any APK spam lately?
16. Re:Huh? by BasilBrush · 2016-02-16 15:05 · Score: 1
  
  On a 5c (as in this case), probably nearly everyone does use a 4 digit pin. But from the 5s onwards, you can unlock with a fingerprint, so the password can easily be longer.
  Equally though, in that case, the FBI can get into a dead person's iPhone by using their dead finger.
17. Re:Huh? by 93+Escort+Wagon · 2016-02-16 15:32 · Score: 1
  
  Everyone just uses the 4 digit pin because typing anything longer several times a day just to use your phone is a serious pita.
  I've never used a 4-digit PIN unless I was forced to do so.
  I change my phone PIN regularly, and can say from experience a long PIN is not a big deal. A number pad is very conducive to typing a lot of digits quickly.
  
  --
  #DeleteChrome
18. Re:Huh? by Anonymous Coward · 2016-02-16 15:38 · Score: 1
  
  Thank you for that post! I could see Apple saying "OK, we'll give it a go! We are going to bill the FBI though for time/services rendered to complete this job though, Apple-style" That would end up being a $1billion project to crack the device and then charge triple for the proprietary hardware and services provided because they had to think different.
19. Re:Huh? by sims+2 · 2016-02-16 15:40 · Score: 1
  
  If you don't use a simple pin (4 digit) you get a full keyboard.
  
  --
  Minimum threshold fixed. Thanks!
20. Re:Huh? by Anonymous Coward · 2016-02-16 16:12 · Score: 0
  
  The only way I can possibly see to potentially unlock the phone without the unlock code is to use an electron microscope to read the encryption key from the secure enclave's own storage. This would take considerable time and expense (likely millions of dollars and several months) to accomplish. This also assumes that the secure enclave chip itself isn't built to be resistant to this kind of attack. The chip could be physically designed such that the very act of exposing the silicon to read it with an electron microscope could itself be destructive.
  TLDR: Brute forcing the unlock code isn't at all possible through pretty much any means...reasonable or even unreasonable...maybe...JUST MAYBE...it's possible through absurdly unreasonable means.
  -------------
  Here's the thing, it's done. Go chat with any firm that does chip IP or worse a pay TV security vendor who doesn't like their competitor. It can be done, it's not going to be cheap, but I doubt it matters. Get the micro-mills and microscopes ready cause I see a microscopic probe in these chips future.
  My crystal ball says it costs sub-1m..
21. Re:Huh? by MachineShedFred · 2016-02-16 16:14 · Score: 1
  
  Or, being the manufacturer, they set up 1000 phones on a room of computers capable of remote PIN entry, and each one tries 10 PINs. One phone unlocks, and then they reset the PIN to 1234 and hand it to the FBI.
  At least, that's the "parallelized" brute force solution.
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
22. Re:Huh? by MachineShedFred · 2016-02-16 16:14 · Score: 1
  
  (restoring an image of the phone in question onto each, of course)
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
23. Re:Huh? by MachineShedFred · 2016-02-16 16:16 · Score: 1
  
  And in that case, if it was my phone, I would cease caring.
  Because I'm dead.
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
24. Re:Huh? by Anonymous Coward · 2016-02-16 16:17 · Score: 0
  
  NSA could do the decapping and hardware hacking, why doesn't the FBI ask them for help?
  Apple would know where the key is stored on the silicon die.
  Seems like this would take a matter of weeks.
25. Re:Huh? by anegg · 2016-02-16 16:33 · Score: 1
  
  I have a 10-digit PIN on my iPhone, and I only get the numeric keypad, not the full keyboard. Its an ok compromise (for me).
26. Re:Huh? by JustAnotherOldGuy · 2016-02-16 16:33 · Score: 3, Funny
  
  Haha well... have you seen any APK spam lately?
  If you've managed to neuter that obnoxious scumbag (or even just slowed him way down), I salute you. Seriously.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
27. Re: Huh? by Anonymous Coward · 2016-02-16 16:34 · Score: 0
  
  Because of how Apple does layered key wrapping, and tying crypto keys to hardware, you have to break 2 distinct , machine generated random , AES 256 keys for this to work as a attack vector
28. Re:Huh? by Anonymous Coward · 2016-02-16 16:35 · Score: 0
  
  That's great and all, but you know what else it turned on by default in iOS?
  iCloud backup.
  And that ain't encrypted by the Secure Enclave or whatever because you can use it to restore your phone to a new phone should the old one break. Or Error 53 because you tried to repair it.
  Apple presumably has a nice copy of the phone stored on their servers that they could just hand over to the FBI if they weren't being obstructionist dicks.
29. Re:Huh? by sims+2 · 2016-02-16 16:38 · Score: 1
  
  Must be something new since 6.1.3 only the 4 digit pin gives numpad on my ipad.
  
  --
  Minimum threshold fixed. Thanks!
30. Re:Huh? by zugmeister · 2016-02-16 16:40 · Score: 1
  
  When you set an iPhone unlock code, you have an option for "Custom Alphanumeric Code", "Custom Numeric Code" and "4-Digit Numeric Code". Which of these you choose probably makes a big difference to how many passwords are possible.
31. Re:Huh? by FunkSoulBrother · 2016-02-16 16:50 · Score: 3, Funny
  
  Haha well... have you seen any APK spam lately?
  God-fucking bless man. Thank you. Dude must be stewing in his own juices angry
32. Re:Huh? by wickerprints · 2016-02-16 16:55 · Score: 5, Informative
  
  That isn't correct, according to the white paper:
  "The backup set is stored in the user’s iCloud account and consists of a copy of the user’s files, and the iCloud Backup keybag. The iCloud Backup keybag is protected by a random key, which is also stored with the backup set. (The user’s iCloud password is not utilized for encryption so that changing the iCloud password won’t invalidate existing backups.)
  While the user’s keychain database is backed up to iCloud, it remains protected by a UID-tangled key. This allows the keychain to be restored only to the same device from which it originated, and it means no one else, including Apple, can read the user’s keychain items.
  On restore, the backed-up files, iCloud Backup keybag, and the key for the keybag are retrieved from the user’s iCloud account. The iCloud Backup keybag is decrypted using its key, then the per-file keys in the keybag are used to decrypt the files in the backup set, which are written as new files to the file system, thus re-encrypting them as per their Data Protection class."
  The relevant sections begin at page 38, in which the paper discusses iCloud, Apple ID, and general Internet Services security. Your misunderstanding stems from the mistaken belief that you can just "restore" the iCloud backup of your phone to a new device. But to do this, you need access to the user's Apple ID password. If two-step verification is turned on, Apple definitely has no way to circumvent this.
33. Re:Huh? by Dorianny · 2016-02-16 16:58 · Score: 1
  
  From what I understand the Judge specifically instructed Apple to provide the FBI with a custom IPSW image to aid their efforts. Iphones will install any singed IPSW for which apple still providing the keys thru its network. IPhones have no mechanism to disable the installation of signed images. It remains unclear how much the FBI or Apple can tamper with secure enclave from root but having remote root shell access definitely opens up avenues of attack.
34. Re: Huh? by Anonymous Coward · 2016-02-16 17:05 · Score: 0
  
  Very nice explanation, thanks. But help me out here... at some point software reads that key and uses the key to create encrypted data. How safe is __that__ code from being used to detect the key. Is the whole crypto library located on the enclave?
35. Re:Huh? by Anonymous Coward · 2016-02-16 17:10 · Score: 0
  
  NSA could do the decapping and hardware hacking, why doesn't the FBI ask them for help? Apple would know where the key is stored on the silicon die. Seems like this would take a matter of weeks.
  NSA has probably infiltrated the chipmaker - regardless of whether it's infiltrated Apple, which it also probably has - to the point that they already know.
  But if it had such a capability (which nobody out here knows), why the fuck would it divulge that fact to the FBI? Catch-22: Regardless of what the judge rules, if the phone can be decrypted, nobody on either the military nor the civilian side can talk about how it happened -- unless Apple can implement a back door and give both sides plausible deniability.
  And that's what this case is about. If a judge can compel a private company to provide a software back door, NSA and FBI can share what they've learned with actual hacks, but more importantly, the need for them to have such hacks is diminished. Why break security when you can ban security? That is the precedent that FBI is trying to set here.
36. Re:Huh? by zugmeister · 2016-02-16 17:23 · Score: 1
  
  you can unlock with a fingerprint,
  Unless that option's turned off for "iPhone unlock".
37. Re:Huh? by zugmeister · 2016-02-16 17:25 · Score: 1
  
  If you choose the long number option you still get the 10 key.
38. Re:Huh? by Anonymous Coward · 2016-02-16 17:27 · Score: 0
  
  Well, gotta tell ya... You *are* learning the way of Slashdot just nicely. Troll-fu is a tough art to master. You seem to be coming along just nicely. ;-)
  Ha! What excellent timing for *this* to happen. So, I just ran out of posts - 50 posts per day, with max karma. How appropriate that it hits that threshold with this particular message. Ah well... At least it's very near perfect timing. And no, no I didn't count and plan on it. I'm not that attentive!
  KGIII (AC 'cause there's that silly threshold again.)
39. Re:Huh? by Anonymous Coward · 2016-02-16 17:41 · Score: 0
  
  I am not actually sure if that's legal? The NSA might not actually be allowed to assist, it's beyond the scope of their charter. And, this data might be needed as evidence in a court case. That would make it easy for a defense attorney to chuck out. Then, any warrants based on it, any evidence gathered, any statements made would all be inadmissible.
  I think they'd avoid that. From what I've read, it may not be recoverable. The fine post you replied to is a good description. A few people have taken the time to type out the process but that's the best description that I've seen so far.
  At any rate... I really don't think the NSA is allowed to help *if* they want to be able to use what they find as evidence and that's probably the biggest reason that they're trying to get in. I'll definitely be keeping tabs on this to see what happens. I probably still won't be buying an iPhone for myself (I am not a terrorist) but it'd be nice to know if they're truly "uncrackable."
  KGIII (AC 'cause I ran out of posts.)
40. Re:Huh? by Anonymous Coward · 2016-02-16 17:53 · Score: 0
  
  The second half of the encryption key is generated using a random number generator chip...Each boot, the secure enclave creates it's own temporary encryption key, based on it's own UID and random number generator with proper entropy, that it uses to store the full device encryption key in ram.
  If half of the full device encryption key is itself generated by a random number generator, how is that part going to be stable each time? Does this happen once, as needed, and then get saved in the secure enclave too?
41. Re:Huh? by dgatwood · 2016-02-16 17:57 · Score: 1
  
  Equally though, in that case, the FBI can get into a dead person's iPhone by using their dead finger.
  Only if they unlock the device and remove the passcode within 48 hours after the owner last used the device. Otherwise, that fingerprint won't do them any good.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
42. Re:Huh? by Anonymous Coward · 2016-02-16 17:58 · Score: 0
  
  Haha well... have you seen any APK spam lately?
  I'm not sure how I feel about that. On the one hand, Mr. Kowalski can be pretty terrible. I've made the mistake of being dragged into a grudge match with him before and he's very adept at dragging people down to his level. I'm still not even sure if he actually believes that anyone in the entire world believes that posts from his "supporters" are from third parties, rather than from him, or if it's just a cunning technique to drive people up the wall... I will also say that, on very rare occasions I have actually been involved in real, on-topic discussions with him and he actually took constructive criticism of what he was saying.
  On the other, more important, hand. Slashdot was traditionally self-moderated. The ideal was that everyone posted as they felt and, barring extreme abuse of the site or extraordinary circumstances (such as demands from litigious pseudo-religions) it was up to users to mod them down, and you could still read the site at -1 if you wanted. User comments being banned or comments simply being deleted by editors was seen as a _big_ deal. Seeing such a casual suggestion that anyone is simply being wiped off the site, even a notorious troublemaker, is a bit disturbing to longtime Slashdot readers.
  I suppose it makes the newbies pretty happy. Andy you can't please all the people all the time...
43. Re:Huh? by dgatwood · 2016-02-16 18:07 · Score: 1
  
  You mistake an iPhone's unlock code with the iPhone's encryption key. the iPhones do typically use a 4-6 digit pin as an unlock code. The user also has the ability to create a full alphanumeric password for the unlock code as well. However, that is simply the code that's used to unlock the actual full encryption key that is stored within dedicated crypto hardware. Apple uses a dedicated chip to store and process the encryption. They call this the Secure Enclave. The secure enclave stores a full 256-bit AES encryption key.
  That's true for a modern iPhone (5s and later). This is a 5c, which is basically just an iPhone 5 with a plastic case. It doesn't have a secure enclave, so the key is stored (encrypted with the passcode) in the external flash part along with all the other data.
  I think there is a hardware key that is burned into the CPU during manufacturing. If so, you can probably read that by uncapping the CPU and using an electron microscope on it. Not easy, but not impossible.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
44. Re:Huh? by Anonymous Coward · 2016-02-16 18:33 · Score: 0
  
  Not if the phone turned off or wasn't unlocked within the time window.
45. Re: Huh? by Anonymous Coward · 2016-02-16 18:37 · Score: 0
  
  Luther? Luther Stickell? Is that you? I've been looking all over for you!
46. Re:Huh? by ChoGGi · 2016-02-16 18:40 · Score: 1
  
  I would also like to add my sincere thanks. While Slashdot has traditionally relied on user moderation, it would be hard to find many people in defense of APK.
  Here's hoping he gives up and finds another place to spam.
  Thanks again
47. Re:Huh? by Anonymous Coward · 2016-02-16 18:42 · Score: 0
  
  Haha well... have you seen any APK spam lately?
  I didn't and thank you for that.
  Can you create a sub category "slashdot internals" or whatever you want to name it to goad these kind of discussions into?
  I'm currently off-topic if I'm not modded down the moderators aren't doing their jobs.
48. Re:Huh? by AaronW · 2016-02-16 18:56 · Score: 1
  
  It probably is not as expensive as you think to extract the key from the physical chip. Where I work we had a new chip with a critical bug in it that prevented it from working. We were able to use FIB (Focused Ion Beam) in order to correct a number of chips for development. It should be possible to go through the layers on the chip where the various fields are stored and extract them. Once you have all of the information it should be possible to use an FPGA or other setup (or even software) to brute force the user's pin and extract the data, completely bypassing the secure enclave. It certainly didn't cost millions of dollars to FIB our chips in order to fix the problem or we would have just skipped that step, updated the metal mask layer and made new chips.
  Once you decap a chip and have the right tools it should be possible to obtain all the needed data to brute-force the key. Usually the hard part is reverse engineering the chip layout, but Apple already has the design. Antifuse can make this rather difficult but I imagine that with a decent amount of money it should be possible to obtain the keys.
  
  --
  This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
49. Re:Huh? by AaronW · 2016-02-16 18:58 · Score: 1
  
  It's not as expensive as you might think, especially if you have the original chip design and layout available. It may be as low as $50-$100K, though it can also become quite a bit higher in some cases. It's amazing what can be done with FIB today.
  
  --
  This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
50. Re:Huh? by adamstew · 2016-02-16 19:07 · Score: 1
  
  I don't think this will help them. The secure enclave utilizes its own secure boot and personalized software update separate from the application processor. Basically, The secure enclave can have it's software updated, but it's firmware update is separate from the main firmware for the device. The secure enclave requires you to enter the unlock code before it will accept new firmware. Anytime you do an iOS update on your phone, it asks for the unlock code...This is why...you need it to put the secure enclave into a mode where it will accept a new firmware.
  The whole system is designed to be resilient even if the main kernel of the device has been compromised.
51. Re: Huh? by adamstew · 2016-02-16 19:15 · Score: 1
  
  The secure enclave does all the crypto itself. It sits between the OS kernel and the flash memory itself. The full key is never in a space where it is accessible to any part of the application processor.
  The secure enclave assembles the full crypto key using the 3 pieces... it's own 64-bit Unique Device ID (UID), the application processor's unique 64-bit Group ID (GID), and a 128-bit random number that the secure enclave generates during the initial device setup that is stored within the secure enclave chip itself.
  Quite simply, the full key never leaves the secure enclave.
52. Re:Huh? by adamstew · 2016-02-16 19:16 · Score: 1
  
  Yes. The random number is generated during the initial device setup process and then stored within the secure enclave itself.
53. Re:Huh? by adamstew · 2016-02-16 19:38 · Score: 1
  
  The secure enclave is physically built to resist these kinds of attacks...EM shielding and such. I'm not saying it's not possible, but it is very difficult, time consuming, and requires a lot of special tools. Tools that apple probably doesn't have because it never created them. And the secure enclave storage is still only 1/2 of the key.
  Another 1/4 of the key is physically burned in to the application processor, and the remaining 1/4 of the key is physically burned in to another part of the secure enclave.
  All of this adds expense in forcibly extracting the key from the device.
54. Re:Huh? by AaronW · 2016-02-16 19:52 · Score: 1
  
  I read one estimate that it probably costs $30K per chip, though it might be quite a bit more. It would likely be well within the FBI's budget, however, and probably no more than a few million dollars. Sure, Apple probably never created the tools, but having the design available should not make it all that difficult especially once the keys are extracted from the chips through physical means. Once the keys are extracted and the flash contents are extracted it then just becomes a software problem to brute force it.
  Chip reverse engineering happens all the time, and it's not like they have to reverse engineer the chip since Apple has access to everything, where every trace and transistor is on the chips. FIBing chips isn't particularly expensive these days either and is now becoming quite common in the chip development phase. Sure, Apple may not have the tools, but there are plenty of other people out there that do have the tools.
  
  --
  This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
55. Re:Huh? by Anonymous Coward · 2016-02-16 20:15 · Score: 0
  
  > The secure enclave also has hardware enforced time-delays and key-destruction.
  That "hardware enforced" is in fact, software enforce. ARM Trustzone is just a generic framework, relies on secure boot. Since Apple has the private key that can produce a legitimate secure boot image, they can produce a legitimate signed boot image along with a signed kernel, that allows brute-force "attack".
56. Re:Huh? by cfalcon · 2016-02-16 20:23 · Score: 2
  
  "Can your new site do 16 things?"
57. Re:Huh? by Falconhell · 2016-02-16 20:24 · Score: 1
  
  Excellent, well done.
58. Re:Huh? by cfalcon · 2016-02-16 20:30 · Score: 1
  
  > While Slashdot has traditionally relied on user moderation, it would be hard to find many people in defense of APK.
  I feel that he is fighting the good fight by having a piece of software that is well intentioned and appears to be functional. The fact that he would fill up a comment page back in the day with the same copy-pasta is indefensible, of course. I've argued with him a few times (there are weaknesses to host based blocking), and I never felt that he was a bad guy. He toned down his paste-rate in the last few months as well, but it was still disruptive and clearly required moderators to go through and delete manually. It seems whipslash has a more permanent fix.
59. Re:Huh? by Plumpaquatsch · 2016-02-16 20:31 · Score: 1
  
  Troll-fu is a tough art to master.
  Is trollfu like tofu, just made with trolls instead of the real thing?
  
