Slashdot Mirror


Congressman: Court Order To Decrypt iPhone Has Far-Reaching Implications (dailydot.com)

Patrick O'Neill writes: Hours after Apple was ordered to help the FBI access the San Bernardino Shooters' iPhone, Rep. Ted Lieu (D-Calif.), a Stanford University computer-science graduate, wondered where the use of the All Writs Act—on which the magistrate judge based her ruling—might lead. "Can courts compel Facebook to provide analytics of who might be a criminal?" Lieu said in an email to the Daily Dot. "Or Google to give a list of names of people who searched for the term ISIS? At what point does this stop?"
Apple, so far, has vowed to fight the order that it decrypt the phone of San Bernardino shooter Syed Rizwan Farook, in no uncertain terms.

27 of 400 comments

  1. Don't see the problem by Anonymous Coward · · Score: 2, Insightful

    If you go through the legal process and get a court order that is the system working as intended. It's when they want backdoors and unregulated access to your information that it's a problem.

    1. Re:Don't see the problem by Errol+backfiring · · Score: 4, Insightful

      And if you read the article, you see that Apple states that this is a backdoor.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    2. Re:Don't see the problem by Anonymous Coward · · Score: 1, Insightful

      If you go through the legal process and get a court order that is the system working as intended. It's when they want backdoors and unregulated access to your information that it's a problem.

      If Apple can circumvent the protection of the private data, anyone with the right tools/data can do so. That's a backdoor by definition.

    3. Re:Don't see the problem by Holi · · Score: 2, Insightful

      Cooperating fully would mean implementing a backdoor, not patching one that already exists. Kind of kills your line of reasoning.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    4. Re:Don't see the problem by rickb928 · · Score: 1, Insightful

      Government (U.S. government, to be clear) has not always had the ability to intercept any of my communications:

      - Walking in a field, writing notes to a companion, who eats the note after reading it. I reciprocate. We shield these notes from being viewed overhead.

      - One-time pads, sufficiently complex, are virtually unbreakable. I still have a working OTP email client, and can distribute it to a correspondent securely (in person) to establish an email method that will deny even state-level decryption. The publisher advises me I need to expand the recommended seed from 8 bytes to 24 bytes to be reasonably secure. Done.

      I'm pretty certain there are other methods, including current iPhone encryption, apparently...

      While the court system in this case is working as intended, I'll bet that the Federal government has already issued a FISA request, and we are unaware of it. Working as intended. But I do not believe FISA courts should operate entirely in the dark. I just don't know how to handle these requests.

      Knowing that a former Secretary of State operated their own email server in a manner that a fairly knowledgeable system administrator would recognize as vulnerable to the known capabilities of state-sponsored attempts to compromise it and extract the contents, it's almost disingenuous for the government to claim security is both essential and working at the highest levels, when they knew or should have known that a Cabinet officer was subverting that security. They just were. Reasonable people and those skilled in the art cannot avoid coming to that conclusion based on the publicly known evidence.

      Our government isn't very good at protecting our rights, nor at its own operations. Good enough reason to limit our government to essential activities only.

      And I pray Apple actually tries to break their own encryption and fails. Security shouldn't be reserved to the few. In a nominally free society we will not have perfect security, but we will have, hopefully, more freedom than not.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    5. Re:Don't see the problem by stealth_finger · · Score: 3, Insightful

      the correct action would be to cooperate fully right now, and patch the back door. That way current case proceeds, and future similar situations are not feasible because the backdoor doesn't exist.

      they'll have to open up a very public case "forcing" Apple to put in a back door, where apple would have a lot firmer leg to stand on as opposed to not cooperating with this investigation.

      The problem is the FBI then have this version of iOS with stripped out security that they can then theoretically install on any iphone they want to grab all the data. They say it will only be used this one time for this one thing but if you believe that there's a lovely bridge I have for sale.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    6. Re:Don't see the problem by Anonymous Coward · · Score: 2, Insightful

      There's no need to talk about slippery slopes. This is already it. This is the government asking for a fully back doored version of iOS to exist. Once that happens, it's only a matter of time before some set of bad guys (be that overzealous gvmnt employees without a court order, or criminals wanting to break into any iPhone they pick up off the street) gets hold of the back doored version, and exploits it.

    7. Re: Don't see the problem by JaiWing · · Score: 1, Insightful

      The point is, Apple doesn't have this data. The phone contains the data. The phone is in the possession of the FBI, not Apple. The FBI will (most likely) NOT allow Apple to possess the phone.
      So, the only solution is for Apple to create an OS for the phone that bypasses the security wipe feature, allowing a brute force attack to be carried out. Why would Apple want to create, at their expense (I am a taxpayer, and I don't want to pay for this), a product with no value to the public?
      Effectively, a court ordered them to do exactly that.
      Now another, unlikely, solution is for the FBI to place the phone in Apple's possession, Apple then applies the newly developed OS to the phone then runs the brute force attack to decrypt the phone then changes the pin then reinstalls a factory OS and then returns the phone to the FBI along with the new pin. All at Apple's expense. Unlikely for many reasons.

    8. Re:Don't see the problem by Obfuscant · · Score: 1, Insightful

      Apple states this is a backdoor, which THEY PUT INTO THE SYSTEM just so they could support customers who forget their encryption keys. They did this of their own free will, and they have no problem using it when a customer asks. They even have no problem using it when the employer of a customer asks. A friend of mine passed away, and Apple happily unlocked his Macbook so the employer could look through all his files for anything work related.

      But when a court issues the appropriate warrant regarding one person's phone, who is under indictment for a mass-shooting incident of many innocent people in a disability assistance facility, they say "no way". It becomes a case of unwarranted government surveillance and eavesdropping on everyday citizens, and we certainly cannot have that. "What's next", some mass intrusion into the daily lives of Mom and Pop and little Billy for searching for the word ISIS on Google? No, what's next is the next warrant for the next alleged criminal to look at one phone for evidence of that specific crime.

      Apple is in the wrong on this.

    9. Re:Don't see the problem by Etcetera · · Score: 1, Insightful

      If you go through the legal process and get a court order that is the system working as intended.

      No, you're missing the point.
      Apple is not on trial here. Apple is not part of the investigation or under investigation. Apple made a phone, and now the government wants to FORCE Apple to help them access the information on it. Because apparently the FBI is incompetent and the NSA apparently won't help them. You know, two agencies with massive operational budgets who exist specifically to be experts at this kind of shit.

      You seem to fail to understand that that's perfectly allowed by both case law, and common law tradition. In some counties in some states, it's a crime to fail to assist a Sheriff in the making of an arrest, so long as the instruction is reasonable.

  2. Thanks Apple by Anonymous Coward · · Score: 5, Insightful

    I'm not an iPhone user but I appreciate you standing up for people's privacy. I have a better chance of winning the lottery than dying at the hands of a terrorist. Why would I want to lose my privacy over those odds?

  3. Unless Apple Lied by Holi · · Score: 1, Insightful

    If Apple was telling the truth, the court order should not matter. Apple has already claimed that they cannot decrypt the phone.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    1. Re:Unless Apple Lied by ugen · · Score: 5, Insightful

      It's a big deal because complying with *any* request to modify software for use of LEA now will mean that they (and other manufacturers) will have to comply with *all* requests to modify software in the future. In the eyes of the law there is no difference in what technical capability is being implemented, only that some sort of technical capability can be implemented at the direction of LEA. Once open, this door cannot be closed.

    2. Re:Unless Apple Lied by torkus · · Score: 4, Insightful

      And just to pound the point home, both are true:

      Once the legal door has been opened (it becomes OK to require companies build back doors)...
      Once the technical door has been opened (backdoor to firmware)...

      Open either door and there's no closing them. What's truly ironic is there was a huge uproar a year or so ago about backdoors in network gear coming out of China ... and now the US is literally asking for the same thing to be created for them.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    3. Re:Unless Apple Lied by gstoddart · · Score: 3, Insightful

      And, the US (and US made products) will irrevocably cease to be trustworthy.

      Once the US does this, everyone in the world MUST assume these companies have built this in, that the US government can access it, and that Apple will be forced to roll over for any other government.

      I'm not sure people understand just how much of a global clusterfuck of undermining rights and freedoms the US is doing here -- it's time to stop pretending to be champions of freedom and liberty when you have actively decided to do the opposite.

      If Apple caves on this, every piss-pot dictator will insist on the same access.

      What the FBI is demanding is full Big Brother status.

      --
      Lost at C:>. Found at C.
  4. Re:They aren't ordering Apple to decrypt it by bigpat · · Score: 4, Insightful

    This is the only good explanation I've seen of what the order is about:

    https://www.techdirt.com/artic...

    As long as Apple can install a signed update on the device without decrypting it first, this will be possible. They need to remedy that quickly.

    Yes, Apple has all along insisted that they can't break the encryption on the phone. But the FBI apparently knows they can and wants them to do it. That means there is already effectively a back door and they just need Apple to sign the software update. So Apple has been lying.

  5. No uncertain terms? by Anonymous Coward · · Score: 3, Insightful

    If I read Apple's "customer letter" correctly, they very well have the ability to create the software that is demanded of them, and decrypt that phone. Whether that software already exists or not is immaterial. If it is possible to create the software and use it on existing devices, then for all intents and purposes the backdoor is already there. Apple just doesn't want to open it, because they rightly fear losing the trust of their customers - trust which, following this interpretation, is unfounded.

    1. Re:No uncertain terms? by TheCastro1689 · · Score: 4, Insightful

      You can't force a company to spend money and man hours making something that doesn't exist so that you can use their product the way you want to,

  6. Re:Shielding murderers and the accomplices by moronoxyd · · Score: 4, Insightful

    This isn't just about two terrorists.
    Once Apple has complied and built the tools necessary, the tool can and will be used elsewhere.

    And what the LEOs don't understand or willfully ignore, is that if a backdoor exists, pretty much everybody can use it. If Apple creates this modified firmware for the US government, other governments around the world will demand access, too. And sooner or later, this firmware will get in the hand of non-government actors with criminal intent, too.

  7. Backdoors for everyone by sjbe · · Score: 1, Insightful

    If you go through the legal process and get a court order that is the system working as intended.

    Not when the court doesn't really understand the full ramifications of what they are ordering. You can have due process and end up with a terrible ruling if the court is clueless. Hopefully it will be sorted out in due course. Apple is clearly correct in their position as far as I can tell.

    It's when they want backdoors and unregulated access to your information that it's a problem.

    In this case the court is apparently ordering Apple to CREATE a backdoor since one supposedly does not currently exist. This is a terrible idea for reasons too numerous for me to mention here. You cannot create a backdoor for one party without creating it for ALL parties. If you don't see how that is a problem then I can't help you.

  8. Is what the FBI ask Apple feasible, or not ? by fgrieu · · Score: 2, Insightful

    There is something that does not add up in Apple's discourse at http://www.apple.com/customer-...

    Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

    The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor.

    I read what the FBI asks as: install a piece of code that allows the phone's content to be examined. I see no middle ground between

    1) running such piece of code (probably: after getting it signed by Apple) is possible without the owner's passcode; the iPhone is in fact already backdoored, with Apple holding the key, the FBI wants Apple to exploit the vulnerability/open the backdoor, and Apple does not want to bow, because that's against their policy.

    2) running a piece of code signed by Apple also requires the owner's passcode; then the solution pushed by the FBI just can't work.

    If the facts were 2, Apple could just state this to the FBI, showing the source code as proof. The FBI would have no choice but take it as fact (perhaps they would ask a change in the future, but it would not help immediately for this iPhone). I conclude the true story is 1, and Apple slightly misrepresents things stating the FBI wants the creation of a backdoor, when there's already one, only well locked and never previously used for nefarious purposes.

  9. Because politicians believe in magic... by gestalt_n_pepper · · Score: 4, Insightful

    There Is No Such Thing as Magic. If there is a known backdoor, it will be found and exploited. This can't be prevented, and honestly (Take note, politicians)...

    That means that the content on anyone's phone can be stolen. Not just anyone's phone, but the phone of every politician in the world.

    Be careful what you wish for.

    --
    Please do not read this sig. Thank you.
  10. Another analogy by bangular · · Score: 2, Insightful

    Government to Apple: "Develop the atom bomb. It will only be used just this once and then you can throw away the technology. Also, develop it on your dime."

  11. Re:Shielding murderers and the accomplices by kilfarsnar · · Score: 1, Insightful

    Why would Apple want to shield the communications of mass murderers and their accomplices whom the FBI is trying to track down?

    Mass murderers? Has someone been convicted?

    What we have here are people being accused of murder. To my knowledge no one has been convicted. So let's not go throwing out the presumption of innocence just because you saw something on TV.

    --
    "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
  12. Re:Preaching to the choir by halivar · · Score: 3, Insightful

    You joke, but many people there are actually saying things like this. I see comments calling for Tim Cook to be charged with treason, saying Apple shouldn't be able to do business in the U.S., etc.

    To be fair, you see these same exact comments on Slashdot; just for different reasons.

  13. What this (probably) means to you! by cfalcon · · Score: 4, Insightful

    The order implies that Apple is capable of delivering a remote update, or that forcing an update locally is possible if you have physical access. It also implies that portions of the security models are enforced by software that is vulnerable to "update", such as the wipe-after-ten-tries (presumably that code will be replaced with a no-op) and the code entry delay in excess of that which is enforced by hardware.

    Whether Apple is compelled to do this or not, the natural concern is "well how much of my data is shielded by math, how much by hardware, and how much by software"?

    You can't bargain with math, you have a devil of a time working out hardware, and software alone is meaningless as a defense.

    It appears that your best bet for security is either:

    1)- A multi-character password that is easy to enter (and you'll remember it if it's your phone password, lol), but reasonably short. This is if you trust that the 80ms hardware delay can't be broken. This precludes the use of 4 and 6 digit PINs, as a 4 digit PIN will usually fall after a few minutes of this treatment, and a 6 digit PIN after around half a day. An 8 digit password consisting of a completely random set of just the visible lowercase letters (aka, no actual English words) at this rate is hundreds of years, and adding stuff that's harder to enter quickly (capitals, numbers, special characters) makes it much more secure, as does lengthening the password slightly. The challenge here is that passwords are usually chosen to be words, greatly reducing the entropy. And again, this assumes that the 80ms hardware delay is not defeatable.

    2)- A fully secure crypto passphrase. This is the level of drama you would go through to password protect a drive or something you take very seriously, and as such it would be a lot more than 8 characters. Your passphrase is long, contains several unpredictable parts, and makes use of more than just a statistically predictable subset of words and characters. You can set this on the iPhone, of course, but this kind of protection is not trivial to type in. In this case, you are trusting the math only, however, and assuming that the software will be compelled by the government, and the hardware will be owned by a team skilled in this matter.

    Going forward, Apple should probably move the "erase after 10 tries" into the secure portion of the phone, such that it has a protected portion that can't be overwritten without access to the PIN. This will also make them immune to this sort of order in the future.
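
Added example, not part of the comment above or of the original thread: the passcode timing estimates from that comment, worked through at the 80 ms per-attempt delay it cites, plus the shortest random passcode that reaches a chosen average search time. It assumes uniformly random passcodes, a delay that cannot be bypassed, and no auto-erase; the policy list and function names are constructed for illustration.

```python
"""Added example: exhaustive passcode search time at a fixed per-attempt delay."""

ATTEMPT_DELAY_S = 0.080              # 80 ms hardware delay cited in the comment
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed passcode policies: (label, alphabet size, length).
POLICIES = [
    ("4-digit PIN", 10, 4),
    ("6-digit PIN", 10, 6),
    ("8 random lowercase letters", 26, 8),
    ("8 random letters and digits", 62, 8),
]


def search_seconds(alphabet, length, delay=ATTEMPT_DELAY_S, worst_case=True):
    """Time to try every passcode (worst case) or to hit a random one on average."""
    space = alphabet ** length
    tries = space if worst_case else (space + 1) / 2
    return tries * delay


def min_length(alphabet, target_years, delay=ATTEMPT_DELAY_S):
    """Shortest random passcode whose average search time reaches target_years."""
    target_tries = target_years * SECONDS_PER_YEAR / delay
    length = 1
    while (alphabet ** length + 1) / 2 < target_tries:
        length += 1
    return length


def humanize(seconds):
    """Render a duration in the largest unit that keeps the value >= 1."""
    units = (("years", SECONDS_PER_YEAR), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def report(policies=POLICIES):
    """Return (label, average, worst case) rows as readable strings."""
    return [
        (label,
         humanize(search_seconds(a, n, worst_case=False)),
         humanize(search_seconds(a, n)))
        for label, a, n in policies
    ]


if __name__ == "__main__":
    for label, avg, worst in report():
        print(f"{label:30} average {avg:>16}   worst case {worst:>16}")
    for label, a in (("digits", 10), ("lowercase", 26), ("letters+digits", 62)):
        print(f"{label}: {min_length(a, 100)} characters "
              f"for a 100-year average search")
```

The figures hold only for passcodes drawn uniformly at random; a dictionary word or a date shrinks the effective search space far below the alphabet-and-length estimate.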

  14. It's really nice they're letting Apple fight it by HeckRuler · · Score: 4, Insightful

    I presume that some congressman pushed the FBI to make this request out in the open just for the purpose of fighting it in court. All in all it's a good thing. Defending civil rights and all that.

    But if the FBI ACTUALLY wanted this information they would have simply given Apple a gag order along with it. Or asked the NSA to do that for them. It's even their purpose, fighting terrorism, right? This falls SQUARELY under the domain of shit they've strong-armed and gagged companies into helping them with. The fact that we're even hearing about it has to be some sort of process manipulation.