Slashdot Mirror


Congressman: Court Order To Decrypt iPhone Has Far-Reaching Implications (dailydot.com)

Patrick O'Neill writes: Hours after Apple was ordered to help the FBI access the San Bernardino Shooters' iPhone, Rep. Ted Lieu (D-Calif.), a Stanford University computer-science graduate, wondered where the use of the All Writs Act—on which the magistrate judge based her ruling—might lead. "Can courts compel Facebook to provide analytics of who might be a criminal?" Lieu said in an email to the Daily Dot. "Or Google to give a list of names of people who searched for the term ISIS? At what point does this stop?"
Apple, so far, has vowed to fight the order that it decrypt the phone of San Bernardino shooter Syed Rizwan Farook, in no uncertain terms.

14 of 400 comments

  1. They aren't ordering Apple to decrypt it by hawkeyeMI · · Score: 4, Informative

    This is the only good explanation I've seen of what the order is about: https://www.techdirt.com/artic... As long as Apple can install a signed update on the device without decrypting it first, this will be possible. They need to remedy that quickly.

    --
    Error 404 - Sig Not Found
    1. Re:They aren't ordering Apple to decrypt it by Dixie_Flatline · · Score: 4, Informative

      It's worth noting that this wouldn't work on any device that has a Secure Enclave and TouchID. The Secure Enclave can't be updated or tampered with without it erasing its keys, leaving the phone permanently encrypted. If the SE isn't modified, it imposes delays on responding to passcode requests so that after the 9th request, there's a delay of 1hr before you can try again.

      This article goes into more detail: http://blog.trailofbits.com/20...

      The phone in question is a 5c, so yes, Apple could theoretically do what is being asked of them. But the phones after that--no.

  2. Some of your questions may already have answers. by xxxJonBoyxxx · · Score: 3, Informative

    >> "Can courts compel Facebook to provide analytics of who might be a criminal?...Or Google to give a list of names of people who searched for the term ISIS?"

    Facebook already publishes a guide for law enforcement: https://www.facebook.com/safet...
    Google does too: https://www.google.com/transpa...

  3. All Writs Act of 1789 by lazarus · · Score: 4, Informative

    "The All Writs Act is a United States federal statute, codified at 28 U.S.C. 1651, which authorizes the United States federal courts to 'issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.'"

    "On October 31, 2014, the act was used by the U.S. Attorney's Office in New York to compel an unnamed smartphone manufacturer to bypass the lock screen of a smartphone allegedly involved in a credit card fraud."

    Looks like there is a precedent. Mind you Apple has lots of money for lawyers to make sure this doesn't happen.

    --
    I am not interested in articles about life extension advancements.
  4. Re:Don't see the problem by Anonymous Coward · · Score: 3, Informative

    Technically they have. They've asked for a system to remove the passcode limitations to allow brute force attacks.

    This screams backdoor...

  5. Re:Unless Apple Lied by Anonymous Coward · · Score: 4, Informative

    The court isn't asking for Apple to decrypt the phone, but for them to provide a special signed firmware that disables certain features meant to protect the encrypted data against brute-forcing.

    If the crypto is up to snuff and a strong key was used then brute force will fail anyway, so I don't understand why this is such a big deal to Apple.

  6. Re:Unless Apple Lied by Anonymous Coward · · Score: 2, Informative

    You obviously didn't bother to read Apple's response to this. They are not asked to decrypt the phone, they have been asked to 1.) remove firmware protection that wipes the device after 10 unsuccessful access attempts, if enabled, and 2.) provide firmware that somehow circumvents the built-in progressive delays so that brute forcing the password is possible by hooking up some device to the phone.

    Basically, they are asking Apple for custom firmware/OS that renders security features useless that would make attacks on the PIN codes or passphrase impractical. It is Apple's position that once Apple has created this custom firmware/OS combo, then they are virtually guaranteed that they will be forced to provide it again and again, thereby essentially creating a government backdoor.

  7. Re:Don't see the problem by Anonymous Coward · · Score: 3, Informative

    You can't do the latter. The encryption key is split into fragments, baked into silicon in multiple chips, and the exponential timeout and wipe features are enforced by hardware.

    iOS may be a walled garden, but damn, the walls go down to the bedrock.

    See Apple's own iOS 9 security whitepaper or this fellow's succinct summary buried deep in the comments on Techdirt.

  8. "Bad cases make good law" (sometimes) by DutchUncle · · Score: 4, Informative

    This particular phone's owner deserves no mercy. But that's not the point, or at least not the whole point. If Apple can do this to one phone, they can do it to any phone; and if the government can make Apple do it to the phone of a dead murderer who doesn't deserve legal protection, then the government can make Apple do it to the phone of a live whistleblower who DOES deserve legal protection. My title comes from an era of free speech rights debates inspired by porn cases; the fact that a particular image is disgusting, like the fact that a particular case involves a murderer, does not justify changing our checks and balances for "just this case", because the precedent will be used to justify many more cases.

  9. Re:Don't see the problem by MachineShedFred · · Score: 2, Informative

    It's hardware based encryption, where half of the key comes out of a value burned into the CPU during manufacturing (and not recorded anywhere) combined with a value burned into the "Secure Enclave" during manufacturing (and not recorded anywhere). You take the storage image off the device, you lose half the key and you're fucked. You attempt to crack the PIN on device, you get 10 tries before the secure enclave overwrites the key with a new one, and you're fucked. If the auto-wipe was disabled by the user (it's on by default), then you get an ever-increasing time delay enforced by the hardware in between PIN attempts. It would take upwards of a year to brute-force a 4-digit PIN unless you get very lucky.

    Oh, and the setting for the automatic wipe as well as the half of the key generated from sensor entropy is cryptographically stored in the Secure Enclave, which you cannot image or change values of. The crypto key for that is the user's PIN / password.

    Is this impossible to break? Given near infinite resources, no. Is it hard enough that you could use the Theory of Limits from calculus to make it equal to impossible? Probably.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
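
Added example, not part of the comment above or of Apple's code: a small model of the attempt limiter that comment describes, used to check the "upwards of a year" figure and to show what removing the wipe and the delays changes. Only the 10-try wipe and the 1-hour delay after the 9th attempt come from the thread; the earlier delay steps, the 80 ms cost per guess, and all function names are assumptions.

```python
from collections import namedtuple

# Assumed escalating-delay schedule: failed attempts so far -> wait (seconds)
# before the next try. Only the 1-hour wait after the 9th failure and the
# wipe at 10 tries come from the thread; the other values are illustrative.
EARLY_DELAYS_S = {5: 60, 6: 300, 7: 900, 8: 900}
MAX_DELAY_S = 3600       # 1 hour, applied from the 9th failure onward
ATTEMPT_COST_MS = 80     # assumed on-device key-derivation cost per guess

Result = namedtuple("Result", "attempts seconds exhausted")

def delay_before_next(failures):
    """Seconds the limiter makes the caller wait after `failures` wrong guesses."""
    if failures >= 9:
        return MAX_DELAY_S
    return EARLY_DELAYS_S.get(failures, 0)

def worst_case(keyspace, wipe_after=10, enforce_delays=True):
    """Worst-case cost of trying every passcode on the device itself.

    wipe_after=None models auto-erase switched off; enforce_delays=False models
    firmware with the delay logic removed. Closed form, so large keyspaces are cheap.
    """
    attempts = keyspace if wipe_after is None else min(keyspace, wipe_after)
    total_ms = attempts * ATTEMPT_COST_MS
    if enforce_delays:
        early = sum(delay_before_next(f) for f in range(min(attempts, 9)))
        late = max(0, attempts - 9) * MAX_DELAY_S
        total_ms += (early + late) * 1000
    return Result(attempts, total_ms / 1000, attempts == keyspace)

def years(seconds):
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    cases = [
        ("4-digit PIN, wipe on, delays on", 10**4, 10, True),
        ("4-digit PIN, wipe off, delays on", 10**4, None, True),
        ("4-digit PIN, wipe off, delays off", 10**4, None, False),
        ("6-char [a-z0-9], wipe off, delays off", 36**6, None, False),
    ]
    for label, space, wipe, delays in cases:
        r = worst_case(space, wipe, delays)
        print(f"{label}: {r.attempts} tries, {r.seconds:,.0f} s "
              f"({years(r.seconds):.2f} y), keyspace exhausted: {r.exhausted}")
```

Under these assumptions the delays alone stretch a 4-digit search to a little over a year, while with both protections gone only the per-guess cost remains, so passcode length becomes the sole defence.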
  10. Re:Don't see the problem by bitingduck · · Score: 4, Informative

    Knowing that a former Secretary of State operated their own email server in a manner that a fairly knowledgeable system administrator would recognize as vulnerable to the known capabilities of state-sponsored attempts to compromise it and extract the contents, it's almost disingenuous for the government to claim security is both essential and working at the highest levels, when they knew or should have known that a Cabinet officer was subverting that security. They just were. Reasonable people and those skilled in the art cannot avoid coming to that conclusion based on the publicly known evidence.

    Our government isn't very good at protecting our rights, nor at its own operations. Good enough reason to limit our government to essential activities only.

    And I pray Apple actually tries to break their own encryption and fails. Security shouldn't be reserved to the few. In a nominally free society we will not have perfect security, but we will have, hopefully, more freedom than not.

    Don't overlook the Office of Personnel Management data breach, in which the OPM had such bad security that they effectively released to hackers the entire collection of background check information for all government personnel and contractors who need access to gov't facilities for everyone who filled out the forms from about 2000 to 2015. It wasn't just the form data (name, SSN, lists of associates to use for references, foreign travel history) - it was all the follow up data, too. Including responses from references, clearance interview details. It even included images of fingerprints if you went through the process since the PIV-II cards came into use. All of that information is now basically free on the internet. Forever. It's a phisher's (and foreign extortionist's) wet dream-- a complete set of collated, validated data, including associations and relationships, as well as potential dirt, on everyone who has worked for the US gov't (including many many contractors) for the past 15 years.

  11. Re:Don't see the problem by Gr8Apes · · Score: 1, Informative

    Apple states this is a backdoor...

    Apple is in the wrong on this.

    Read the actual order - it's absolutely the first statement, and they are not wrong. The order asks for far more than you imply. It asks Apple to

    1) disable the auto-erase function
    2) allow access via multiple protocols to attempt to break into the phone
    3) create a new codebase to allow unlimited cracking attempts on the phone. This last is a "root kit", and it does not exist today.

    As for your friend's MacBook, anyone can unlock a MacBook as long as FileVault is not enabled. If it's enabled, not even Apple (AFAIK) can unlock it without resorting to brute force or some other truly black hat worthy exploit.

    --
    The cesspool just got a check and balance.
  12. Re:Don't see the problem by AmiMoJo · · Score: 1, Informative

    The court order says that Apple should hard code the ID of the target phone into the software so it can't be used elsewhere. Of course they need to sign the binary so the FBI can't just tweak a few bytes. However, that still means:

    1. The FBI can say it's much less work next time, just change a few bytes and sign the binary! The "undue burden" defence goes away, unless Apple invests more time and energy in creating new undue burden.

    2. Maybe the FBI or NSA has Apple's signing keys, or knows a way to circumvent the signing requirement.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  13. Re:Don't see the problem by codeAlDente · · Score: 2, Informative

    'Slippery slope' cannot be a logical fallacy because it is not a logical proposition.

    --
    He once inserted random mutations into his code, just so he could have the experience of debugging.