  --
  Of course news about a fake are Fake News.
60. Re:Huh? by cfalcon · 2016-02-16 20:36 · Score: 1
  
  I've put this elsewhere in the thread but Apple seems to think they can provide plenty of stuff from icloud to law enforcement. The icloud stuff is encrypted with a passcode known to Apple:
  http://www.apple.com/privacy/d...
  This LEO guide seems to back that up:
  http://manhattanda.org/sites/d...
  So if it was in icloud, presumably they have it already, because Apple says "we can give you the icloud stuff, because we can access it". The locally encrypted stuff is locally encrypted, however- so presumably they want access to that.
61. Re:Huh? by wvmarle · 2016-02-16 21:11 · Score: 1
  
  This allows the keychain to be restored only to the same device from which it originated
  Sucks if you lose your device. Or it physically breaks.
  Two of the main reasons you'd want to keep a backup in the first place.
62. Re:Huh? by shilly · 2016-02-16 21:11 · Score: 1
  
  Erm, nope. Touch ID uses the steel capacitative sensor to sense the electrical charge in living tissue to begin the unlock process, and the process itself uses RF waves to scan living tissue and ignore dead tissue. Spoofing that is going to be quite tricky.
63. Re: Huh? by Plumpaquatsch · 2016-02-16 21:17 · Score: 1
  
  Very nice explanation, thanks. But help me out here... at some point software reads that key and uses the key to create encrypted data. How safe is __that__ code from being used to detect the key. Is the whole crypto library located on the enclave?
  "Every iOS device has a dedicated AES 256 crypto engine built into the DMA path between the flash storage and main system memory, making file encryption highly efficient.
  The device’s unique ID (UID) and a device group ID (GID) are AES 256-bit keys fused (UID) or compiled (GID) into the application processor and Secure Enclave during manufacturing. No software or firmware can read them directly; they can see only the results of encryption or decryption operations performed by dedicated AES engines implemented in silicon using the UID or GID as a key. Additionally, the Secure Enclave’s UID and GID can only be used by the AES engine dedicated to the Secure Enclave.
  
  --
  Of course news about a fake are Fake News.
64. Re:Huh? by sociocapitalist · 2016-02-16 21:55 · Score: 1
  
  " The unlock code itself is entangled with the device's UDID so that all attempts to decrypt the storage must be done on the device itself. You must have all 3 pieces present: The specific secure enclave, the specific processor of the iphone, and the flash memory that you are trying to decrypt. Basically, you can't pull the device apart to attack an individual piece of the encryption or get around parts of the encryption storage process. You can't run the decryption or brute forcing of the unlock code in an emulator. It requires that the actual hardware components are present and can only be done on the specific device itself."
  Be careful of accepting marketing materials as proof.
  Nothing stops Apple themselves from fabricating another phone with the same UDID. The flash and 'tamper resistant' secure enclave can probably be cold attacked and bit level duplicated and stored to allow brute forcing.
  While a single duplicate phone wouldn't be of much use, anything physical can be simulated and Apple is capable of doing so for their own product, though their marketing materials won't say so and they certainly won't want to set a precedent for being able to do so.
  
  --
  blindly antisocialist = antisocial
65. Re:Huh? by Anonymous Coward · 2016-02-16 22:26 · Score: 0
  
  God bless you..... *wipes away a tear*
66. Re:Huh? by BasilBrush · 2016-02-17 00:44 · Score: 1
  
  LOL! What do you think it's doing, sensing a beating heart?
  Don't fall for the hype. iTouch has been hacked with techniques involving photocopiers and glue. The actual finger of the dead owner would certainly work.
67. Re:Huh? by AmiMoJo · 2016-02-17 00:51 · Score: 1
  
  Whipslash, would you please tell us what you have done?
  Like many here, I support free speech and Slashdot has always been one of those places where it is allowed to the fullest extent possible. The moderation system stops it descending to 4chan levels, but unpopular opinions are still able to be posted.
  As someone of occasionally gets modded -1 Troll for saying unpopular things, I find this disturbing. Not least because the moderation system is far from perfect. Often what I say is repeated by someone else and ends up at +5, meaning it is simply people mod-bombing me. If we allow the tyranny of the majority to extend to actually blocking people from using the site then Slashdot will become and echo chamber and die.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
68. Re:Huh? by Anonymous Coward · 2016-02-17 01:11 · Score: 0
  
  posts actually get deleted on slashdot? i've seen apk and gnaa spam on here months after the original article was posted.
69. Re:Huh? by Anonymous Coward · 2016-02-17 02:38 · Score: 0
  
  Perhaps watch the power when you make a passcode request and reset the secure enclave after it decides wrong passcode, but before it bumps the try counter?
  Having the ability to change the main s/w and having an understanding of the whole design seems a great leg up here.
70. Re:Huh? by adamstew · 2016-02-17 02:46 · Score: 1
  
  You confuse UDID with UID. The UID is unique and burned in to the processor of the phone. The GID is unique to the Secure Enclave and is burned in to the silicon of the secure enclave. Apple does not have any record of any phone's UID or GID. Both of which combine from separate hardware components to create 1/2 of the encryption key.
  The other 1/2 of the key is randomly generated during initial device setup by the user and stored in memory that is embedded within the secure enclave itself. It cannot be removed and imaged from the secure enclave...it's actually within the silicon of the chip. The chip has no method of querying for the key. The chip itself does all of the crypto calculations on board.
  Apple doesn't have any way of knowing the UID, GID, or randomly generated part of the encryption key. There isn't any memory that they can reasonably image. Because of this you require the actual hardware you are trying to get into. If you are missing any piece of it, you don't have the full key.
71. Re:Huh? by whipslash · 2016-02-17 04:34 · Score: 1
  
  Just put filters on his repeated commercial spam. It's not free speech, its hawking a product
72. Re: Huh? by dothasmurfysmurf · 2016-02-17 04:36 · Score: 1
  
  Best would be rigging it where apk can post, and see his posts but none of the rest of us can. I can see him already, typing out his manifesto length hosts file posts, getting more and more frustrated that no one is responding him, not even modding him down lol
73. Re:Huh? by Anonymous Coward · 2016-02-17 04:40 · Score: 0
  
  How would you install the IPSW without unlocking the phone? For USB, doesn't iOS have to ask you if you trust the computer you're connecting to?
74. Re:Huh? by AmiMoJo · 2016-02-17 04:49 · Score: 1
  
  Thanks for clarifying. Spam filters are of course fine, it's just been a bit worrying lately with all the various anti-feminists, MRAs, SJWs and assorted other factions calling for others to be silenced.
  Keep up the good work.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
75. Re:Huh? by Anonymous Coward · 2016-02-17 05:36 · Score: 0
  
  [...] all attempts to decrypt the storage must be done on the device itself. You must have all 3 pieces present: The specific secure enclave, the specific processor of the iphone, and the flash memory that you are trying to decrypt.
  Technically it sounds possible to attack the encrypted flash alone - rather than the key storage. Then you're just trying to brute force 256bit AES encryption...
76. Re:Huh? by castionsosa · 2016-02-17 06:04 · Score: 1
  
  Since iOS 4.x, if I use an all digit password, type it in on the full keyboard, I'll get the numpad and the OK button. I have used a longer PIN just for peace of mind, and with the fingerprint scanner, no excuse not to use a decent passphrase.
77. Re:Huh? by Anonymous Coward · 2016-02-17 06:26 · Score: 0
  
  On the other, more important, hand. Slashdot was traditionally self-moderated [...] User comments being banned or comments simply being deleted by editors was seen as a _big_ deal.
  Slashdot has always taken steps to eliminate actual spam, which is what APK's posts usually were. (Remember the MyCleanPC spam? It didn't go away because of people downvoting the posts.) I saw a few cases of him actually responding to people, but most of the time his posts were no different than any other automatic spam-bot. I suspect that at times he was running a script that would cobble together various pre-canned phrases, and pepper a little bit of manual typing along with it, in order to avoid any kind of automatic filtering.
  The issue with him was that he put so much effort into flooding stories, and had so many sockpuppet accounts, that it was pointless to burn your points on downvoting his comments. The end result was that once he started hammering on a story, most people just quit commenting and moved on.
  And to be blunt, it's not like the guy can't still post on here. As long as he doesn't include things like the link to his stupid website or his signature copypasta phrases, it's not like there's any way to automatically kill his posts, and changing IP's is a trivial matter.
78. Re:Huh? by Anonymous Coward · 2016-02-17 06:42 · Score: 0
  
  If you have a 6-digit pin code, it will take, on average, nearly 6 years to brute-force the code. 4-digit pin will take almost a year.
  Can you please explain your reasoning here? My intution is that a 6 digit code would take 100 times as long to brute force as a 4 digit code.
79. Re:Huh? by whipslash · 2016-02-17 06:49 · Score: 1
  
  Thanks
80. Re:Huh? by hattig · 2016-02-17 07:03 · Score: 1
  
  Basically I think Apple is trying to tell the FBI to actually pull the device apart and risk breaking it.
  1) it's pretty much the only way to get any data, especially if a Secure Enclave is used
  2) Apple can't create a custom OS image without knowing information that is in the Secure Enclave anyway
  3) Using a high-end FIB that can work well against FIB-hardened Security Systems is still probably cheaper than creating the special OS and all that
  4) Apple doesn't want to spend its money on a dead end task
  5) There is reputational risk to Apple if they can somehow do this, their security isn't that good, etc (never mind the fact it's a 5x, not a 7S) - the cost could run to billions on their stock price. Are the FBI willing to put up a bond to cover this?
81. Re:Huh? by Anonymous Coward · 2016-02-17 12:50 · Score: 0
  
  Yeah. I guess Apple are super-dumb, and never thought of that.
  Oh. Wait. I've done that very thing! Restored my backup onto a new device! Perhaps it's because Apple store the keys encrypted with your apple ID and password or something? They truly are magicians!
82. Re:Huh? by Anonymous Coward · 2016-02-17 15:12 · Score: 0
  
  Commence Operation Blind Squirrel
83. Re:Huh? by Anonymous Coward · 2016-02-17 15:19 · Score: 0
  
  Hahahahahahahaha http://slashdot.org/comments.p...
84. Re:Huh? by shilly · 2016-02-17 19:09 · Score: 1
  
  Tell you what, why don't you chop your own finger off and give it a try. You can come back and tell us. If it doesn't work, you can always shove your finger up your ass, and ask it to wave hello to all your opinions up there, where they cluster safe from the facts.
85. Re:Huh? by BasilBrush · 2016-02-17 21:32 · Score: 1
  
  Photocopiers and glue. It's not like you even have to Google it, it's been a story here.
  Dumbass.
Maye be they have done the job correctly by Anonymous Coward · 2016-02-16 13:32 · Score: 0

then apple can render all the help they can but be still unable to provide the help needed?
Where's my tinfoil hat? by ptaff · 2016-02-16 13:34 · Score: 4, Insightful

I wouldn't be surprised if this was nothing more than a joint PR stunt to mislead people into assuming privacy on their cellphone so they wouldn't be afraid to use it for sensitive information. Government has nothing to win by disclosing they have a backdoor, neither does the cellphone manufacturer. Even thinking lo-fi decryption, how long must the passcode be before brute-forcing gets more inconvenient for the government than for the user?
1. Re:Where's my tinfoil hat? by Anonymous Coward · 2016-02-16 13:41 · Score: 0
  
  Far more likely to be a play to "What about terrorists?" and "Think of the children!" by the government than anything Apple is doing.
  Having said that, you are correct - using any computer in any way to commit a crime is pretty stupid. Pocket computers especially.
2. Re:Where's my tinfoil hat? by TsuruchiBrian · 2016-02-16 14:39 · Score: 5, Insightful
  
  Apple has nothing to gain (and everything to lose) by actually having a back door. Apple doesn't make money by spying on people.
3. Re: Where's my tinfoil hat? by Anonymous Coward · 2016-02-16 14:50 · Score: 0
  
  Apple has the company to lose now that they're actively advertising the iPhone as a tool to hide evidence of criminal activity. Additionally, you know it's BS because a device which a toddler can brick is not customer friendly.
4. Re:Where's my tinfoil hat? by AHuxley · 2016-02-16 15:07 · Score: 0
  
  If the phone is for sale and network use in the USA, it has to be Communications Assistance for Law Enforcement Act (CALEA) like ready.
  The need to tell the press that its still so difficult is about the optics of global sales and the US big brand gov encryption disclosures.
  If this access was the normal for cell tech a few years ago, "FBI taps cell phone mic as eavesdropping tool" (December 4, 2006)
  http://www.cnet.com/news/fbi-t...!
  what has changed in the US cell network access for any other gov data or network requests?
  A cell phone as sold for US network access has to be open to law enforcement as sold and designed.
  Stories like this keeps the cell phone faith and signals intelligence flowing as users still think their generations devices have "special" encryption or safe storage.
  No 5 eye nation would let the majority of public walk around secure communications for voice, data, storage or video.
  
  --
  Domestic spying is now "Benign Information Gathering"
5. Re: Where's my tinfoil hat? by Anonymous Coward · 2016-02-16 15:40 · Score: 0
  
  I may be recalling CALEA incorrectly but I think it applies to switching equipment not handsets
6. Re: Where's my tinfoil hat? by MachineShedFred · 2016-02-16 16:32 · Score: 1
  
  Yeah, except it's not "bricked". Don't use words you don't understand. The device is still fully functional, and you have many recovery methods to get it back to a usable state.
  "Bricked" means that it is no more functional than a brick. It's ballast. You can use it to prop open a door, or make sure papers don't blow away off your desk. And that's it.
  If a toddler figures out how to turn on the PIN lock and locks you out of your shit, you can always plug it into iTunes and wipe it. If you don't have a backup to then restore, then you're a damn idiot and deserve to lose all your shit, especially as Apple gives you 5GB of encrypted online backup storage for free.
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
7. Re:Where's my tinfoil hat? by MachineShedFred · 2016-02-16 16:37 · Score: 1
  
  CALEA doesn't apply to on-device storage, or even data networks. It applies to the voice network, and being able to run a court ordered wiretap for telephonic surveillance.
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
8. Re:Where's my tinfoil hat? by AHuxley · 2016-02-16 17:35 · Score: 1
  
  danheskett "carriers and manufacturers" should give a hint about a root or hardware way in.
  The "manufacturers or providers of handsets for regular commercial use" is getting more interesting and is why I said "(CALEA) like".
  The older laws should show what the US gov historically expected from generations of devices connecting to wider US networks.
  What is a "manufacturer" now in 2016 with huge production lines been in China vs designers in USA? Low taxes in the EU?
  The result will be total access for the US government for a product sold in the USA and connected to US networks.
  The quoted "any phone conversations" has also moved to VOIP as was shown with the kind of support that was given in other areas by OS makers. Recall the help PRISM got?
  https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29#PRISM_overview
  Chat – video, voice, stored data, file transfers
  and recall "iPhone has secret software that can be remotely activated to spy on people, says Snowden" ( 21 January 2015)
  http://www.independent.co.uk/l... ".. published files from the NSA showed that British agency GCHQ used the phones UDIDs — the unique identifier that each iPhone has — to track users."
  "has special software that can activate itself without the owner having to press a button and gather information about him, that’s why on security grounds he refused to have this phone."
  CALEA support was public and people can now draw more information.
  
  --
  Domestic spying is now "Benign Information Gathering"
9. Re:Where's my tinfoil hat? by Anonymous Coward · 2016-02-16 19:10 · Score: 0
  
  BINGO
10. Re:Where's my tinfoil hat? by Plumpaquatsch · 2016-02-16 21:44 · Score: 1
  
  and recall "iPhone has secret software that can be remotely activated to spy on people, says Snowden" ( 21 January 2015) http://www.independent.co.uk/l... ".. published files from the NSA showed that British agency GCHQ used the phones UDIDs — the unique identifier that each iPhone has — to track users."
  Well, that software obviously needs the user to type in his passkey to be used, else the FBI could just use it, no?
  
  --
  Of course news about a fake are Fake News.
11. Re:Where's my tinfoil hat? by Anonymous Coward · 2016-02-16 22:45 · Score: 0
  
  Apple has nothing to gain and everything to lose) by actually having a back door.
  Except for not having their exuctives in jail and not having mysterious 'evidence' of fraud appearing.
12. Re:Where's my tinfoil hat? by Anonymous Coward · 2016-02-17 02:54 · Score: 0
  
  They make money by selling phones in the USA, which the NSA will make hellish if they refuse to comply with their NSL.
13. Re:Where's my tinfoil hat? by Anonymous Coward · 2016-02-17 05:17 · Score: 0
  
  San Bernardino Shooting Story Shot Full of Holes, Was this a False Flag Event?
14. Re:Where's my tinfoil hat? by david_thornley · 2016-02-17 06:32 · Score: 1
  
  Another thing I find interesting is that CALEA doesn't really hurt my security. When I'm telecommunicating, I'm using the phone company's central hardware. If they've got a tap there, it doesn't mean just anybody can listen in. It can easily be set up so only the phone company can, so it can be restricted to people with warrants or good Fast Talk skill, and it can be recorded to find the impostors later.
  The security on my iPhone is based on my iPhone. If someone has my iPhone, they have physical access to everything in it. This means that, if authorized agency (like the FBI) can get my data, so can any bad guy (like ISIS, organized crime, or the FBI). Setting up a CALEA-type requirement would hurt everyone's security.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
15. Re: Where's my tinfoil hat? by TsuruchiBrian · 2016-02-18 12:34 · Score: 1
  
  That's like saying safes are tools to hide criminal activity, and therefore Safe company X should manufacture safes in a way where they can be unlocked by an FBI master key.
  1. Forcing a particular company to manufacture insecure safes does not force criminals to use those safes. They can easily just use any other safe that is not insecure.
  2. This existence of an FBI master key makes these safes vulnerable to anyone who possesses a copy of that key whether they are the FBI or a Russian hacker.
  The math for secure encryption is public knowledge. The US government can't make this information unknowable. Getting Apple to use an insecure crypto system, simply forces criminals to switch to secure ones.
16. Re:Where's my tinfoil hat? by TsuruchiBrian · 2016-02-18 13:44 · Score: 1
  
  They are a powerful corporation in a country run by corporations. I think they'll be fine.
17. Re:Where's my tinfoil hat? by TsuruchiBrian · 2016-02-18 13:47 · Score: 1
  
  This government is completely bought by corporations. Generally it's a pretty bad idea to jail the people that own you. Without their support, you will be out of power pretty quickly.
18. Re:Where's my tinfoil hat? by Anonymous Coward · 2016-02-18 14:30 · Score: 0
  
  But what if the Apple executives or security engineers were part of Tony Soprano's crew? If that ever happened, it wouldn't exactly be true that Apple doesn't make money spying on people. But I'm sure something like that could only happen on TV.
The deed is done by Anonymous Coward · 2016-02-16 13:35 · Score: 0

The perp is dead. This is where they should stop investigating.
1. Re:The deed is done by wickerprints · 2016-02-16 13:48 · Score: 4, Insightful
  
  It stands to reason that the purpose of trying to decrypt the phone after the event, and after the death of the perpetrators, is to see if there might be any information that might implicate other individuals as accomplices or sympathizers, so that those individuals can be investigated. But if it is not possible for Apple to decrypt the phone, then other avenues of investigation will need to be considered.
  Of course, mathematics being what it is, and lawyers and judges being who they are, it is not the least bit surprising that the latter should be ignorant of the former. It's a unique form of hubris to think that one can somehow circumvent a secure cryptographic system by the mere force of law, as if jurisprudence supersedes mathematical truth.
2. Re:The deed is done by Lumpy · 2016-02-16 14:11 · Score: 4, Insightful
  
  Or you know the FBI can look through all the phone records and use their other sources of information. These people had twitter, they know that, they can also easily find their email accounts.
  It's the FBI being whiney.
  
