Slashdot Mirror
Congressman: Court Order To Decrypt iPhone Has Far-Reaching Implications (dailydot.com)
Patrick O'Neill writes: Hours after Apple was ordered to help the FBI access the San Bernardino Shooters' iPhone, Rep. Ted Lieu (D-Calif.), a Stanford University computer-science graduate, wondered where the use of the All Writs Act—on which the magistrate judge based her ruling—might lead. "Can courts compel Facebook to provide analytics of who might be a criminal?" Lieu said in an email to the Daily Dot. "Or Google to give a list of names of people who searched for the term ISIS? At what point does this stop?"
Apple, so far, has vowed to fight the order that it decrypt the phone of San Bernadino shooter Syed Rizwan Farook, in no uncertain terms.
Apple, so far, has vowed to fight the order that it decrypt the phone of San Bernadino shooter Syed Rizwan Farook, in no uncertain terms.
If you go through the legal process and get a court order that is the system working as intended. It's when they want backdoors and unregulated access to your information that it's a problem.
This is the only good explanation I've seen of what the order is about: https://www.techdirt.com/artic... As long as Apple can install a signed update on the device without decrypting it first, this will be possible. They need to remedy that quickly.
Error 404 - Sig Not Found
>> "Can courts compel Facebook to provide analytics of who might be a criminal?...Or Google to give a list of names of people who searched for the term ISIS?
Facebook already publishes a guide for law enforcement: https://www.facebook.com/safet...
Google does too: https://www.google.com/transpa...
'The All Writs Act is a United States federal statute, codified at 28 U.S.C. 1651, which authorizes the United States federal courts to "issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.'
"On October 31, 2014, the act was used by the U.S. Attorney's Office in New York to compel an unnamed smartphone manufacturer to bypass the lock screen of a smartphone allegedly involved in a credit card fraud."
Looks like there is a precedent. Mind you Apple has lots of money for lawyers to make sure this doesn't happen.
I am not interested in articles about life extension advancements.
If they stuck to specific warrants like they were supposed to, people would have less problem.
As for your idea, there are billions around the world who do not share your joy at government officials being able to read their stuff, limited only to their self-decided limits of appropriateness, like Russia, China, and the Mid East.
We must forbid building the 1984-like tools of tyrrany.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
I'm not an iPhone user but I appreciate you standing up for people's privacy. I have a better chance of winning the lottery than dieing at the hands of a terrorist. Why would I want to lose my privacy over those odds.
If I read Apple's "customer letter" correctly, they very well have the ability to create the software that is demanded of them, and decrypt that phone. Whether that software already exists or not is immaterial. If it is possible to create the software and use it on existing devices, then for all intents and purposes the backdoor is already there. Apple just doesn't want to open it, because they rightly fear losing the trust of their customers - trust which, following this interpretation, is unfounded.
The court isn't asking for Apple to decrypt the phone, but for them to provide a special signed firmware that disables certain features meant to protect the encrypted data against brute-forcing.
If the crypto is up to snuff and a strong key was used then brute force will fail anyway, so I don't understand why this is such a big deal to Apple.
You obviously didn't bother to read Apple's response to this. They are not asked to decrypt the phone, they have been asked to 1.) remove firmware protection that wipes the device after 10 unsuccessful access attempts, if enabled, and 2.) provide firmware that somehow circumvents the built-in progressive delays so that brute forcing the password is possible by hooking up some device to the phone.
Basically, they are asking Apple for custom firmware/OS that renders security features useless that would make attacks on the PIN codes or passphrase impractical. It is Apple's position that once Apple has created this custom firmware/OS combo, then they are virtually guaranteed that they will be forced to provide it again and again, thereby essentially creating a government backdoor.
This isn't just about two terrorists.
Once Apple complied and build the tools necessary, the tool can and will be used elsewhere.
And what the LEOs don't understand or willfully ignore, is that if a backdoor exists, pretty much everybody can use it. If Apple creates this modified firmware for the US government, other governments around the world will demand access, too. And sooner or later, this firmware will get in the hand of non-government actors with criminal intend, too.
It's a big deal because complying with *any* request to modify software for use of LEA now will mean that they (and other manufacturers) will have to comply with *all* requests to modify software in the future. In the eyes of the law there is no difference in what technical capability is being implemented, only that some sort of technical capability can be implemented at the direction of LEA. Once open, this door cannot be closed.
There is something that does not add up in Apple's discourse at http://www.apple.com/customer-...
Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.
The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor.
I read what the FBI asks as: install a piece of code that allows the phone's content to be examined. I see no middle ground between
1) running such piece of code (probably: after getting it signed by Apple) is possible without the owner's passcode; the iPhone is in fact already backdoored, with Apple holding the key, the FBI wants Apple to exploit the vulnerability/open the backdoor, and Apple does not want to bow, because that's against their policy.