  --
  Do not look at laser with remaining good eye.
3. Re:The deed is done by Anonymous Coward · 2016-02-16 14:29 · Score: 0
  
  "If the law thinks that, the law is an ass!" - C. Dickens
4. Re:The deed is done by KitFox · 2016-02-16 14:33 · Score: 4, Insightful
  
  The problem is that cryptography is mathematics and doesn't know the difference between criminals and innocent people.
  It also doesn't know the difference between law enforcement requests to unlock the phone and criminal requests.
  If they can get into a criminal's phone, they can get into anybody's phone. If they can get into anybody's phone, any criminal who gets the key can get into anybody's phone. As to "how likely is it for the criminals to get the keys?"... well, pretty much every system (FBI, DHS, Apple, etc) that could theoretically hold the keys has been breached at some point. Holding that capability also makes a huge target. So "Very Likely", even to the point that when things were previously unlockable, hackers were doing so already.
  Thus it comes down to "Do you want to allow criminals to access your iPhone so that law enforcement can also access a criminal's iPhone?" at that level. And in the event that a smart criminal had an indication that Apple could defeat the encryption and lockout, they'd just store the important data in a place that no company controlled or had access to.
  
  --
  @Whee
5. Re:The deed is done by jedidiah · 2016-02-16 14:53 · Score: 4, Insightful
  
  > Except for the Criminal Rights crowd
  You mean like the Son's of Liberty? THAT "criminal rights" crowd.
  You're such an ignorant moron.
  
  --
  A Pirate and a Puritan look the same on a balance sheet.
6. Re:The deed is done by spire3661 · 2016-02-16 15:10 · Score: 5, Interesting
  
  The right to encryption and by extension privacy is more important than any one crime. The State has to accept its limitations, not wail and moan about how its 'not fair' they cant have absolute control over humans. Some things are beyond government's reach, accept it.
  
  --
  Good-bye
7. Re:The deed is done by Anonymous Coward · 2016-02-16 15:49 · Score: 0
  
  So first of all, CALEA is just about wiretapping. Apple is in the clear until someone proves users are downloading apps from apple that securely encrypt their devices and communications. If the users are writing applications and using the devices to form their own secure communications overlay network, that's their business and as far as CALEA is concerned the manufacturer is in the clear. If the FBI is screaming "CALEA!!!", this is the definition of jack-booted tyranny.
  What we are discussing here is intentionally weakening systems to ensure access by law enforcement. This requires either handing the government a key to the city, or providing access upon request (and reasonable payment) to a back door.
  Both of these solutions introduce intentional weaknesses into the code that security researchers will eventually discover or employee's, under absolutely no contractual, moral, ethical, or legal requirement to keep said information private, performs their own risk and reward discovery, and determines selling access to interested parties is a low risk high reward situation.
  Lets look at the risk/reward of granting these requests:
  At best, the bad guys get reliably caught. How many? Nobody's ever quantified it.
  At worst, the government uses this authority in a totalitarian manner and hactivist groups retaliate by using the same systems the government relies upon to perform wiretapping as either an effective measure to either block the governments access to said tools by threats or instigating actual damage (Hey you have to give us another back door; OK they'll take 6 months but the patch for this will get pushed tomorrow so access will be down for 5ish months), or they use their capability to burn the city to the ground (Example: Sony, which still hasn't recovered economically from the attack they got hit by).
  The fundamental issue is there's accountability for these spying tools; companies have no incentive to effectively secure them because everyone is getting hit right now. Cisco, Fortinet, Juniper, Watchguard, Pal Alto; just in the last year or two everyone in the aforementioned list has a vulnerability in their firewall's remote vpn infrastructure granting remote access. These companies will quickly patch if the exploit if it is released publicly obviously. On the other side, the government just asks for them to comply with the law which to the companies is a cost of doing business.
  The net effect of this is we are continuously producing weakened infrastructure; once the support stops, it stays vulnerable. Companies will make financial decisions to keep equipment around and to pay support contracts and despite conventional wisdom this is becoming an increasingly regular occurrence.
  All to deliver to the government and the public the unquantifiable benefit of "parallel construction".
  I'll remind everyone here a hospital just got hacked and it's systems taken hostage.
  https://www.technologyreview.com/s/600817/hospital-forced-back-to-pre-computer-era-shows-the-power-of-ransomware/
  The decision seems to be to shut down mass surveillance programs and give the people the responsibility of self-defense, or ensure infrastructure is insecure and hope nobody takes advantage of it. Without the ability or public will to secure infrastructure from nation-state actors, I think we can expect a red triangle shirtwaist factory incident or two within the next several years in which a few thousand people die because of these requirements.
8. Re:The deed is done by fnj · 2016-02-16 15:52 · Score: 1
  
  The problem is that cryptography is mathematics and doesn't know the difference between criminals and innocent people.
  Problem? Problem? How is that a problem? The power structure can make anyone it wants a criminal just by having bullshit laws. Turing was a "criminal" by UK law at the time. There was a time it was "criminal" to shelter escaped slaves in the US. Or to consume alcohol. It is criminal even now to use certain drugs and substances on your own goddam body.
  Cryptography is a little like free speech. If it is only effective for people you like, it isn't real.
9. Re:The deed is done by Anonymous Coward · 2016-02-16 16:16 · Score: 0
  
  > Except for the Criminal Rights crowd
  Which are the Republicans because they want to hide their crimes. That's why they support encryption so hard.
10. Re:The deed is done by cold+fjord · 2016-02-16 16:25 · Score: 0
  
  As to "how likely is it for the criminals to get the keys?"... well, pretty much every system (FBI, DHS, Apple, etc) that could theoretically hold the keys has been breached at some point.
  Those breaches tend to involve exploits of bugs or weaknesses in the operating system or applications, not an actual breaking of encryption schemes. Big difference.
  
  --
  much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
11. Re:The deed is done by MachineShedFred · 2016-02-16 16:38 · Score: 1
  
  You can't take down co-conspirators with that kind of quitter talk.
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
12. Re:The deed is done by Anonymous Coward · 2016-02-16 16:53 · Score: 0
  
  To be fair, I can't tell the difference between law enforcement and criminals either.
13. Re:The deed is done by Anonymous Coward · 2016-02-16 17:33 · Score: 0
  
  TSA luggage keys anyone? Now there are copies and data files allowing duplication of the keys floating all around the world.
  See what happens when you allow the government to hold keys to your stuff?
  Would you give them keys to your home, just because you MIGHT do something naughty?
  Would you allow them to hold the keys to your phones, your computers and other personal devices ?
14. Re:The deed is done by Anonymous Coward · 2016-02-16 17:49 · Score: 0
  
  breaking into locked devices of CRIMINALS
  No, all 18 million iphone owners are not all criminals.
  The shooters are, and you very well may be, but you need to stop projecting your own life failures on the rest of the worlds population because the rest of us are NOT criminals.
  Also I changed my mind - the fact you wish to grant every criminal on the planet access to every law abiding citizens phone and computer and bank accounts and everything - if that act isn't criminal it should be.
  Either way, why should we care about what a person with such evil intentions says?
15. Re:The deed is done by Anonymous Coward · 2016-02-16 17:54 · Score: 0
  
  Not sure this belongs marked as "troll" guys. Reread the post. He's saying that you shouldn't oppose them trying to break into the device, not that there should be a back door. The difference is huge. A back door is stupid and I think unixisc knows this. However, it's perfectly find it the government wants to try to break in. It's perfectly find that Apple is helping them try to break in. I believe you'll find he's saying that you shouldn't be against them trying to break in with a lawful warrant. He's not saying that encryption is a bad thing or that the device is a bad thing.
  Hell, it's a good thing that they're trying to break in. Their success, or lack of it, will be a good indicator. They'll be wanting to have this evidence with the proper chain of custody so that it can be used in a court of law. So, it will likely be public knowledge if the device can be broken into or not.
  It's fine - even good - that they're trying to break in. It's lawful. There's nothing illegal or immoral about this.
  unixisc did not say that it's bad to have encryption or that it's bad to have unbreakable devices. Stop reading into things that weren't said. Holy shit.
16. Re:The deed is done by KitFox · 2016-02-16 18:12 · Score: 1
  
  I was just referring to the problem with the concept of "Effective encryption (that protects against criminals) with a backdoor (to fight against criminals)". "Secure/Effective" and "Backdoored" are mutually-exclusive in encryption.
  
  --
  @Whee
17. Re:The deed is done by KitFox · 2016-02-16 18:36 · Score: 2
  
  From one point of view, it could be said that I did not say the encryption scheme would be broken in that case. It would be the misappropriation of "legitimate" keys used to access the back door of the encryption system.
  From another point of view, if the point of the encryption is to prevent any but explicitly-authorized entities - as defined by the data holder and assumed to not include the pool of "and whoever has backdoor keys to the encryption system" - from accessing the data, the very existence of a backdoor breaks the encryption scheme (though not the cipher-generation algorithm) to a degree as it both creates an unknown third party "authorized entity" and a larger attack surface against which a successful attack can compromise the security of your data.
  The encryption scheme, taken as a whole, is the entirety of everything from the key storage to (in)secure hardware to the strength of the key against various attacks to the cipher algorithm and stuff in between and around. So the algorithm that generates the encrypted result and reverses that process may be "very secure", but the scheme as a whole can have other faults. Like "password written on a post it note and stuck to the back" or "intercept the self-destruct process to be allowed to brute-force 10,000 4-digit possibilities" to "offload the stored key and use knowledge of the pin-to-key process to extract the key by brute force on an external system".
  Encryption cipher algorithms as we know them today is not "unbreakable". It's just "currently so hard to break that it cannot feasibly be assumed to be doable in a useful time period." But a sticky note with the password renders even an "unbreakable" quantum cipher useless in short order. So you protect the key.
  If you are the only one in control of the key, you can make your own choices (within some limitations) on where that key exists and who/what has access to it. The moment there is a back door, you no longer have control over the fully-inclusive key set to your data and the people who do have proven that there is a strong potential for their backdoor key to become compromised, thus compromising the security of your data.
  
  --
  @Whee
18. Re:The deed is done by Anonymous Coward · 2016-02-16 22:35 · Score: 0
  
  " Apple is in the clear until someone proves users are downloading apps from apple that securely encrypt their devices and communications."
  Apple would still be in the clear.
19. Re:The deed is done by Anonymous Coward · 2016-02-16 22:51 · Score: 0
  
  This is in the United States. The state and criminals are pretty much indistinguishable in behaviour.
20. Re:The deed is done by Anonymous Coward · 2016-02-16 22:57 · Score: 0
  
  The problem is that cryptography is mathematics and doesn't know the difference between criminals and innocent people.
  The difference between a criminal and an innocent person is not in the person, but in the law.
  
  It also doesn't know the difference between law enforcement requests to unlock the phone and criminal requests.
  There is no fundamental difference.
21. Re:The deed is done by Anonymous Coward · 2016-02-17 00:57 · Score: 0
  
  Ok your honor. First, we will need 1 billion top end servers, and another billion years to crack the code. I presume the court will pay costs, including cooling and electricity for the equipment racks and the staff needed to maintain them?
22. Re:The deed is done by rsborg · 2016-02-17 11:24 · Score: 1
  
  The right to encryption and by extension privacy is more important than any one crime. The State has to accept its limitations, not wail and moan about how its 'not fair' they cant have absolute control over humans. Some things are beyond government's reach, accept it.
  Furthermore - maybe if they didn't just wantonly kill the suspects (aim to disable) and then allow the press to ransack the suspect's home then maybe, just maybe I might have some sympathy for the FBI here.
  But no - they fucked up and and now are asking for Apple to bail them out.
  
  --
  Make sure everyone's vote counts: Verified Voting
Let's also order the gun manufacturer by Anonymous Coward · 2016-02-16 13:35 · Score: 5, Funny

to revive the dead people.
What does he expect? by SwashbucklingCowboy · 2016-02-16 13:39 · Score: 1

Apple to setup a cloud system to try to brute force PBKDF2???
1. Re:What does he expect? by Tablizer · 2016-02-16 13:49 · Score: 1
  
  Apple to setup a cloud system to try to brute force [unlocking]
  Why not? We spend jillions for a lame fighter jet. What's a big server farm in comparison?
  
  --
  Table-ized A.I.
2. Re:What does he expect? by Darinbob · 2016-02-16 14:13 · Score: 1
  
  You just gotta ask yourself in these situations... What Would The Donald Do?
3. Re:What does he expect? by Tablizer · 2016-02-16 15:27 · Score: 1
  
  Blame it on Bush family, accuse Tim Cook of not having a birth cert, and make ISIS pay for decrypt.
  
  --
  Table-ized A.I.
4. Re:What does he expect? by gweihir · 2016-02-16 17:03 · Score: 2
  
  Brute forcing BPKDF2 is easy in comparison to what he wants. This is about breaking a secure microcontroller. A few orders of magnitude harder and pure software-attacks will very likely not work.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
5. Re:What does he expect? by Bongo · 2016-02-16 22:40 · Score: 1
  
  "Donald J Trump is gonna get Apple to start calculating their damn mathematics and encryption in this country instead of in other countries."
6. Re:What does he expect? by squiggleslash · 2016-02-17 00:59 · Score: 2
  
  No, they want Apple to create a "one-off" insecure version of iOS. Source: I was personally told this by Tim Cook.
  Well, OK, he wrote me a letter.
  Well, OK, he wrote a lot of people that same letter and has probably never heard of me or had me in mind when writing it. But he is a person, and he did tell me this via said open letter, so that counts as being personally told this by Tim Cook right?
  
  --
  You are not alone. This is not normal. None of this is normal.
7. Re:What does he expect? by Darinbob · 2016-02-17 07:09 · Score: 1
  
  Ha, I posed the question as a joke. But today the news says that Donald Trump is backing the FBI on this:
  "Who do they think they are? They have to open it up."
  "I agree 100% with the courts. In that case, we should open it up."
  "I think security, overall, we have to open it up and we have to use our heads. We have to use common sense."
8. Re:What does he expect? by brantondaveperson · 2016-02-17 13:18 · Score: 1
  
  So I read that, and I'm confused. The backdoored OS as described in the letter wouldn't help the FBI break into this phone, because you can't install it without the passcode anyway.
Let Apple Try by Your+Anus · 2016-02-16 13:39 · Score: 1

Once the phone bricks itself from the tampering, it won't be an issue.

--

In the USA, we like stuff watered down, like beer, television, and freedom.
1. Re:Let Apple Try by Anonymous Coward · 2016-02-16 13:46 · Score: 0
  
  I rather suspect Apple can disable that feature if they want.
2. Re:Let Apple Try by Anonymous Coward · 2016-02-16 14:05 · Score: 0
  
  I rather suspect Apple can disable that feature if they want.
  If apple can disable it, or just somehow copy the encrypted file system, they should be able to eventually decrypt it, though it might still be more complex than it appears.
  If you can copy the encrypted file system, then you just need to setup a process that somehow tests each possible key. The number of possible keys on a phone you have to be able to unlock in about 5 seconds is not all that huge. Of course if the tech is good, there might be parts of the encryption process burned into the iPhone, such that you effectively have another 256 bits there, and have no particularly easy way to retrieve them. In other words, it might be possible to make it so just copying the encrypted data means nothing, since that unique phone itself is part of the essential process of decryption. That would bring you back to stopping the bricking and just entering combinations, though possibly with electronically generated key presses.
  There was a name for making hardware specific variations in cryptography. I don't happen to recall it. Basically, imagine if you created a coprocessor that did math, but had no idea how it would respond to multiplying two N bit numbers, but you knew that the results would be the same every time for that coprocessor, and knew the results for the next chip in the line would be different, then you can do this kind of thing. I doubt that kind of thing is in an iphone, but who knows.
3. Re:Let Apple Try by PPH · 2016-02-16 14:42 · Score: 1
  
  I doubt that kind of thing is in an iphone, but who knows.
  I would expect that Apple knows. And if there is a procedure that involves getting at the phone's innards or encrypted disk, they will know how.
  
  --
  Have gnu, will travel.
4. Re:Let Apple Try by MachineShedFred · 2016-02-16 16:48 · Score: 1
  
  Yeah, you have no idea how Apple implemented this, so of course it should be easy.
  The amount of tries you get has an ever-increasing delay between that is hardware enforced by the secure device that holds the key, and that device cannot have it's storage copied. That device cannot be removed from the phone, as the processor contains part of the key's salt burned in, so they must be paired. And, it's possible that the default behavior of wiping the device, which is accomplished by wiping the key, happens after 10 incorrect tries. A better explanation from someone above: http://yro.slashdot.org/commen...
  So, if you want to do what you're suggesting, which is to image the device and then try to brute force the AES-256 key to decrypt the image, have fun. We'll get the results of that somewhere between now and after the Sun consumes the planet as it turns into a red dwarf. Either way, it is very improbable that anyone who would see the phone unlock would be born yet, or care about a very limited event in history from so many years ago from their point of view.
  More info: https://www.apple.com/business...
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
5. Re:Let Apple Try by Dutch+Gun · 2016-02-16 18:34 · Score: 1
  
  Everything is easy when you're a "big picture" guy. Like the judge: "I hereby order you to crack your unbreakable encryption."
  Hell, why not order Apple to end all wars, crime, hunger, and disease here on earth? He's thinking too small if he's going to make wishes.
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
6. Re:Let Apple Try by Anonymous Coward · 2016-02-16 19:09 · Score: 0
  
  https://www.apple.com/business...
  
  I really need to read that. It sounds incredibly interesting. Still, I don't think anyone suggested that decrypting 256 bits would be easy or even remotely reasonable. The previous was more focused on, if you could create a way to replicate the environment and keep trying 4 digit codes, but it seems that Apple has dotted their I's fairly carefully. (A microscope level analysis of the residues on the glass might yield which 4 digits, if not their order.) If it really is that good, I'm half surprised they were allowed to sell it, since what I'm hearing is essentially very easy to use unbreakable encryption in consumer devices. Of course, Apply may internally know the weak points that could be used for a more realistic attack against the secure key storage, or at least where to point the specialist when they go digging for the key physically layer by layer through the silicon. That being said, who pays for the reputation damage if it gets out that Apple had a way to attack their own hardware?
  It sounds like the best approach is just to somehow modify the actual hardware very very carefully to stop the key wipe and then disable or trick the timer. That sounds like very specialized skills requiring a lot of highly specialized knowledge.
  Of course, if the phone's owner was still alive, then apple could probably send a "important update" that improves phone (in)security, by making sure the next backup is encrypted under a chosen key, and then of course enable that backup.
7. Re:Let Apple Try by david_thornley · 2016-02-17 06:36 · Score: 1
  
  We'll get the results of that somewhere between now and after the Sun consumes the planet as it turns into a red dwarf.
  
  Actually, that's very probably false. Decrypting an AES-256 key, even with quantum processors of great power, is really really hard. I mean, you might think the chemist has a hard time deciphering the doctor's writing, but...
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
8. Re:Let Apple Try by Anonymous Coward · 2016-02-17 06:52 · Score: 0
  
  Try reading TFA. The judge ordered Apple to help the FBI brute-force the PIN code. Very doable if the auto-erase and PIN entry time delay are implemented in software.
The code is.... by ChadSmith4920 · 2016-02-16 13:41 · Score: 4, Funny

Unlock code: 072 (Virgins)
1. Re:The code is.... by Tablizer · 2016-02-16 15:22 · Score: 1
  
  No, this guy knows better. "72experiencedSluts"
  
  --
  Table-ized A.I.
2. Re:The code is.... by 93+Escort+Wagon · 2016-02-16 15:43 · Score: 1
  
  Unlock code: 072 (Virgins)
  Not if it's the wife's phone.
  
  --
  #DeleteChrome
3. Re:The code is.... by Bongo · 2016-02-16 23:04 · Score: 1
  
  You laugh but there is a 3 digit number that's meaningful to Muslims and often used (a Muslim pal of mine once unlocked another Muslim's phone using this trick). I for one forget what the number was tho.
4. Re:The code is.... by Anonymous Coward · 2016-02-17 01:34 · Score: 0
  
  Unlock code: 072 (Virgins)
  No, it is: 072 (Perpetual Virgins)
5. Re:The code is.... by Anonymous Coward · 2016-02-17 02:50 · Score: 0
  
  Alahu Akbar
  Mohammed
  Aisha
  Starbucks
  BoomBoom
6. Re:The code is.... by Anonymous Coward · 2016-02-17 20:01 · Score: 0
  
  I'm pretty sure that's 0110 (assuming a zero-prefix means octal).
It's easy Mr Judge by penguinoid · 2016-02-16 13:42 · Score: 4, Insightful

All you gotta do is put the password here and it opens right up. What's that? You don't know the password? Neither do we.

--
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
1. Re:It's easy Mr Judge by Darinbob · 2016-02-16 14:14 · Score: 1
  
  I honestly think that the FBI doesn't believe this and think Apple is holding out. Well, the FBI workers probably believe it, but the FBI managers who don't understand technology don't believe it. They've got so much experience with data leaking out left and right from unsecure web sites that they suspect the same thing from Apple.
2. Re:It's easy Mr Judge by Anonymous Coward · 2016-02-16 14:27 · Score: 0
  
  The idea that FBI managers don't understand technology is absurd.
3. Re:It's easy Mr Judge by jsrjsr · 2016-02-16 15:14 · Score: 3, Insightful
  
  Yeah, it is absurd. But it is probably also true.
4. Re:It's easy Mr Judge by cfalcon · 2016-02-16 17:49 · Score: 2
  
  The idea that a judge doesn't understand technology is NOT absurd, however.
5. Re:It's easy Mr Judge by cfalcon · 2016-02-16 17:50 · Score: 1
  
  There aren't enough terrorists to make a difference in sales.
  However, I will say this: if Apple can break in, it makes me less likely to trust anything Apple says or sells, because I expect encryption, not backdoored bullshit.
6. Re:It's easy Mr Judge by Sabalon · 2016-02-17 01:33 · Score: 1
  
  "C'mon Jim - don't feed me that bull that it can't be done. I was watching CSI last night and they typed "PASSWORD OVERRIDE" in and it let them in the system. Call apple back and have them try that."
7. Re:It's easy Mr Judge by david_thornley · 2016-02-17 06:38 · Score: 1
  
  Judges are not supposed to need to understand technology, or anything else in particular except the law. The danger is a judge who thinks he or she understands technology, and is wrong.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
What if Apple cannot access the info? by mark-t · 2016-02-16 13:44 · Score: 4, Interesting

Is it contempt of court to refuse to try and do something that one already knows they cannot possibly do?

--
File under 'M' for 'Manic ranting'
1. Re: What if Apple cannot access the info? by Anonymous Coward · 2016-02-16 13:58 · Score: 0
  
  In a word, yes.
  In more words, the key is substantial compliance. Apple will have to demonstrate that they made an effort to try. This will have to convince the judge that they did enough to show they made enough of an attempt. Likely they will have to document their process for the FBI.
2. Re: What if Apple cannot access the info? by fustakrakich · 2016-02-16 14:06 · Score: 1
  
  Likely they will have to document their process for the FBI.
  They can divert some power from the Bitcoin mines, leaving just enough for life support.
  
  --
  “He’s not deformed, he’s just drunk!”
3. Re: What if Apple cannot access the info? by Anonymous Coward · 2016-02-16 14:09 · Score: 2, Informative
  
  And since we have judges who do not understand encryption or technology whatsoever, the judge will simply find Apple didn't do enough to decrypt the phone.
4. Re:What if Apple cannot access the info? by Anonymous Coward · 2016-02-16 14:17 · Score: 0
  
  Is it contempt of court to refuse to try and do something that one already knows they cannot possibly do?
  Apple has a few day to comply, or to explain why doing so is "unduly burdensome". "impossible" is a subset of "unduly burdensome".
5. Re:What if Apple cannot access the info? by argumentsockpuppet · 2016-02-16 14:24 · Score: 3, Insightful
  
  The phone is encrypted so that it takes a key that is randomly generated and unguessable, however the password that encrypts the key is not unguessable. Running a password guessing program against the key would work, except that the hardware limits how many guesses can be tried over a period of time. What you could do is modify the hardware to allow guessing the password without the limits, but modifying the hardware is extremely difficult. I know that many years ago when I worked with machines intended to prevent tampering, they had light sensitive components that would wipe the key if exposed. There are doubtless other similar failsafes built into the hardware to prevent attempts to modify the components. For example, they might have a tiny drop of mercury enclosed in a thin plastic bubble surrounded by a mesh of wires that would cause a short which would wipe the keys if the equipment is crushed or sawed. So if those two things were known, working on the device without light while frozen might allow microscopic layers to be removed until the bubble and wire mesh can revealed. If I were trying to design a keystore, that's the sort of thing I'd do and I'd know it is theoretically possible, but practically impossible to modify the hardware without triggering a key wipe. I'm just theorizing about how Apple might approach the tech, but I'm confident that it's a fair analogy.
  Apple can legitimately be compelled to provide documentation and expert consultants with the explanations on what can go wrong with each step with an encryption key recovery technique. It's likely that disassembling the hardware in the right ways and modifying it exactly right with just the right tools could give a modification allowing an attempt to brute force the password to retrieve the key. It is also likely that trying it could permanently destroy the key. If you have the steps and tools and information along with clear descriptions of what is likely to permanently destroy the keys and turn that over to the court, they'll likely screw it up, but Apple is off the hook.
  I assume that physical access is sufficient to break into any system humans have the ability to use normally, particularly with a password. That doesn't mean I think it can be done with reasonable tools or normal methods. In fact, I expect it is very, very hard. Honestly though, it's all I really ask of any company I trust.
6. Re: What if Apple cannot access the info? by mark-t · 2016-02-16 14:29 · Score: 3, Insightful
  
  how do you show that you tried when it is something you cannot really show progress on until you succeed, and you do not have any ability to guarantee success?
  The reason the fbi is blocked is because they don't know the passcode, and this would be equally true for Apple. Apple may be utterly unable to do anything that the fbi cannot do and may have even already tried
  The judge may as well have told them to try and go faster than light. There are mathematical reasons why breaking encryption is hard, and being a big company with lots of money doesn't allow one to break the rules of mathematics
  
  --
  File under 'M' for 'Manic ranting'
7. Re:What if Apple cannot access the info? by Anonymous Coward · 2016-02-16 15:09 · Score: 1
  
  Also, apple is a third party to this. It's as if I have a safe, and they grabbed some locksmith from the company and said "open this safe". whats the safe maker got to do with my court case?
8. Re:What if Apple cannot access the info? by Anonymous Coward · 2016-02-16 15:16 · Score: 0
  
  The part I have a hard time believing, is that there is more on his phone, useful to the FBI, than what info...
  a) the cellular company provided; i.e. , every number he ever called, and possibly text he ever sent...
  b) what pictures he took, websites he browsed, and apps he downloaded and installed from the app store.
  The latter, might be of use, but parts of that Apple could provide without locking the phone, as well as web traffic, which the cellular provider might be able to provide. This seems like a stretch need by the FBI, beyond the
  a) 'this gives us legal precedent' if ruled in our favor, and we can then use at will, refusers be damned...
  On the cover, it just seems it wants the courts to force a Corporate giant to do the heavy lifting, so the FBI doesn't have to spend the resources, (see personnel and tech. development.. i.e. $$$), to create a solution.
9. Re:What if Apple cannot access the info? by Anonymous Coward · 2016-02-16 15:54 · Score: 0
  
  Contempt requires disrespect or willful disobedience. A few expert witnesses and I am sure the judge can be presented with sufficient evidence that what is asked is beyond the ability to obtain in one's lifetime. Now, if it later becomes possible, and it is released that Apple knew an easy way that they didn't publicize earlier, then you might get a contempt charge.
10. Re:What if Apple cannot access the info? by MachineShedFred · 2016-02-16 16:51 · Score: 1
  
  Well, a judge ordered them to do the impossible. The judge didn't order that it had to be done within a certain time period. So, pull an image from the device and set a "reasonable" amount of computing power at guessing keys. In a couple thousand years when it gets unlocked, no one will care, and the order was complied with.
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
11. Re: What if Apple cannot access the info? by MachineShedFred · 2016-02-16 16:53 · Score: 4, Insightful
  
  This is why you pay a team of lawyers to show what extravagant actions were done in order to comply with the court order, and convince the judge.
  You act like a Federal Judge is a fucking moron or something. They may not understand technology, but they aren't stupid by any means.
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
12. Re:What if Apple cannot access the info? by mark-t · 2016-02-16 18:55 · Score: 1
  
  Contempt requires disrespect or willful disobedience. A few expert witnesses and I am sure the judge can be presented with sufficient evidence that what is asked is beyond the ability to obtain in one's lifetime.
  There are distinctly mathematical reasons why breaking encryption is hard, and those reasons are why the fbi was having a hard time breaking it. Apple can't break the rules of mathematics any more than the fbi can, but try explaining that to somebody who doesn't understand the mathematics behind encryption. They will end up either having to take it on faith that you are telling the truth or else they will simply doubt the conclusion you might present that it is genuinely as hard for you as for anyone else in the first place. This judge probably isn't the sort of person to just take Apple at their word if they say they can't do it, but there's no way they or anyone else can really prove that they can't do it to a person who doesn't appear to understand the mathematical reasons why breaking strong encryption is genuinely hard unless the person is prepared to accept that fact on faith.
  
  --
  File under 'M' for 'Manic ranting'
13. Re: What if Apple cannot access the info? by pla · 2016-02-16 23:46 · Score: 1
  
  ...Almost like we have a system that considers people guilty until proven innocent. Huh, imagine that - If only we had some sort of rules against that!
14. Re: What if Apple cannot access the info? by Trailer+Trash · 2016-02-17 01:59 · Score: 1
  
  This is why you pay a team of lawyers to show what extravagant actions were done in order to comply with the court order, and convince the judge.
  You act like a Federal Judge is a fucking moron or something. They may not understand technology, but they aren't stupid by any means.
  She's not stupid, but she also doesn't know her limitations. Sometimes, that's worse than plain old "stupid" as it causes someone who's highly qualified in one area to fancy themselves equally qualified in other areas where they absolutely are not qualified.
  If Apple comes in and says "we can't help you here" - and there is a chorus of people like us repeating "they can't help you here" - then she needs to step back and say "maybe I don't understand all of this as well as I think I do, so I'll choose to believe these people who probably do understand it". That's the delineation between "smart" and "wise".
  I read plenty of court cases and I've sent plenty of emails to judges along the lines of "As a judge, you have really poor judgement".
  
  --
  Do you have ESP?
15. Re:What if Apple cannot access the info? by c · 2016-02-17 02:14 · Score: 1
  
  Is it contempt of court to refuse to try and do something that one already knows they cannot possibly do?
  IANAL, but the law generally frowns on requiring that someone prove a negative. That is, it's the job of the prosecution to prove that Apple can do this, not for Apple to prove that they can't.
  
  --
  Log in or piss off.
16. Re: What if Apple cannot access the info? by mark-t · 2016-02-17 03:46 · Score: 1
  
  This is why you pay a team of lawyers to show what extravagant actions were done in order to comply with the court order, and convince the judge.
  Such extravagant actions would, in this case, amount to trying to break the rules of mathematics, since there are mathematical reasons why breaking encryption is hard. This is absurd. There isn't even anything one could begin to actually do to even give an appearance of trying to break such rules, let alone succeeding.
  
  --
  File under 'M' for 'Manic ranting'
17. Re: What if Apple cannot access the info? by MachineShedFred · 2016-02-17 03:51 · Score: 1
  
  Which is why you pay a lawyer 4 hours to sit down with a cryptographer ("expert witness") who then writes a legal brief saying as much. You continue by saying that the only possible strategies for accomplishing what is asked in the court order is extravagantly expensive in either time, resources, or in this case, both. You provide documentation proving it to be true.
  The legal phrase of note here is "unduly burdensome" and running a supercomputer that doesn't yet exist for a couple hundred years probably meets that definition.
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
18. Re:What if Apple cannot access the info? by david_thornley · 2016-02-17 06:41 · Score: 1
  
  Physical access will not give access to encrypted information. The interesting thing is whether it can give adequate access to the key. Apple wanted to make it to not do that, and Apple is a high-tech company with approximately three gazillion dollars vacuumed out of the sofas in the executive suite they can spend to make it work the way they want.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
19. Re:What if Apple cannot access the info? by Anonymous Coward · 2016-02-17 06:55 · Score: 0
  
  Not so. Read TFA. The judge ordered them to help the FBI brute-force the passcode by making a custom version of IOS that lets them enter more than 10 tries.
20. Re:What if Apple cannot access the info? by argumentsockpuppet · 2016-02-17 14:58 · Score: 1
  
  Did you come here for an argument? You must have come here for an argument, else why reply to me (notice the nick?) in that way. Fine.
  "Physical access will not give access to encrypted information" sounds like "takes a key that is randomly generated and unguessable" but it's not. Poor encryption doesn't protect data. Flawed encryption doesn't protect data. Physical access to a system where the data is encrypted but the key is stored unencrypted in the physical medium doesn't protect the data. In this case, the key is encrypted and the data is encrypted with the key, but the key isn't encrypted with an unguessable password. It is totally guessable. Therefore the key can be decrypted with a standard brute force guessing process. There's no reasonable argument against that obvious truth.
  So, given that the password can be decrypted with physical access, there is nothing but hardware protection to prevent the key from being decrypted by guessing the password. Nothing except the design and manufacturing technique prevent the application of a standard brute force guessing process. So, yes, absolutely, the physical access can be combined with sufficient knowledge of the hardware and disassembly techniques to guarantee the data can be decrypted.
  The question isn't whether the key can be retrieved, it can be. The question isn't whether the password can be guessed, it can be. The only question is whether the built in hardware protections are sufficient, in this case, to prevent successful modification.
  Did Apple put forth three gazillion dollars worth of effort into making the hardware too difficult to modify? Doubtful. But maybe, just barely maybe, they put enough work into designing and manufacturing the hardware to prevent this court or these experts from being able to do it.
21. Re:What if Apple cannot access the info? by Anonymous Coward · 2016-02-18 09:08 · Score: 0
  
  What if the goal here is to force Apple to give up it's encryption methods
  to the court, who will then hand it over to ISIS? Why? Well, you know,
  because "apple didn't build that, anyway".
Encryption by Anonymous Coward · 2016-02-16 13:45 · Score: 0

http://i.imgur.com/KITvkT4l.jpg
I think you just missed the *point* of encryption.
Try all combinations by Anonymous Coward · 2016-02-16 13:46 · Score: 0

iOS revels how many digits are in the passcode right? If it's a 4 digit passcode that's 10,000 combinations? Can you just try all combinations infrequently enough to not lock the phone? Or am I wrong or ignorant of something, just a thought
1. Re:Try all combinations by Falconhell · 2016-02-16 13:54 · Score: 3, Informative
  
  They can be set so 10 failed tries wipes the phone. They can also set larger passwords than 4 digits.
2. Re:Try all combinations by fustakrakich · 2016-02-16 14:08 · Score: 2
  
  I assume they would image the drive first...
  
  --
  “He’s not deformed, he’s just drunk!”
3. Re:Try all combinations by sims+2 · 2016-02-16 14:24 · Score: 1
  
  Iirc iPhones use hardware encryption when the reset is hit it changes the hardware key. So then that backup is worthless.
  
  --
  Minimum threshold fixed. Thanks!
4. Re: Try all combinations by Anonymous Coward · 2016-02-16 14:31 · Score: 0
  
  The default is a 4-digit PIN, but you can use any length alphanumeric password (and if it is not 4 digits it doesn't tell you how many characters). The default is also that 10 failures will erase the phone's contents.
  Were I so desperate to get into the phone, I'd image it (which might require some hardware work), then I'd copy the image, try a password, lather rinse repeat. It would be slow and complicated, but it would break eventually. The FBI should be able to do that without Apple's help.
5. Re:Try all combinations by guruevi · 2016-02-16 16:02 · Score: 1
  
  They are ALL set so 10 failed passwords wipe the phones (although it would take you 2 hours to do so as it progressively time locks). You can't just hack an Apple iPhone like you do an Android; they have designed a very good security chip and to circumvent it would require insane amounts of engineering.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
6. Re:Try all combinations by Anonymous Coward · 2016-02-16 16:35 · Score: 0
  
  If Apple has the software, they could run a brute force method on a virtual machine. Desktop emulation of Android is already part of development.
7. Re:Try all combinations by MachineShedFred · 2016-02-16 16:58 · Score: 1
  
  That gets you the AES-256 encrypted image.
  When he says "wipes the phone" what he really meant is "wipes the decryption key from the secure hardware storage" and you're fucked. Then it's brute force for thousands of years time.
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
8. Re:Try all combinations by gweihir · 2016-02-16 17:01 · Score: 1
  
  They would need to image the secure microcontroller holding the key. That is a bit harder. Might take a few years of research by some really bright people and some really expensive equipment.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
9. Re:Try all combinations by Anonymous Coward · 2016-02-16 17:24 · Score: 0
  
  Mine isn't set to wipe after 10. Don't remember specifically turning it off, but I vaguely recall not turning it on when I set up my phone initially.
10. Re:Try all combinations by Torodung · 2016-02-16 17:30 · Score: 1
  
  So two hours time and any fool can trivially wipe any iPhone? Um, that doesn't sound okay at all.
11. Re:Try all combinations by cfalcon · 2016-02-16 17:55 · Score: 1
  
  > Mine isn't set to wipe after 10.
  Easily fixable. Settings -> Touch ID and Passcode -> Turn on "Erase Data" at the bottom.
12. Re:Try all combinations by fustakrakich · 2016-02-16 17:57 · Score: 1
  
  They would need to image the secure microcontroller holding the key.
  I have a hard time believing that can't be done already, unless there is an internal, on the die self destruct triggered by 'improper' access.
  
  --
  “He’s not deformed, he’s just drunk!”
13. Re:Try all combinations by cfalcon · 2016-02-16 18:03 · Score: 1
  
  You can turn the feature off- but under what circumstances would you want someone to have access to your phone for two hours and it continue to have all your personal stuff on it?
  Remember that restoring an iphone is trivial once its in your possession, from itunes or icloud.
  Anyway, it's not on by default.
14. Re:Try all combinations by gweihir · 2016-02-16 18:47 · Score: 1
  
  And why exactly do you believe that one of the world's most capable tech companies does not use such elementary and well-understood precautions?
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
15. Re:Try all combinations by fustakrakich · 2016-02-16 18:57 · Score: 1
  
  I don't know, mandated back doors maybe?
  
  --
  “He’s not deformed, he’s just drunk!”
16. Re: Try all combinations by cfalcon · 2016-02-16 19:46 · Score: 1
  
  You have three options:
  The first is a 4 digit PIN.
  The second is a 6 digit PIN.
  The third is any passphrase of any length.
  It's trivially obvious which mode it is in- the first two bring up a number pad and have 4 or 6 boxes to fill in, the third brings up a screen with a keyboard.
  > Were I so desperate to get into the phone, I'd image it
  Right, so now you have an AES-128 image sitting around, and you destroyed the key when you imaged it. Unless they dicked up the AES-128, it should be pretty hard to break that. The key in question isn't the PIN, obviously, the PIN protects the key.
17. Re:Try all combinations by david_thornley · 2016-02-17 07:34 · Score: 1
  
  If I have physical access to your iPhone I bet I can wipe the data a lot faster than that, particularly if I'm allowed some simple tools like a hammer and a chisel and a microwave.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
18. Re:Try all combinations by david_thornley · 2016-02-17 07:52 · Score: 1
  
  Then it's brute force for thousands of years time.
  
  Everybody seems to get this wrong. This is real encryption, guys, and is intended to be proof against simple things like rich nation-states determined to break it no matter how long it takes. It's not going to be brute-forced in millennia, or even in a few billion years. Unless there's something fundamentally wrong with our understanding of computation, it's not going to be brute-forced using only the resources of the Solar System. Taking a look at the Kardashev Scale (which I keep thinking of as the Kardashian Scale), a mere Type III civilization (one that uses the resources of an entire large galaxy) isn't likely to brute-force it either, since it looks like only a hundred billion times the power of a Type II and we're talking about AES-256, unless they can make enough sufficiently powerful quantum computers.
  You can sometimes convince a cryptographer that something is secure because of the difficulty involved in breaking it, but nowadays it seems like they want to make things resistant to Kardashev Type II civilizations at the very least.
  Given a Kardashev Type III civilization and an iPhone I wanted broken, I'd probably either have it imaged at the atomic level and processed in a planetary server farm, or have a few billion brilliant cryptographers gather on a planet and try to come up with an actual break of AES. Either would be more promising than brute-forcing the key.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
19. Re:Try all combinations by gweihir · 2016-02-17 08:26 · Score: 1
  
  Then neither side would make this public as these would need to be kept secret at this time. No, this is the FBI trying to call Apples bluff. Thing is, I think it is not a bluff at all. Oh, sure, if you throw, say, 100 Million and 10 really capable people at the problem, they would get the phone open and it may even take less than a year. But the FBI cannot legally order Apple to spend that effort.
  In any case, it will be very interesting so see how this unfolds. I predict Apple is going to win and we all will have a better world for it.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
20. Re:Try all combinations by MachineShedFred · 2016-02-19 03:39 · Score: 1
  
  The point behind the phrase "thousands of years" isn't to be accurate in any way, but to instead show that it is an insurmountable task which would require a fantastic amount of resources for a ludicrous amount of time in order to do.
  And, "thousands of years" is also a subset of a few billion years, so you can still take it literally and it would be true, if inaccurate.
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
Re: TROLL by Anonymous Coward · 2016-02-16 13:49 · Score: 0

Are you dead because of niggerness? Didn't quite understand the rant
Re: TROLL by sims+2 · 2016-02-16 13:52 · Score: 1

I don't understand why he keeps posting dead links.

--
Minimum threshold fixed. Thanks!
The FBI are LUDDITES! by Anonymous Coward · 2016-02-16 13:54 · Score: 0

Modern app appers know that ONLY apps can app apps, not the LUDDITES at the FBI or Apple!
Apps!
I want to post by rmdingler · 2016-02-16 13:56 · Score: 1

I am just in serious jeopardy of sounding like an Apple fanboi.
fock it. Clap, clap, clap

--
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
Did they write down their passwords? by Lakitu · 2016-02-16 14:00 · Score: 3

Maybe they should ask one of the 5,000,000 various reporters, journalists, and random people eating popsicles if they saw what looked like an iPhone passcode written down somewhere in their house while it was being ransacked live on television a day or two after the attack.
1. Re:Did they write down their passwords? by Anonymous Coward · 2016-02-16 19:24 · Score: 0
  
  Sure has approved a lot of drone strikes against Islamist extremists for this theory to have any weight behind it...
2. Re:Did they write down their passwords? by Anonymous Coward · 2016-02-16 23:19 · Score: 0
  
  Of course they didn't. It was all a setup. And so is TFA just more propaganda.
Involuntary Servitude by Anonymous Coward · 2016-02-16 14:02 · Score: 0

Involuntary servitude is outlawed in the Constitution. The judge has now misbehaved in violation of the Constitution, and should be impeached.
4 Digit Pin? by Greyfox · 2016-02-16 14:06 · Score: 1, Funny

No problem. 0000. Nope. 0001. Nope. 0002. Nope...

--
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
1. Re:4 Digit Pin? by Anonymous Coward · 2016-02-16 14:35 · Score: 5, Informative
  
  No problem. 0000. Nope. 0001. Nope. 0002. Nope...
  0009. Too many invalid password attempts. Full disk encryption key has been erased. Initiating factory reset of device...
2. Re:4 Digit Pin? by Anonymous Coward · 2016-02-16 14:58 · Score: 0
  
  Phone erases itself after 10 tries. You can use more than four digits.
  The article explains that the prosecutor specifically asked apple is to disable the "erase phone after ten tries".
3. Re:4 Digit Pin? by Anonymous Coward · 2016-02-16 15:37 · Score: 2, Funny
  
  Well, your honor, we tried.
4. Re:4 Digit Pin? by pla · 2016-02-16 23:53 · Score: 1
  
  And this, despite all the FUD in this thread, amounts to what the judge wants Apple to get around.
  
  Considering Apple implemented this purely in software (since it applies even to pre-iOS8 phones upgraded to that version), they don't have their encryption baked into tamper-resistant hardware. Satisfying this request, therefore, amounts to "clone the phone's encrypted contents and run it in an emulator; each time it self-destructs, restart the emulator".
  
  Lots of folks throwing around BS about cracking RSA keys and hardware wipes in this thread. No. Realistically, it should take under a second to try all four-digit codes, and just a few minutes even if they used a "highly secure" 8-digit code. The FBI doesn't count as that stupid, they just need access to Apple's Holy ICE.
5. Re:4 Digit Pin? by fox171171 · 2016-02-17 02:16 · Score: 1
  
  No problem. 0000. Nope. 0001. Nope. 0002. Nope...
  That's why 9999 is always the best PIN.
6. Re:4 Digit Pin? by Nixoloco · 2016-02-17 08:29 · Score: 1
  
  Since this is an old iPhone 5c with the A6 SoC, you are mostly correct. This is not true of the newer phones with A7+ SoC's that have the Secure Enclave.
Judge by Anonymous Coward · 2016-02-16 14:08 · Score: 0

Dang - you'd think that there were no criminals nor terrorists before cell phones. Remember when phones didn't have memory? Besides tapping phone lines (which used to require warrants), what did law enforcement / FBI do to gather intel after such crimes? Absurd request.
Judges are not bright. by Lumpy · 2016-02-16 14:10 · Score: 1

But they do have an inflated sense of power and get all pissy when people don't do the impossible if they demand it.

--
Do not look at laser with remaining good eye.
pull phone image and run in an emulator? by Anonymous Coward · 2016-02-16 14:17 · Score: 0

Couldn't they just pull an image of the phone's memory(yes, that means tearing the phone apart), run that in an emulator and try 10 pin combinations, reimage, retry. ad infinitum until they get the phone unlocked? Add some parallelization and you're off to the races...
1. Re:pull phone image and run in an emulator? by adamstew · 2016-02-16 14:36 · Score: 1
  
  No. In short: The iPhone's encryption is tied to the physical hardware. Within the chips themselves lies a full 256-bit AES encryption key. The 4-digit pin simply unlocks the encryption key from the chips. They are tamper resistant and you can't just write software to get around their protection of the full encryption key as it's all hardware enforced.
  For a full explanation, see my previous post earlier in the article: http://yro.slashdot.org/commen...
2. Re:pull phone image and run in an emulator? by gweihir · 2016-02-16 16:59 · Score: 1
  
  No. They need to pull the encryption-keys from a secure microcontroller. If you can throw a lot of money and time at the problem, that is doable. To get an idea, I recommend "Hacking the Xbox" by Bunny. One PhD by one very smart guy that invested several years. The iPhone will be much harder. Also, the people that _can_ do it may not want to work for the FBI in the first place.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
3. Re:pull phone image and run in an emulator? by MachineShedFred · 2016-02-16 17:04 · Score: 1
  
  The key isn't in an image-able bit of memory. It's in the secure chip. And that secure chip can't be removed from the device without fucking the key, as it's paired with a burned-in value in the CPU. The password try delay is enforced by that chip, and that chip erases itself after 10 tries unless you disable that feature, which (presumably) Apple will not be able to do, because that preference would be stored on-chip.
  The only off-phone method you'd have is directly attacking the AES-256 encrypted image by brute-forcing the whole key. Good luck with that.
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
4. Re:pull phone image and run in an emulator? by Anonymous Coward · 2016-02-16 17:40 · Score: 0
  
  For 5s and up, yes
  but this is a 5c
Judge tells man to lick own elbow by ihtoit · 2016-02-16 14:18 · Score: 1

You can't order someone to do the impossible. For practical purposes, breaking the end to end encryption on an iphone is impossible. Who better than the people who developed the software to know this??

--
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
1. Re:Judge tells man to lick own elbow by Jeremi · 2016-02-16 14:31 · Score: 1
  
  You can't order someone to do the impossible. For practical purposes, breaking the end to end encryption on an iphone is impossible. Who better than the people who developed the software to know this??
  I thought that once you had physical access to a device, it was just a matter of time and expertise before you could crack it. Does Apple know some secret techniques that nobody else does, such that an iPhone 5c is physically tamper-proof even by the people who built it and know everything about its design and manufacturing?
  That's possible I suppose, but I doubt it.
  
  --
  
  I don't care if it's 90,000 hectares. That lake was not my doing.
2. Re:Judge tells man to lick own elbow by rahvin112 · 2016-02-16 14:41 · Score: 1
  
  You can't order someone to do the impossible.
  The reality would belay that conclusion. There was a news article today about a guy that had a marshals swat team raid is house, arrest him and take him to jail then court where a bank lawyer acting as a prosecutor took him before a judge about an unpaid student loan from 30 year ago that they didn't even bother writing him a letter about. He was ordered to pay triple the amount in 2 weeks or they would arrest him again.
  Debtors prisons are apparently back.
3. Re:Judge tells man to lick own elbow by Anonymous Coward · 2016-02-16 14:47 · Score: 0
  
  I thought that once you had physical access to a device, it was just a matter of time and expertise before you could crack it.
  It is just a matter of time. But the question is how much time, and without the encryption key the answer is "way more than you've got".
4. Re:Judge tells man to lick own elbow by Anonymous Coward · 2016-02-16 14:51 · Score: 0
  
  Though it's true that if you have physical access to a device it's only a matter of time to crack it, if the encryption was properly implemented and the passwords adequately created, the amount of time could very easily exceed the time until the heat death of the universe.
5. Re:Judge tells man to lick own elbow by Anonymous Coward · 2016-02-16 14:58 · Score: 0
  
  If the phone's data is stored on its physical memory in encrypted form, and the cipher is long/strong enough, then unless you have a fuckin' Quammadore 64 quantum computer, it might as well be tamper-proof.
  Ordinarily, if it would take years of supercomputer time to break the encryption, they would use the $5 hammer trick instead ... but that won't work this time, because the only people who might have known the password are dead.
  Heh, captcha says "subdue"
6. Re:Judge tells man to lick own elbow by guruevi · 2016-02-16 16:07 · Score: 1
  
  That's one way for Apple to make sure they continue being in business. "Yes your honor, we have calculated we can do this in 500 million years, to do so, please have the government mandate our business' existence for said period of time"
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
7. Re:Judge tells man to lick own elbow by gweihir · 2016-02-16 16:54 · Score: 1
  
  Not quite. But the people they developed it will certainly not be able to break is, as every thing they could think of they made impossible. Whether others can get in or not is an interesting question, but AFAIK, all jail-breaks require the phone to be unlocked and jail-breaks for the iPhone are getting harder and harder. It is an actual problem for security-testing now and Apple will have to do something about that, like offering a simulator or special devices with intentionally broken security.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
8. Re:Judge tells man to lick own elbow by Anonymous Coward · 2016-02-17 02:26 · Score: 0
  
  Your reply is off topic, so this reply is too. Still....
  There is more to that story than you know or write. The former is fixed by education of the issue, the latter can't be fixed. Which are you?
  If you ignore multiple attempted communications of a court request, you WILL get the shit end of the stick. His arrest wasn't because of bad loans. His arrest is because he felt he was above the law.
  http://money.cnn.com/2016/02/16/pf/college/arrested-student-loan-marshals/
  
  The U.S. Marshals Service made several attempts to serve Aker with a court order requesting that he appear in federal court and searched numerous known addresses, the agency said in a statement. The Marshals Service said it spoke with him by phone in 2012 requesting he appear in court, but he refused.
  
  A judge issued a warrant for his arrest in December of 2012 after he failed to appear in court, the Marshals Service said.
9. Re:Judge tells man to lick own elbow by rsborg · 2016-02-17 11:21 · Score: 1
  
  You can't order someone to do the impossible. For practical purposes, breaking the end to end encryption on an iphone is impossible. Who better than the people who developed the software to know this??
  I thought that once you had physical access to a device, it was just a matter of time and expertise before you could crack it. Does Apple know some secret techniques that nobody else does, such that an iPhone 5c is physically tamper-proof even by the people who built it and know everything about its design and manufacturing?
  That's possible I suppose, but I doubt it.
  If that's the case, then why hasn't the FBI already cracked it? Oh, maybe it's really that difficult to crack? Apple might well have made a lock that they themselves couldn't pick - at least not without a herculean effort.
  
  --
  Make sure everyone's vote counts: Verified Voting
10. Re:Judge tells man to lick own elbow by ihtoit · 2016-02-17 17:21 · Score: 1
  
  jailbreaking the iphone involves obliteration of the AES-256 seed key, which in turn renders the data residing in user memory utterly irrecoverable. Unless you've found a shortcut to something that's been calculated to require every human brain and every CPU ever to have lived or produced respectively, the entire lifetime of the universe to bruteforce, then you're not retrieving that data without ALL THREE of the following: the hardware UID (which sits in a sequestered part of the CPU hence is not externally readable), the AES-256 key (which is generated when you set the passcode, used to encrypt the filesystem then destroyed after the first reboot/logon cycle) and the user passcode. Since the device in question is locked with a passcode known only to a person who is now dead (thought experiment time), calculate the possibility of extracting useful data from his locked phone?
  
  --
  Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
They could try this... by Press2ToContinue · 2016-02-16 14:19 · Score: 1

If the OS was updated to IOS 9 then there's this fun hack...
Maybe Apple could try a web search to find other vulnerabilities.
Just a thought.

--
Sent from my ENIAC
1. Re:They could try this... by cfalcon · 2016-02-16 19:30 · Score: 1
  
  It's possible he turned Siri off on lockscreen. It's much more possible that the few things accessible in that manner aren't what they are looking for.
The vast majority of passcodes are 4 digits. by Bartles · 2016-02-16 14:21 · Score: 1

That's 10,000 possibilities. It seems someone could put together a lego robot to try all 10,000. If they were forced to wait 60 minutes between attempts it would be 416 days at most.
1. Re:The vast majority of passcodes are 4 digits. by Bartles · 2016-02-16 14:24 · Score: 1
  
  And if you pace attempts correcty, it appears that you only have to wait 1 or 2 minutes between attempts, which is 14 days at worst.
2. Re:The vast majority of passcodes are 4 digits. by Bartles · 2016-02-16 14:34 · Score: 1
  
  I'm assuming the FBI could build one of these.
3. Re:The vast majority of passcodes are 4 digits. by mangamaster03 · 2016-02-16 14:56 · Score: 1
  
  The time increases after each improper guess.
4. Re:The vast majority of passcodes are 4 digits. by Bartles · 2016-02-16 15:06 · Score: 1
  
  See the link in my last post. I see no reason that will not work.
5. Re:The vast majority of passcodes are 4 digits. by The+Good+Reverend · 2016-02-16 17:57 · Score: 1
  
  Except that the phone will erase itself after 10 tries.
6. Re:The vast majority of passcodes are 4 digits. by Bartles · 2016-02-16 18:07 · Score: 1
  
  You didn't read anything on the link, did you? They even have a video of it. They cut the power to the phone before it can log the failed attempt. So every attempt is the first attempt, but you have to wait 44 seconds for the phone to reboot between attempts.
7. Re:The vast majority of passcodes are 4 digits. by The+Good+Reverend · 2016-02-16 18:17 · Score: 1
  
  From your link:
  Note the âoetryâ in that last sentence: while weâ(TM)re still waiting on confirmation from Apple on this one, thereâ(TM)s a good chance that the trickery at play here only works if youâ(TM)re on a build of iOS older than iOS 8.1.1 (Shipped November 2014).
  One would assume that if the FBI could have done this, they would have.
8. Re:The vast majority of passcodes are 4 digits. by Bartles · 2016-02-16 18:23 · Score: 1
  
  The numerous youtube videos showing this exploit are published well into 2015. In the comments to the link I posted, a believable sounding person says that this is a hardware limitation and can not be corrected by software. Who knows, I hope the FBI would be smart enough to do this.
9. Re:The vast majority of passcodes are 4 digits. by cfalcon · 2016-02-16 19:29 · Score: 1
  
  Actually, it will only take 2 hours before it has had enough tries to fire the 10-tries-delete-AES-key failsafe. Then it's gone for good.
If i were apple... by Anonymous Coward · 2016-02-16 14:35 · Score: 0

... enter 10 passcode attempts, phone self-wipes.
"We did all we could"
Re:Publicity by TsuruchiBrian · 2016-02-16 14:37 · Score: 1

Or apple could simply have implemented proper encryption in which they actually can't help. Given that the government is not their primary customer, I don't think they care that much about helping them. If anything, the government probably wants a phone that can't be hacked by Apple (or anyone with Apple's secrets) for themselves, even if they don't want others to have that.
Perhaps Apple could by Anonymous Coward · 2016-02-16 14:45 · Score: 0

push a forced s/w update to the phone with a special code build that has no delay and brick after 10 trys code.
Then let the FBI play at guessing the password all they want.
Seems like if Apple could get a memory image from the phone, then they could make a program to dump anything they want.
Unless there is something special about the h/w which makes the really hard.
Like maybe they have a special place in the asic to hold the keys and this place limits the tries and timeouts?
Is there anything published about how this security is implemented?
1. Re:Perhaps Apple could by gweihir · 2016-02-16 16:51 · Score: 1
  
  If Apple did this right, then they cannot do that. And doing this right is likely not that hard if you have a small number of really capable people doing it.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
2. Re:Perhaps Apple could by Anonymous Coward · 2016-02-17 14:57 · Score: 0
  
  Stop talking. You're out of your depth.
On-device key useful for secure deletion by perpenso · 2016-02-16 14:47 · Score: 1

That only works if the key is stored on the device, and the text the user types is merely a password to authorize use of the key, which would be a damn silly implementation.
Actually isn't that how it works on a modern iPhone, the key to decrypt storage is only on-device? What makes it not silly is that to "erase" a phone prior to transfer to someone else all that needs to be done is that the on-device key is destroyed and replaced with a new key by which data on media will now be encrypted/decrypted.
1. Re:On-device key useful for secure deletion by lgw · 2016-02-16 14:57 · Score: 1
  
  Any key that's stored on the device can easily (but not cheaply) be retrieved, unless the device is FIPS 140-2 Level 3 (and eventually be retrieved unless it's Level 4). It can be as trivial as bypassing the instruction that checks the password, or as tedious as forcing the key to leak through side-channel attacks, but Apple could certainly do it.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
2. Re:On-device key useful for secure deletion by bill_mcgonigle · 2016-02-16 15:13 · Score: 4, Insightful
  
  Apple devices from the iPhone 5s and onward use a "Secure Enclave" which is basically tamper-proof hardware key management.
  This phone in question is the 5c, so Apple might actually be able to attack it. Unfortunately, this will make the judge think any iPhone can be attacked by Apple.
  Although, I'm really not clear under what authority the Judge believes he has the power to compel Apple to do all this work against their business interests. It used to be they'd have to threaten, in secret, to put the CEO in prison to get this kind of cooperation. Now a judge just commands it? #ussa
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
3. Re:On-device key useful for secure deletion by bugs2squash · 2016-02-16 16:30 · Score: 1
  
  I suspect Apple are fine with helping track down terrorists (I would be too) and that in effect the judge has given them permission / a shield against being accused of rolling over too easily. It's not as if there is any doubt that this couple were terrorists.
  
  --
  Nullius in verba
4. Re:On-device key useful for secure deletion by N1AK · 2016-02-17 01:53 · Score: 1
  
  Even assuming they can help decrypt it, I expect there concern is more about being seen to help override the security of devices they sell to customers and the precedent of having to do the government's job for it whenever a TLA wants.
5. Re:On-device key useful for secure deletion by Anonymous Coward · 2016-02-17 02:24 · Score: 0
  
  That link says:
  "For devices with an A7 or later A-series processor, the Secure Enclave coprocessor also
  utilizes a secure boot process that ensures its separate software is verified and signed
  by Apple."
  So could they not just put in an alternate signed boot image that lets you in?
  Unless the keys are stored in separate secure hardware that you have to give a password and only get a few tries, I don't see the security from Apple?
6. Re:On-device key useful for secure deletion by lgw · 2016-02-17 04:19 · Score: 1
  
  Most security pronouncements by companies are bogus. That's why there are federal standards for real encryption. Apple might have done the right thing - but if they did, you'd think they'd mention the standard they complied with, and not make up marketing terms like "secure enclave". I don't see "tamper-proof" in that marketing material. Does it wipe the key if the voltage goes too low? If the temperature goes out of range? Heck, if the case is opened?
  I suspect it's easier to break than getting the PIN off a chip-and-PIN credit card.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
7. Re:On-device key useful for secure deletion by Dr.+Evil · 2016-02-17 10:52 · Score: 1
  "Tamper-proof" is not a thing in infosec.
  "you'd think they'd mention the standard they complied with"
  p.17 of the paper:
  
  Cryptographic Validation (FIPS 140-2)
  
  Common Criteria Certification (ISO 15408)
  
  Commercial Solutions for Classified (CSfC)
Ah, encryption the good, bad,and ugly of security by Anonymous Coward · 2016-02-16 14:48 · Score: 0

To me the problem is not the inability to crack the information on the iPhone. But the fact these two got into the country with no red flags, no surveillance and not even a hint of what they were doing. This is very troubling and a definite warning that we simply cannot properly verify people entering the country from these areas of question. Europe is facing this ver sobering fact, that islamic extremists can come in forms we do not recognize as potential threats. The question is, will this ever go away?
Fishing Expedition by Tokolosh · 2016-02-16 14:49 · Score: 1

The FBI is trying to find out whether Apple is telling the truth. If not, great, they have their data. If yes, they at least get Apple to reveal everything about their hardware, firmware and software to provide Big Brother with something to work on.
My question is, will we ever know whether is phone is cracked?

--
Prove anything by multiplying Huge Number times Tiny Number
Damned if you, damned if you don't by Anonymous Coward · 2016-02-16 15:02 · Score: 0

Bet the judge owns Alphabet stock
read the Ex Parte DOJ filing for the correct story by supernova87a · 2016-02-16 15:03 · Score: 4, Insightful

Just so that the debate here is a little more well-informed:

The government is not asking that Apple give out the user's password, or decrypt the phone, both of which they cannot just do (i.e. are incapable of performing). The request is that Apple produce a piece of iOS software or boot image (as I understand it), that would:
1) Disable the auto-erase feature
2) Allow the FBI to brute force submit password guesses to the phone, and
3) Disable or reduce the increasing-delay-between-guesses feature of the passcode lock.

I would be curious to know whether for this iPhone 5c (with iOS 9) this is even possible for Apple to do.

You can see why Apple wanted to get very far away from the business of being in a position to be asked constantly by law enforcement to help decrypt its phones, just for the sheer volume of requests that will be coming if they do....
Re:Publicity by Anonymous Coward · 2016-02-16 15:07 · Score: 0

Yeah, they are so rogue.
I find it amazing you buy that advertising game. So the company our President is happy to brag about like a son is really just an uncontrollable adolescent?
One thing that always seemed odd is the presidential pardon in the Apple vs Samsung case.... You know, that part where big bad American Apple picked a fight with Samsung, and then actually lost and had their IPhones ruled illegal.... Yeah after they lost the president just came out and pardoned the case. Anyone wonder what kind of underhanded deal Apple owed them for that? Perhaps allowing the gov to spy on all the Iphones?
source, http://www.zdnet.com/article/obamas-apple-patent-pardon-reflects-global-ip-hypocrisy/ [ZDNET]
No other means huh? by LeonPierre · 2016-02-16 15:11 · Score: 2

What could be learned from that phone that could not be collected from all the other electronics the couple owned and used?
Without accessing that phone the govt could find who the couple have called and texted, subpena social media sites for their exchanges, and collect who knows how much information under an NSL from Internet Service Providers.
I find it difficult to believe that something so nefarious or so important exists on that phone and that phone alone that can't be gathered elsewhere through other fashions.
This feels like the govt trying to flex its muscle using a high profile case in order to persuade public opinion regarding encryption and back doors.
Remember folks: a backdoor for one is a backdoor for all. And who cares about a back door when you have an intelligence agency monitoring all the comings and goings of the front door.

--
"If it ain't broke, it doesn't have enough features yet"
Sold me on Iphone by Anonymous Coward · 2016-02-16 15:14 · Score: 0

I am apple fan now.
Comment removed by account_deleted · 2016-02-16 15:19 · Score: 4, Informative

Comment removed based on user account deletion
Trying to help the FBI by Anonymous Coward · 2016-02-16 15:42 · Score: 0

try 123456
Except that never happened and you are a liar. by Brannon · 2016-02-16 15:46 · Score: 1

There was no pardon, pardons are for crimes. This was the one agency exercising its perogative to override another agency under the President's authority. The reason for the veto was that the patents in question were part of an industry standard and thus under FRAND terms. Samsung was violating those FRAND conditions in an effort to squeeze Apple.
1. Re:Except that never happened and you are a liar. by MachineShedFred · 2016-02-16 16:28 · Score: 1
  
  There you go, using facts and logic to try to set an irrational person right.
  Won't work - they're irrational.
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
2. Re:Except that never happened and you are a liar. by Anonymous Coward · 2016-02-16 17:41 · Score: 0
  
  And Apple STILL hasn't refuses to pay anything for using those patents !
Re: read the Ex Parte DOJ filing for the correct s by HagbardCeline6909 · 2016-02-16 15:49 · Score: 1

Can't Apple just turn over the iCloud backups?
Re: read the Ex Parte DOJ filing for the correct s by guruevi · 2016-02-16 16:10 · Score: 1

iCloud backups are also fully encrypted. Apple is the only business that 'gets' security it seems like.

--
Custom electronics and digital signage for your business: www.evcircuits.com
This will become a campaign issue by Anonymous Coward · 2016-02-16 16:15 · Score: 0

Expect this to become an issue that politicians focus on. They are already saying "there's got to be a way". This will give them more ammo. Just imagine: "they couldn't help us unlock that San Bernadino terrorist's data, so we need them to build in a way around this".
Honestly, Apple is kinda fucked either way, now that the FBI has asked in public. Either they unlock it and prove to everyone that their phones aren't secure, or they say they can't and thus look like they are refusing to help in the Fight Against Terrorism. Either way they look bad. This was a calculated move on the FBI's part, I think.
1. Re:This will become a campaign issue by cfalcon · 2016-02-16 17:53 · Score: 1
  
  "We provide a product that works as advertised, and it can't be broken into" might be slammed by some pundits, but it's certainly not going to make them look bad to their potential customers.
Re: read the Ex Parte DOJ filing for the correct s by Nixoloco · 2016-02-16 16:37 · Score: 1

Yup, and brute force decrypting the icloud backups would be much much more difficult than brute forcing the likely 4 or 6 digit PIN code on the device.
They do not need that phone by gweihir · 2016-02-16 16:41 · Score: 2

The perpetrators are contained. Finding out why they did it has time and can be done slowly and the old-fashioned way. The only thing they are doing here is to push (again) stupidly for a thing that makes everybody much less safe: backdoors. They must not be allowed to make the current global computing infrastructure even less secure as it is today, just to cater to their laziness. These people are more of a threat than any criminal could ever be.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
1. Re:They do not need that phone by Anonymous Coward · 2016-02-18 17:19 · Score: 0
  
  That's not for you to decide.
Re:read the Ex Parte DOJ filing for the correct st by gweihir · 2016-02-16 16:43 · Score: 1

If apple did it right, they cannot supply any of that with reasonable effort (or possibly at all).

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Re:Ah, encryption the good, bad,and ugly of securi by gweihir · 2016-02-16 16:50 · Score: 1, Insightful

It will not. Even full fascism is not enough to screen people reliable in larger numbers. It can simply not be done. Trying to can cause an incredible amount of damage though, as the aftermath of 9/11 demonstrates very nicely.
The answer to crimes like these is resilience: Put them in context, see that they are not more tragic than if these people had been run over by cars (just as horrible, but accepted as an everyday risk), mourn them and move on. But do not panic and sacrifice a free society or give lying snake-oil vendors like the FBI or the NSA more power just because they claim they can do something. They cannot. But it is not required to do anything as these events are so exceptionally rare and society is not threatened by them at all.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Re:read the Ex Parte DOJ filing for the correct st by wickerprints · 2016-02-16 17:19 · Score: 4, Informative

After reading Apple's iOS Security Guide white paper, it is doubtful that Apple can write any kind of software to load onto the device to permit any of those options. This is because once the device is locked, it will not install any updates to the operating system. The boot firmware is already installed and automatically runs when the device is turned on. Updating the operating system requires the device password. These functions are cryptographically secured. See the section "Keybags," subsection "Escrow Keybag" in the paper. The auto-erase and time delay features are enforced by the Secure Enclave in hardware, and cannot be circumvented.
why? guilt is not in question by johncandale · 2016-02-16 17:25 · Score: 2

why? guilt is not in question. It's just a precedent thing. fbi is overfunded and now they have something to do. Why don't they use these resources on future crimes unrealated? I'll tell you why. because it's easier and more fun to tinker with this. fuck the fbi, do something useful for us.
Re:read the Ex Parte DOJ filing for the correct st by Anonymous Coward · 2016-02-16 17:25 · Score: 1

All three of those numbered items are hardware-enforced by the secure enclave chip. If they could be disabled in this way, the cryptosystem as a whole would be essentially worthless.
Re:read the Ex Parte DOJ filing for the correct st by Anonymous Coward · 2016-02-16 17:30 · Score: 1

Actually, this might not be right – the 5c uses an Apple A6; the secure enclave was introduced with the A7.
Resurrection? by Anonymous Coward · 2016-02-16 18:17 · Score: 0

Of course not. This isn't to bring anyone back to life, and most especially not to prevent anything like this from happening in the future.
It's all about setting a useful precedent that ensures companies can't just protect the privacy of their clients.
Brute Force by watice · 2016-02-16 18:27 · Score: 1

idk if it's been stated before, but the court order sounds more like "help us brute force the key" not "help us decrypt the data". I guess philosophically it's one in the same, but slightly technically different. Here's the exact text.

important functions: (1) it will bypass or disable the auto-erase function whether or not it has been enabled; (2) it will enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available on the SUBJECT DEVICE and (3) it will ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware. Apple's reasonable technical assistance may include, but is not limited to: providing the FBI with a signed iPhone Software file, recovery bundle, or other Software Image File ("SIF") that can be loaded onto the SUBJECT DEVICE. The SIF will load and run from Random Access Memory and will not modify the iOS on the actual phone, the user data partition or system partition on the device's flash memory. The SIF will be coded by Apple with a unique identifier of the phone so that the SIF would only load and execute on the SUBJECT DEVICE. The SIF will be loaded via Device Firmware Upgrade ("DFU") mode, recovery mode, or other applicable mode available to the FBI. Once active on the SUBJECT DEVICE, the SIF will accomplish the three functions specified in paragraph 2. The SIF will be loaded on the SUBJECT DEVICE at either a government facility, or alternatively, at an Apple facility; if the latter, Apple shall provide the government with remote access to the SUBJECT DEVICE through a computer allowing the government to conduct passcode recovery analysis. If Apple determines that it can achieve the three functions stated above in paragraph 2, as well as the functionality set forth in paragraph 3, using an alternate technological means from that recommended by the government, and the government concurs, Apple may comply with this Order in that way.
1. Re:Brute Force by david_thornley · 2016-02-17 07:18 · Score: 1
  
  If I read that aright, Apple must provide a Software Image File (SIF) to the FBI that will, if installed, allow the FBI to brute-force the PIN. Apple is not responsible for installing it so that it will work. The SIF can be loaded at a government facility, using some method available to the FBI. Apple is required to provide "reasonable technical assistance", but is not actually on the hook for failure to install.
  This also looks like it was written at least with the help of someone who knows the technical aspects, and appears to have some idea as to what is possible and what isn't. (When I hear a story about a ridiculous court order, it usually turns out that it wasn't that far-fetched in context. In the previous sentence, "usually" was deliberately inserted and should not be taken to mean anything like "always". I assume that the real stinkers are likely to appear on loweringthebar.com.)
  And, for all I know, it's possible to do this on a 5 or 5C, but it won't necessarily work on a 5S (what I have) or later, because Apple's made the hardware security better. I do appreciate Apple fighting against the order using legal channels, but that may be because they can't refuse based on technical impossibility.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
IF I EVER MEET YOU, I WILL... BUY YOU A BEER! by Anonymous Coward · 2016-02-16 18:33 · Score: 0

Subject posted as this classic troll would do it.
I've been critical of you with other posts, but props for stopping the APK spam. I noticed he hadn't been following around a few users the past couple of days. Good work!
Now if only the "Republicans want us to die" troll can be next out the door.
1. Re:IF I EVER MEET YOU, I WILL... BUY YOU A BEER! by Anonymous Coward · 2016-02-17 07:37 · Score: 0
  
  Now if only the "Republicans want us to die" troll can be next out the door.
  No. I don't want to see anything like that happen. APK got the hammer because he crossed the line from trolling to not just spam, but spam flooding. I'm fine with them getting rid of spam floods and obvious spam bots, but everything else needs to be left to the user moderation system.
Maybe they should have waited by Plumpaquatsch · 2016-02-16 18:52 · Score: 1

Maybe they shouldn't have shot him before they had the password?

--
Of course news about a fake are Fake News.
1. Re:Maybe they should have waited by Anonymous Coward · 2016-02-16 20:00 · Score: 0
  
  You're a mostly right. But IMHO, they should've shot him with a tranquilizer dart, and then question him with some extreme prejudice. In fact, with the recent proliferation of devices sporting such tight security, I think the good old profession of torturer will soon make a spectacular comeback. In light of that, I might even need rethink my own career choice.
Same issue, different problem by petes_PoV · 2016-02-16 19:21 · Score: 1

In the UK a person has a legal obligation to hand over a password to encrypted data when asked nicely by the people with guns.
However, a block of random data is indistinguishable from an encrypted file. So when asked to "decode" a couple of MB of random numbers it should be reasonable to require the authorities to prove that there is actual content within - and that an unlock key exists. This may sound like a philosophical point, but unless the data in question has been encrypted, a person cannot be asked to provide the key.

--
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
Find password by checking security cam footage? by Anonymous Coward · 2016-02-16 19:36 · Score: 0

Instead of cracking code - why not search for the real one on security camera footage?
Assuming Apple (or carrier) can offer location data and the phone was in use for a few days, then there must be some security camera somewhere in the public which picked up the person entering his code? Looking at location data should give some indication where to check security cameras.
Re: read the Ex Parte DOJ filing for the correct s by cfalcon · 2016-02-16 19:40 · Score: 2

NO!
If he had it on icloud, Apple could turn it over. The icloud backups are encrypted BY APPLE.
Check page 4:
www.apple.com/privacy/docs/legal-process-guidelines-us.pdf
Here's some guidelines:
http://manhattanda.org/sites/d...
There's a part where the document sort of complains that users aren't required to back everything up to icloud, because they can just ask for anything in icloud at all and get it in plaintext immediately (as documented by the first link).
If you promise to encrypt "hunter2" your end with AES-256, is it encrypted? Sure, but it's also here on plaintext, in transit, and if asked, you could certainly retrieve it. Even though it's clearly my password that you can't see :P
This is why Touch ID is a problem by nbritton · 2016-02-16 20:00 · Score: 4, Informative

If the iPhone 5c had Touch ID this wouldn't be a problem, they could just use the persons finger to unlock the device. This illustrates why Touch ID is a bad idea if you care about your privacy. Since we only have ten fingers and the auto erase doesn't activate until after 10 failed attempts, the only thing needed to get into a Touch ID phone is a court order. The Fifth Amendment protection against self incrimination only applies to the contents of your mind, it's established precedent that it doesn't apply to your body (i.g. blood, DNA, finger prints, etc.) or property.
1. Re:This is why Touch ID is a problem by khchung · 2016-02-17 00:05 · Score: 1, Informative
  
  Since we only have ten fingers and the auto erase doesn't activate until after 10 failed attempts, the only thing needed to get into a Touch ID phone is a court order.
  Spoken like someone who had never used Touch ID on an iPhone. Why am I not surprised?
  Did you notice that most people's fingers are larger than the iPhone home button? When you register a finger for Touch ID, since your finger is bigger than the button, you have to choose where to put your finger during registration. Say, if you registered using the part closer to the tip of your finger, Touch ID would fail to recognize your finger if you used the side or base part of your finger.
  The criminal could easily make the Touch ID fail to recognize the registered finger(s) by putting his finger on differently than when he registered, and can cause 10 failed attempts easily.
  
  --
  Oliver.
2. Re:This is why Touch ID is a problem by Anonymous Coward · 2016-02-17 01:17 · Score: 0
  
  You have to reenter your pin every 48 hours. At least I do on my phone. The police would have had to unlock it within less than 48 hours, depending on when it was last unlocked by the pin. It's something they definitely could have done, but it would require forethought.
3. Re:This is why Touch ID is a problem by Anonymous Coward · 2016-02-17 02:53 · Score: 0
  
  But, is it his fingerprint or hers? 10x2.
4. Re:This is why Touch ID is a problem by Anonymous Coward · 2016-02-17 05:34 · Score: 0
  
  Normally, I would just call bullshit on your post and move on. But your perplexing choice of insults deserves special attention. you said:
  "Spoken like someone who had never used Touch ID on an iPhone....why am i not surprised"
  this must have made you feel very manly young pre-teen, sitting there in mama's basement with your little cock in your hand. how cool you felt, pointing out that he had never used Touch ID. here's the irony:
  YOU ARE A BULLSHITTING BULLSHITTER because you either NEVER used Touch ID, or you TOTALLY FAILED TO UNDERSTAND IT. omg, i don't even know where to start. sigh. another quote from your garbage post:
  "you have to choose where to put your finger during the registration."
  NO! NO! That's not even how it works or what happens, and it's not what apple says in the instructions! did you even pay attention? or is your WHOLE POST ONE GIGANTIC LIE and you've never touched and iphone and you got your silly ideas from a fucking youtube video somewhere??!
  since nobody else will bite, i'll explain the Touch ID setup process to everyone:
  0. initiate the Touch ID setup process.
  1. you put your finger on for a sample.
  2. it shows a graphic depicting the partial sample it has taken.
  3. it asks you to sample again.
  4. more data is collected, and the graphic is filled in a little more.
  5. repeat steps 3 and 4 several times, until the graphic is filled in.
  6. once the ENTIRE fingerprint has been sampled, including high on the tip, low on the base, and far wrap-arounds of both sides...THEN you're done.
  for all subsequent un-locks of the phone, THE SOFTWARE ONLY MATCHES A PART OF THE TOTAL DATA SINCE YOU WILL OBVIOUSLY BE ONLY PUTTING PART OF THE FINGERPRINT ON THE HOME BUTTON.
  just to recap, you sir an an idiot.
  and yes, i write software as a contractor here in Santa Clara for a major company which i can't name. our company uses the Touch ID feature extensively.
5. Re:This is why Touch ID is a problem by fonos · 2016-02-17 06:27 · Score: 1
  
  Touch ID stops working after 24 hours of not using it. After 24 hours you NEED the passcode to unlock the phone. Also, Touch ID requires a passcode after FIVE (5) failed Touch ID attempts.
6. Re:This is why Touch ID is a problem by Nixoloco · 2016-02-17 08:34 · Score: 1
  
  Besides that, you have to enter a passcode every 48 hours, if the phone is rebooted, or after just four misread fingerprint attempts.
7. Re:This is why Touch ID is a problem by shilly · 2016-02-17 19:06 · Score: 1
  
  You don't really understand how Touch ID works, do you?
  1. It would have been useless to the FBI in this case, as the finger needs to be alive.
  2. A Touch ID unlock can only be attempted 5 times and then a passcode is required.
8. Re:This is why Touch ID is a problem by Sabriel · 2016-02-17 20:40 · Score: 1
  
  The Fifth Amendment protection against self incrimination only applies to the contents of your mind, it's established precedent that it doesn't apply to your body (i.g. blood, DNA, finger prints, etc.) or property.
  Would that precedent put a potential expiry date on the Fifth, because sufficiently advanced technology will not care whether it's reading chromosomes from your blood cells or memories from your brain cells? "I plead the Fifth." "Not a problem, we also imaged your cerebral cortex while you were being fingerprinted at the station. Your Honor, we draw your attention to the defendant's engram record D0441-17-2016..."
Re:read the Ex Parte DOJ filing for the correct st by sociocapitalist · 2016-02-16 22:00 · Score: 1

Just so that the debate here is a little more well-informed:
The government is not asking that Apple give out the user's password, or decrypt the phone, both of which they cannot just do (i.e. are incapable of performing). The request is that Apple produce a piece of iOS software or boot image (as I understand it), that would:
1) Disable the auto-erase feature
2) Allow the FBI to brute force submit password guesses to the phone, and
3) Disable or reduce the increasing-delay-between-guesses feature of the passcode lock.
I would be curious to know whether for this iPhone 5c (with iOS 9) this is even possible for Apple to do.
You can see why Apple wanted to get very far away from the business of being in a position to be asked constantly by law enforcement to help decrypt its phones, just for the sheer volume of requests that will be coming if they do....
One per software release?
Once they have the image that does 1,2 and 3 of your points they don't need to ask Apple to do anything on an individual phone basis.

--
blindly antisocialist = antisocial
It is easy by terminal.dk · 2016-02-16 22:00 · Score: 1

Just use the fingerprints of the criminals. Or clone the phone and brute-force the pin-code.
Or use all the rest of the logging taking place to see who they communicated with and when, and ignore the little data on the phone. A phone is just a computer. The problem is, politicians don't realise this.
1. Re:It is easy by fonos · 2016-02-17 06:32 · Score: 1
  
  Just use the fingerprints of the criminals. Or clone the phone and brute-force the pin-code.
  Or use all the rest of the logging taking place to see who they communicated with and when, and ignore the little data on the phone. A phone is just a computer. The problem is, politicians don't realise this.
  After 24 hours of non-use, a passcode/password is REQUIRED to unlock the phone. TouchID won't do it after 24 hours. Also, touchID locks itself out after five failed fingerprint attempts. You need a passcode/password after that.
I'm missing something here yeah by connect4 · 2016-02-16 22:13 · Score: 1

Are you telling me that the default behaviour of an iphone is to destroy the keys if someone punches in some random unlock shit 10 times?
Imma have some fun with this.
"Hey that's a nice phone, mind if I have a look?"
1. Re:I'm missing something here yeah by Anonymous Coward · 2016-02-17 00:30 · Score: 0
  
  Are you telling me that the default behaviour of an iphone is to destroy the keys if someone punches in some random unlock shit 10 times?
  Imma have some fun with this.
  "Hey that's a nice phone, mind if I have a look?"
  Well every BlackBerry smartphone self-erases after N failed attempts to unlock the smartphone. Apple has implemented the same security strategy. But your government boot licking fetish is all too obvious. I hope the IRS audits you this year and for the past 100 years.
2. Re:I'm missing something here yeah by Plumpaquatsch · 2016-02-17 01:27 · Score: 1
  
  Are you telling me that the default behaviour of an iphone is to destroy the keys if someone punches in some random unlock shit 10 times?
  Imma have some fun with this.
  "Hey that's a nice phone, mind if I have a look?"
  "To further discourage brute-force passcode attacks, there are escalating time delays after the entry of an invalid passcode at the Lock screen. "
  
  --
  Of course news about a fake are Fake News.
3. Re:I'm missing something here yeah by WorBlux · 2016-02-17 05:40 · Score: 1
  
  The default is increase wait, but you can set an option to erase after 10 consecutive fails.
4. Re:I'm missing something here yeah by WorBlux · 2016-02-17 05:42 · Score: 1
  
  It's also like to see an option to erase data on boot if last successful login was more than X days ago. How likely are you not to pick up your phone for a week unless it's stolen or lost?
5. Re:I'm missing something here yeah by david_thornley · 2016-02-17 06:05 · Score: 1
  
  I believe it'll take a while, since there are lockout intervals when the phone just won't pay attention to a PIN.
  Not to mention that there are so many other ways to lose data on a mobile phone that one more awkward one isn't a big deal. If someone has the phone and wants to destroy the information on it, I'd think a hammer would do quite well. Some people keep stuff only on their phone, not on a computer or on the iCloud, but that stuff is going to go away sometime. Any data will go away sometime if not backed up, and data on a phone is more vulnerable than most.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
6. Re:I'm missing something here yeah by h4ck7h3p14n37 · 2016-02-17 06:18 · Score: 1
  
  My understanding is that iOS wipes the phone after 10 invalid login attempts.
  A friend of mine discovered this the hard way when his phone suddenly started vibrating in his pocket. He had been pocket-dialing.
  I have heard of other people who let their kids play with the phone not knowing about the auto-wipe feature.
7. Re:I'm missing something here yeah by gweihir · 2016-02-17 08:28 · Score: 1
  
  It is. Together with progressive delays going up to years after failed tries. The designers of this thing are not stupid, the occasional mess-up (antenna-gate, e.g.) non-withstanding.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
8. Re:I'm missing something here yeah by gweihir · 2016-02-17 08:29 · Score: 1
  
  Good idea.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
9. Re:I'm missing something here yeah by gweihir · 2016-02-17 08:31 · Score: 1
  
  I very much agree on all your points. In particular, someone with physical access can already kill it in many ways, so this additional one does not matter much.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
10. Re:I'm missing something here yeah by gweihir · 2016-02-17 08:32 · Score: 1
  
  Security involves trade-offs. This is one of them. There is really no good way to make something both fool-proof and attacker-proof at the same time.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
11. Re:I'm missing something here yeah by Anonymous Coward · 2016-02-17 12:03 · Score: 0
  
  "Hey that's a nice phone, mind if I have a look?"
  You have backups, right? Anyway, even without a 'wipe on ten incorrect entries' feature, you could just chuck the phone into a lake if you're being a cunt. In fact, that's more likely to succeed given the amount of time it takes to enter ten incorrect pins, vs. the amount of time it takes to chuck a phone into a lake.
  Next time you want to 'have some fun' with something, you should consider trying to be at least partially intelligent too.
  Idiot.
12. Re:I'm missing something here yeah by Anonymous Coward · 2016-02-17 12:06 · Score: 0
  
  He had been pocket-dealing.
  Which is weird on a capacitive touch screen, but I guess if you're sweaty enough.
  
  not knowing about the auto-wipe feature.
  It's optional, not the default, and clearly stated in the text on the settings screen. I know lots of idiots too.
13. Re: I'm missing something here yeah by Anonymous Coward · 2016-02-17 16:01 · Score: 0
  
  Well, the wipe is optional, not default, and it takes over an hour to enter an invalid pin 10 times. Have fun.
Whom to believe... by Max_W · 2016-02-16 22:46 · Score: 1

Russian lawmakers consider banning state officials from using foreign-made smartphones, such as iPhones, over spying concerns: https://www.rt.com/politics/ip...
This is clever by dhaen · 2016-02-17 00:26 · Score: 1

The FBI tells Apple to decrypt but the attempt "fails". Apple sells more to non-friedly countries. US security agencies open the back doors they previously arranged with Apple, and savour the intel.
sooo by Anonymous Coward · 2016-02-17 00:46 · Score: 0

they set up a false flag operation and now an iphone is so safe operation,,, this movie is really boring
No mention of the 'm' word in the article... by Anonymous Coward · 2016-02-17 00:47 · Score: 0

Gee... I wonder why.
It was just "a couple" who shot fourteen people, not MUSLIMS, of course...
1. Re:No mention of the 'm' word in the article... by Anonymous Coward · 2016-02-17 03:02 · Score: 0
  
  And I see not ONE poster here has dared to say that they were MUSLIMS, either... Good luck with putting your head in the sand, when your very LIFE is on the line.
  Unbelievable.
Re: read the Ex Parte DOJ filing for the correct s by crankyspice · 2016-02-17 00:49 · Score: 1

Yeah, and they already have:

They alleged in their filing that Farook may have disabled the iCloud data feature to hide evidence. Although investigators have been able to obtain several backup versions of Farook's iCloud data, the most recent version they've been able to access dates from about a month and a half before the shooting. They said this showed Farook "may have disabled the feature to hide evidence."
http://www.nbcnews.com/storyline/san-bernardino-shooting/apple-fights-order-unlock-san-bernardino-shooters-iphone-n519881

--
geek. lawyer.
Re:Ah, encryption the good, bad,and ugly of securi by Plumpaquatsch · 2016-02-17 00:59 · Score: 1

To me the problem is not the inability to crack the information on the iPhone. But the fact these two got into the country with no red flags, no surveillance and not even a hint of what they were doing.
What do you mean - "got in"? Unlike Ted Cruz, the guy was actually Born in the USA.

--
Of course news about a fake are Fake News.
Re:read the Ex Parte DOJ filing for the correct st by Plumpaquatsch · 2016-02-17 01:03 · Score: 1

Just so that the debate here is a little more well-informed: The government is not asking that Apple give out the user's password, or decrypt the phone, both of which they cannot just do (i.e. are incapable of performing). The request is that Apple produce a piece of iOS software or boot image (as I understand it), that would: 1) Disable the auto-erase feature 2) Allow the FBI to brute force submit password guesses to the phone, and 3) Disable or reduce the increasing-delay-between-guesses feature of the passcode lock. I would be curious to know whether for this iPhone 5c (with iOS 9) this is even possible for Apple to do.

http://blog.cryptographyengineering.com/2014/10/why-cant-apple-decrypt-your-iphone.html:

Addendum: how did Apple's "old" backdoor work?
One wrinkle in this story is that allegedly Apple has been helping law enforcement agencies unlock iPhones for a while. This is probably why so many folks are baffled by the new policy. If Apple could crack a phone last year, why can't they do it today?
But the most likely explanation for this policy is probably the simplest one: Apple was never really 'cracking' anything. Rather, they simply had a custom boot image that allowed them to bypass the 'passcode lock' screen on a phone. This would be purely a UI hack and it wouldn't grant Apple access to any of the passcode-encrypted data on the device. However, since earlier versions of iOS didn't encrypt all of the phone's interesting data using the passcode, the unencrypted data would be accessible upon boot.
No way to be sure this is the case, but it seems like the most likely explanation.

--
Of course news about a fake are Fake News.
Years ago I worked at a place with a SEM... by Anonymous Coward · 2016-02-17 01:05 · Score: 0

Scanning Electron Microscope. I was able to pull the top off some ICs (PALs) to look at the fuses
that were blown, because I was curious. The guys also said if you RAN the chip the different
voltages of the traces could be discerned. The SEM even had a sealed input plug with lots of
connectors for just that purpose. Never tried it, but it seemed plausible. But they also
said you could glue an ant to a slide, put it in, pump it down, and image the sucker before he died,
so I don't know how much they were pulling my leg.
So it might be possible to pull the security chip, extract it from the housing, fire it up, and somehow
read out the bits.
1. Re:Years ago I worked at a place with a SEM... by adamstew · 2016-02-17 02:48 · Score: 1
  
  My apologies. Rereading my initial post, I realize I made a mistake. I did say "UDID", but I meant "UID".
  These are two separate numbers within the phone. The UDID is known to the OS and can be queried. But it is not a part of the encryption key.
  The UID is burned in to the silicon and is only known within the encryption system itself. Not even software running at the kernel level can query the UID.
It is OK to hack your customers by Anonymous Coward · 2016-02-17 01:46 · Score: 0

when they use your products to help commit mass murder and the FBI is trying to investigate? There are undoubtedly accomplices of these mutants at large. Information in the phone will help reveal the perps support network. Why does Apple want to keep them hidden? Don't the victim's families deserve better?
NSA already has the text and calls!. by Anonymous Coward · 2016-02-17 01:54 · Score: 0

Who cares about the pass code?
The NSA has the contents of all the text messages and phone calls.
This is what they are trying to hide. They already have the information.
God bless Apple and curse Google/Microsoft! by yuvcifjt · 2016-02-17 02:08 · Score: 0

Although I don't use any smartphone, this is one of the reasons why I advocate iPhone over the spyware-ridden android/windows os - if people MUST have a smartphone.
Apple appears to be the only major company fighting the real terrorists in the government, rather than collaborating and selling their customers' private data to them (unlike Google / Microsoft).
If it wasn't for encryption and companies like Apple / Lavabit / ProtonMail creating products to ensure customers' privacy, we wouldn't have people like Snowden / Assange / Glenn Greenwald / reporters etc, who are able to reveal the terrorist and war-driven / blood-thirsty nature of our western rulers and the crimes against humanity that they constantly commit around the world.
It's funny also the fact that when the UN and America bombs and destroys several hospitals/schools, it's perfectly fine, "because terrorists were hiding there"!
But if (supposedly) Russia/any-other-country does so, it's crimes against humanity!
What utter hypocrisy!
Oh and by the way, America/Britain has butchered hundreds-of-thousands of civilians in countries like Afghanistan/Iraq, and you won't come across a single family in Iraq who's family member hasn't been blown-up to bits by the American terrorist government.
Easy by geantvert · 2016-02-17 03:14 · Score: 1

All they need to do is use one of those password cracker devices: http://thumbs.randomenthusiasm...
Apple's Tim Cook, Accomplice To Murder by Anonymous Coward · 2016-02-17 04:05 · Score: 0

Great!
Cook's refusal and false claim of the FBI wanting Apple to install a backdoor places Cook in jeopardy of being named an accomplice to the terror act and murders. He can be arrested, arraigned and locked in the "slammer" to await trial.
On conviction, Cook will face the Death Penalty for his aiding and abetting the murders.
Best of all, Cook can be disposed from Apple, leaving Apple to "Clean House" of the "others" within.
Great day for Apple, i.e. the other employees and stock holders.
Ha ha
1. Re:Apple's Tim Cook, Accomplice To Murder by jcr · 2016-02-17 07:19 · Score: 1
  
  Blow it out your ass, you bootlicking piece of shit. Tim is standing up for our right to privacy, in the face of massive pressure from idiots and thugs. I've always admired him, and never more so than today.
  -jcr
  
  --
  The only title of honor that a tyrant can grant is "Enemy of the State."
Backdoor pin by slashkitty · 2016-02-17 04:35 · Score: 1

is Lisa's birthday, right? Everyone at apple should know that one.

--
-- these are only opinions and they might not be mine.
no uncertain terms underlined by epine · 2016-02-17 04:47 · Score: 1

We'll start at the beginning with the low-hanging fruit, and build from there.

This moment calls for public discussion ...
From Apple this translates as follows: "we didn't get what we wanted prowling in the dark corridors".

... the contents of your iPhone are none of our business ...
Assume the Tor position! All your child porn R not belong to us!

We were shocked and outraged ...
Translation: Shit happens. Because human nature. [long sigh]

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone's physical possession.
Where for the love of God is the adamant denial that they can actually build such a thing for the device in question? If the only barrier to accessing this device's data is a long night of hammering out source code, then I think this backdoor already exists, like a door that opens onto the back side of the second floor which is sealed from active use because no exterior stairwell has so far been erected.
"But we'd have to drain the moat and relocate the alligators to set the foundation! It would take weeks." Doesn't matter. If that's your last and most severe impediment, the door in my opinion already exists.

Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution.
Others would argue that the mere possibility of providing a backdoor after the fact calls the competence and unbending will of your organization into a harsh light.

In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.
Pfffffft. What reasonably people find acceptable concerning their physical security in practice seems to have almost no bearing on how people behave with respect to their digital assets. Perhaps eventually as a society—in another generation or two—we'll get there.
Here's one simple distinction. Criminals who break into your house can be shot with a gun. Things you can shoot with a gun go to a different (more vivid) mental lobe in the human brain. Cyberfilth is almost impossible to shoot with a gun. Bleach might be a better option, but you're going to need to bring Dow Chemical Company onside with your plan, just for starters.
William Gibson: Reasonable behaviour is already here — it's just not very evenly distributed.
To avoid flattery, it's probably best to frame this sentiment as "no reasonable person's future progeny would find that acceptable", because I've seen the "reasonable" people now living and breathing among us, and let me tell you, it isn't pretty.
Rhetorically, Apple is in a bit of a rush here to close this one gap sooner rather than later, out of thousands of similar gaps.

The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.
You see "irony" here? Wow. Just wow.
News flash for Tom Cook. The "same people" who authored the American constitution granting powers to the American state also engineered its limitations. It's a human process sometimes called "striking a balance".
Furthermore, allow me to hazard a guess: the same people who toiled cea
San Bernardino Shooting Story Shot Full of Holes . by Anonymous Coward · 2016-02-17 05:12 · Score: 0

San Bernardino Shooting Story Shot Full of Holes, Was this a False Flag Event?
Secure enclave? by Anonymous Coward · 2016-02-17 07:45 · Score: 0

WTF?
You can always spot shills when they use the company's stupid terminology.
Fuck off
1. Re:Secure enclave? by dgatwood · 2016-02-17 18:39 · Score: 1
  
  The company's terminology? You mean "secure enclave"? That's a fairly common, industry-standard term in the field of data security, though it is more commonly used in the context of networks rather than parts of a specific device. And Intel also uses that term. But if your hatred for Apple runs so deep that you can't stand to use Apple's terminology while talking about an Apple product, I suppose we could call it a Trusted Execution Environment....
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
Dear FBI by DirkDaring · 2016-02-17 08:37 · Score: 1

The Judge has told us to help you get into the iPhone. When you turn it on, you need to guess the passcode. You have 10 attempts. Guess well. You're welcome in advance for the help.
Sincerely,
Apple
Nice filters (unlike my product they don't work) by Anonymous Coward · 2016-02-17 13:30 · Score: 0

APK Hosts File Engine 9.0++ SR-4 32/64-bit http://start64.com/index.php?o...
-
FREE, not 'souled-out' to advertisers, adds speed, security & reliability.
Does far more w/ far less more efficiently vs. addons (clarityray blockable, redundant + RAM/CPU wasteful & 'souled-out' crippled by default) & local DNS servers @ home.
Fixes DNS' security issues & stops tracking @ webpage + DNS levels via 1 file you NATIVELY have!
(Firewalls do rest on FAR less used IP address trackers/threats vs. host-domain names).
-
Obtains data vs. online threats & ads via 10 reputable security community sites - easily edited by you using my program.
-
SPEEDS YOU UP 2 ways:
Adblocking ALL ads + local RAM cached favorite sites @ TOP of hosts for faster resolution vs. remote DNS (for reliability + speed) vs. other "so-called security 'solutions'" SLOWING YOU!
-
All via what you already have vs. illogically "bolting on browser addons 'MOAR'" (clarityray detected/blockable + usermode slow & increased messagepassing, cpu + ram overheads)
-
MalwareBytes' hpHosts Admin (MalwareBytes employee verified it's source as safe http://forum.hosts-file.net/vi... ) hosts & recommends it -> http://hosts-file.net/?s=Downl...
&
MalwareBytes = BEST antivirus per a VERY recent testing of them all http://www.av-test.org/en/news...
&
It's safe proven by 57 antivirus programs in BOTH its 64-bit model https://www.virustotal.com/en/...
+
32-bit model https://www.virustotal.com/en/...
&
Installer-> http://f.virscan.org/APKHostsF...
-
* "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend".
APK
P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:
"The image this title brings to mind is a mighty military commander who can at a mere word summon rank upon rank of protective power" -> https://answers.yahoo.com/ques... & THE WORD = hosts!
(Accept NO substitutes)
...apk
It's not spam & so much for YOUR "filters" lol by Anonymous Coward · 2016-02-17 13:36 · Score: 0

APK Hosts File Engine 9.0++ SR-4 32/64-bit http://start64.com/index.php?o...
-
FREE, not 'souled-out' to advertisers, adds speed, security & reliability.
Does far more w/ far less more efficiently vs. addons (clarityray blockable, redundant + RAM/CPU wasteful & 'souled-out' crippled by default) & local DNS servers @ home.
Fixes DNS' security issues & stops tracking @ webpage + DNS levels via 1 file you NATIVELY have!
(Firewalls do rest on FAR less used IP address trackers/threats vs. host-domain names).
-
Obtains data vs. online threats & ads via 10 reputable security community sites - easily edited by you using my program.
-
SPEEDS YOU UP 2 ways:
Adblocking ALL ads + local RAM cached favorite sites @ TOP of hosts for faster resolution vs. remote DNS (for reliability + speed) vs. other "so-called security 'solutions'" SLOWING YOU!
-
All via what you already have vs. illogically "bolting on browser addons 'MOAR'" (clarityray detected/blockable + usermode slow & increased messagepassing, cpu + ram overheads)
-
MalwareBytes' hpHosts Admin (MalwareBytes employee verified it's source as safe http://forum.hosts-file.net/vi... ) hosts & recommends it -> http://hosts-file.net/?s=Downl...
&
MalwareBytes = BEST antivirus per a VERY recent testing of them all http://www.av-test.org/en/news...
&
It's safe proven by 57 antivirus programs in BOTH its 64-bit model https://www.virustotal.com/en/...
+
32-bit model https://www.virustotal.com/en/...
&
Installer-> http://f.virscan.org/APKHostsF...
-
* "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend".
APK
P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:
"The image this title brings to mind is a mighty military commander who can at a mere word summon rank upon rank of protective power" -> https://answers.yahoo.com/ques... & THE WORD = hosts!
(Accept NO substitutes)
...apk
I neutered you with 1 question WALLY, lol by Anonymous Coward · 2016-02-17 13:42 · Score: 0

"Run, Forrest: RUN!!!" = JustAnotherOLDBitch who WENT SILENT & RAN from a simple question -> http://it.slashdot.org/comment...
LMAO!
APK
P.S.=> Ah yes, those "POWERFUL FILTERS" by 'whipslash', lol that don't WORK, unlike MY WORK which does and YOU ARE SCARED SHITLESS OF IT WEBMASTER (who doesn't mind AlmostALLAdsBlocked since he's paid by those to NOT WORK RIGHT, like "whipslash's filters", lol, who let its ads thru)-> http://slashdot.org/comments.p... )
1. Re:I neutered you with 1 question WALLY, lol by JustAnotherOldGuy · 2016-02-17 16:04 · Score: 1
  
  Lol, it's so cute how I can push your buttons. :)
  Anyway, to answer the questions you asked at your link.......
  
  Which sites & do you get paid by ads on them? Finish the answer & point them out so I can verify this...
  Lol, like I would tell a scumbag like you specifically what sites I run. Thanks, but I don't need some shitbag like you trying to DDOS me or hack my sites.
  To answer your second question, some some make money from ads, some some sell products.
  So choke on it, baby, that's about as much info as I'll give out to a pedophile like you.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
It does work (unlike "whipslash's" filter 'work') by Anonymous Coward · 2016-02-17 13:48 · Score: 0

See subject & this post of mine cfalcon (so much for "WALLIES" & THEIR INFERIOR 'work' vs. me)-> http://slashdot.org/comments.p...
APK
P.S.=> Little wallys, lol... their "kind"? Makes me laugh (@ them most of all)... apk
Hahahahaha, ANSWER = NO, it can't even do 1 by Anonymous Coward · 2016-02-17 13:50 · Score: 0

See subject (LMAO) - it can't even work vainly & effetely TRYING to 'filter' my posts -> http://slashdot.org/comments.p...
* :)
(That PUNY Web-Wally "whipslash"? He makes me laugh!)
APK
P.S.=> I'm LAUGHING @ YOU wally... apk
Whipslash's PUNY "hammer" shatters on me by Anonymous Coward · 2016-02-17 13:53 · Score: 0

See subject & this post of mine in this very exchange that PROVES my subject-> http://slashdot.org/comments.p...
* So much for "web-wallies" from "sourceforge"... lol!
APK
P.S.=> PUNY wallies... apk
Whipslash's PUNY script served up "well done" by Anonymous Coward · 2016-02-17 13:57 · Score: 0

See subject & this post:Cooked & burnt, EASILY, (it doesn't work) since he's a "webwally"-> http://slashdot.org/comments.p...
* As only "yours truly" can manage it...
APK
P.S.=> Web-Wally from "SOURCEFORGE"? Bah... apk
1. Re:Whipslash's PUNY script served up "well done" by Falconhell · 2016-02-19 12:25 · Score: 1
  
  It it just prevents 10% of you paranoid delusional rants, it's a good start! just keep poking the bear.
AmiMojo, a BETTER question to ask "webwally"! by Anonymous Coward · 2016-02-17 14:12 · Score: 0

See subject: ASK "WEB-WALLY FROM SOURCEFORGE" what it tasted like "EATING HIS WORDS" (lmao)-> http://slashdot.org/comments.p...
* :)
(So much for "web-wallies" like "whipslash", lol... puny web-wally opened his MOUTH & inserted his FOOT!)
APK
P.S.=> Go on - ask BIGMOUTH that question... lol!
... apk
It's because "webwally whipslash" eats his words by Anonymous Coward · 2016-02-17 14:16 · Score: 0

See subject & SO MUCH FOR HIS "script kiddie" filters http://slashdot.org/comments.p...
* :)
(Ask "Web Wally WhipSlash" how it tastes "EATING HIS WORDS" from his BIG mouth now... lol!)
APK
P.S.=> He's a PUNY "Web-wally" from SourceForge - his work? DOESN'T WORK... but mine does (which scares the HELL OUT OF HIM because he's a greedy little webmaster profiting by YOU & all like you)... apk
LMAO - no, other way around... apk by Anonymous Coward · 2016-02-17 14:38 · Score: 0

Ask "Web Wally Whipslash" how it TASTES "eating his words" http://slashdot.org/comments.p...
* :)
(A puny little WEB-WALLY like Whipslash, the greedy little webmasters who is TERRIFIED of my ware, can't stop me...)
APK
P.S.=> He ought to have some MANNERS @ least & NOT TALK WITH HIS BIG MOUTH FULL as he "eats his words", lol... I made him EAT THEM, easily... apk
"Try to override - SHUT IT OFF!" Capt. Kirk by Anonymous Coward · 2016-02-17 14:52 · Score: 0

Do you like StarTrek TOS, Web-Wally? Specifically episode 26 "Assignment Earth" with "The Mysterious Mr. 7"??
See subject & that line from it - IT IS EXACTLY WHAT I SHOW EVERYONE I CAN DO TO YOU easily just like Gary 7 temporal agent from that episode - they couldn't STOP HIM from beaming to earth or in my case, writing posts on /. - (& you CAN'T STOP ME, you effete bigmouth fool... lol!)
APK
P.S.=> Especially THIS -> http://slashdot.org/comments.p...
TELL US: How does it TASTE "eating your words", web-wally from sourceforge (home of malware)? Like YOUR FOOT IN YOUR MOUTH washed down with the BITTER taste of SELF-defeat?? LMAO @ U, web-wally - now go finish your meal (of YOUR words you must eat)... apk
Why not post using your "registered luser" name? by Anonymous Coward · 2016-02-17 15:02 · Score: 0

Is it since I can show I made you EAT YOUR WORDS as I have ww/ web-wally whipslash & his puny script-> http://slashdot.org/comments.p...
?
(Hahahahaha @ the LOT of you...)
APK
P.S.=> PUNY "web-wallies" webmasters, TERRIFIED of my program (as it's not paid off to let your precious pennies in ads thru)... apk
Oh, really? LMAO @ U webwallies... apk by Anonymous Coward · 2016-02-17 15:04 · Score: 0

APK Hosts File Engine 9.0++ SR-4 32/64-bit http://start64.com/index.php?o...
-
FREE, not 'souled-out' to advertisers, adds speed, security & reliability.
Does far more w/ far less more efficiently vs. addons (clarityray blockable, redundant + RAM/CPU wasteful & 'souled-out' crippled by default) & local DNS servers @ home.
Fixes DNS' security issues & stops tracking @ webpage + DNS levels via 1 file you NATIVELY have!
(Firewalls do rest on FAR less used IP address trackers/threats vs. host-domain names).
-
Obtains data vs. online threats & ads via 10 reputable security community sites - easily edited by you using my program.
-
SPEEDS YOU UP 2 ways:
Adblocking ALL ads + local RAM cached favorite sites @ TOP of hosts for faster resolution vs. remote DNS (for reliability + speed) vs. other "so-called security 'solutions'" SLOWING YOU!
-
All via what you already have vs. illogically "bolting on browser addons 'MOAR'" (clarityray detected/blockable + usermode slow & increased messagepassing, cpu + ram overheads)
-
MalwareBytes' hpHosts Admin (MalwareBytes employee verified it's source as safe http://forum.hosts-file.net/vi... ) hosts & recommends it -> http://hosts-file.net/?s=Downl...
&
MalwareBytes = BEST antivirus per a VERY recent testing of them all http://www.av-test.org/en/news...
&
It's safe proven by 57 antivirus programs in BOTH its 64-bit model https://www.virustotal.com/en/...
+
32-bit model https://www.virustotal.com/en/...
&
Installer-> http://f.virscan.org/APKHostsF...
-
* "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend".
APK
P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:
"The image this title brings to mind is a mighty military commander who can at a mere word summon rank upon rank of protective power" -> https://answers.yahoo.com/ques... & THE WORD = hosts!
(Accept NO substitutes)
...apk
Petition for redress by Anonymous Coward · 2016-02-17 15:52 · Score: 0

https://petitions.whitehouse.gov//petition/quash-apple-iphone-order-disable-security-protocols
ITUNES account? by Anonymous Coward · 2016-02-17 18:25 · Score: 0

So I have limited experience with iPhones. I use on for work to make calls and check email, but that's about it. When I locked myself out of it after being on vacation for a while, I was able to reset it via iTunes and it offered me the option to back up my data. I opted to just wipe the thong since I didn't care and needed to update IOS anyway so I have not done this, but can't the government just subpoena Apple to change the iTunes pasword and then do the backup to iTunes and reset the phone, change the lock code and then log in?
P.S. I bet the PIN is 1911.
Awww, poor webwally EXPOSED... apk by Anonymous Coward · 2016-02-17 19:27 · Score: 0

I'm no pedo and you're the one "ReAcTiNg" to my making YOU dance to truth, webweasel!
APK
P.S.=> And you KNOW it - everyone else does... lol! apk
finger swipe by Anonymous Coward · 2016-02-18 00:38 · Score: 0

use his dead finger to open the phone if it has fingerprint biometrics...
Demanding access is not the right solution by Anonymous Coward · 2016-02-18 05:33 · Score: 0

Why not employ hackers, really smart people who can bypass the security and access the content without any problem? All this muscle really.. Brawl instead of brain hmmm...
We need new judges by rhyous · 2016-02-18 06:22 · Score: 1

This is not how I want our government to operate.
Governments must NOT have back doors. The threat of such power outweighs the benefit.
This might be a very silly idea ... by Anonymous Coward · 2016-02-18 08:11 · Score: 0

But could the locked data be duplicated several times in order to allow more tries? It might take well over a million duplications, and be quite wasteful in any normal situation...but when dealing with terrorists...
Re:read the Ex Parte DOJ filing for the correct st by Anonymous Coward · 2016-02-18 12:29 · Score: 0

but can they be removed and installed on another device with the correct hardware and software?
Re:read the Ex Parte DOJ filing for the correct st by Anonymous Coward · 2016-02-18 14:39 · Score: 0

nice comment, but it only highlights the elephant in the room- why the fuck doesn't the fbi just do it themselves? Are they really claiming to lack the skill? Sounds to me like they are being embarassingly (to all of us as our nations protectors) lazy.
The Stupid! It BURRRNNNZES US! by metaforest · 2016-02-18 14:51 · Score: 1

I could not believe the amount of stupid this story generated here and in the rest of the media. Only 5 posts here referenced the definitive white paper that explains in gloriously gory detail what Apple did to secure the iPhone 5 and later models.
If Apple implemented this encryption system correctly, as described in that document, it cannot be broken*, even with a custom iOS image, because all key material and control over the internal parameters, preferences, and machine-state of the Secure Enclave are dependent on iOS tossing the correct user PIN/PASSPHRASE over the wall to that chip. Until that is done, the only way to decrypt the storage on that iPhone is to brute force AES-256.
IMO: The FBI is pursuing a Hail Mary and the judge is buying it hook line and sinker**, because they are even more ignorant that the FBI and the rest of of us here about how this security system works. If anything this will be used by the Gov. to attempt to stir Legislators to get backdoors mandated. As anyone with half a functioning braincell knows, mandating such is pure, undiluted, stupid! And I think the Gov. knows this. I think they simply don't give a shit.
*without a truly heroic effort from top shelf hackers, who make absolutely zero mistakes in their execution.
**I don't think this judge believes that Apple did what that White Paper claims they did. It will be interesting to see if Apple can prove that the system is implemented correctly, because I think that will be a key factor in how this all settles out, and what comes next.
Government Tech. CHANGED it!!! by linuxiac · 2016-02-21 02:33 · Score: 1

Latest news is: within 24 hours of getting custody of the phone, a Government Technician, without asking, and having no mandate, no permission, to do so, CHANGED the password!!! That action just might have lost data that had not been uploaded to iCloud since 1-1/2 months BEFORE the massacre in the County "GUN FREE ZONE"!!! Government again inserts foot into mouth, then shoots foot, hits brain!
Brute-force AES by Anonymous Coward · 2016-02-21 19:44 · Score: 0

Why can't they just brute force the AES key using the birthday attack?