2) running a piece of code signed by Apple also requires he owner's passcode; then the solution pushed by the FBI just can't work.
If the facts where 2, Apple could just state this to the FBI, showing the source code as proof. The FBI would have no choice but take it as fact (perhaps they would ask a change in the future, but it would not help immediately for this iPhone). I conclude the true story is 1, and Apple slightly misrepresents things stating the FBI wants the creation of a backdoor, when there's already one, only well locked and never previously used for nefarious purposes.
There Is No Such Thing as Magic. If there is a known backdoor, it will be found and exploited. This can't be prevented, and honestly (Take not, politicians)...
That means that the content on anyone's phone can be stolen. Not just anyone's phone, but the phone of every politician in the world.
Be careful what you wish for.
Please do not read this sig. Thank you.
Head over to NY Times and Washington Post websites and look at the comments. You joke, but many people there are actually saying things like this. I see comments calling for Tim Cook to be charged with treason, saying Apple shouldn't be able to do business in the U.S., etc. The reason shit like this flies in the U.S. is not because of slashdoters, it's people like that who vote congress critters into office.
Government to Apple: "Develop the atom bomb. It will only be used just this once and then you can throw away the technology. Also, develop it on your dime."
And just to pound the point home, both are true:
Once the legal door has been opened (it becomes OK to require companies build back doors)...
Once the technical door has been opened (backdoor to firmware)...
Open either door and there's no closing them. What's truly ironic is there was a huge uproar a year or so about backdoors in network gear coming out of china ... and now the US is literally asking for the same thing to be created for them.
You can get rich if you own a politician, but you have to be rich to buy one in the first place.
This particular phone's owner deserves no mercy. But that's not the point, or at least not the whole point. If Apple can do this to one phone, they can do it to any phone; and if the government can make Apple do it to the phone of a dead murderer who doesn't deserve legal protection, then the government can make Apple do it do it to the phone of a live whistleblower who DOES deserve legal protection. My title comes from an era of free speech rights debates inspired by porn cases; the fact that a particular image is disgusting, like the fact that a particular case involves a murderer, does not justify changing our checks and balances for "just this case", because the precedent will be used to justify many more cases.
No, they claimed that they cannot decrypt their current phones (i.e. ones with TouchID + Secure Enclave running iOS 8 or 9). This model is an iPhone 5c (i.e. three generations old) that lacks the protections of their current phones and thus is susceptible to the sort of attack being proposed by the FBI. Apple has pointed out that complying with this order would jeopardize their business by making it seem as if they're lying about the security of their current phones, since the public won't understand the distinction. Your comment is evidence in support of their concern.
Can't put the shit back in the horse
Sounds like you haven't done much surfing on the net.
Time to offend someone
Well, one Apple-Hater hates a little less.
https://www.youtube.com/c/BrendaEM
The order implies that Apple is capable of delivering a remote update, or that forcing an update locally is possible if you have physical access. It also implies that portions of the security models are enforced by software that is vulnerable to "update", such as the wipe-after-ten-tries (presumably that code will be replaced with a no-op) and the code entry delay in excess of that which is enforced by hardware.
Whether Apple is compelled to do this or not, the natural concern is "well how much of my data is shielded by math, how much by hardware, and how much by software"?
You can't bargain with math, you have a devil of a time working out hardware, and software along is meaningless as a defense.
It appears that your best bet for security is either:
1)- A multi-character password that is easy to enter (and you'll remember it if its your phone password, lol), but reasonably short. This is if you trust that the 80ms hardware delay can't be broken. This precludes the use of 4 and 6 digit PINs, as a 4 digit PIN will usually fall after a few minutes of this treatment, and a 6 digit PIN after around half a day. An 8 digit password consisting of a completely random set of just the visible lowercase letters (aka, no actual english words) at this rate is hundreds of years, and adding stuff that's harder to enter quickly (capitals, numbers, special characters) makes it much more secure, as does lengthening the password slightly. The challenge here is that passwords are usually chosen to be words, greatly reducing the entropy. And again, this assumes that the 80ms hardware delay is not defeatable.
2)- A fully secure crypto passhprase. This is the level of drama you would go through to password protect a drive or something you take very seriously, and as such it would be a lot more than 8 characters. Your passphrase is long, contains several unpredictable parts, and makes use of more than just a statistically predictable subset of words and characters. You can set this on the iphone, of course, but this kind of protection is not trivial to type in. In this case, you are trusting the math only, however, and assuming that the software will be compelled by the government, and the hardware will be owned by a team skilled in this matter.
Going forward, Apple should probably move the "erase after 10 tries" into the secure portion of the phone, such that it has a protected portion that can't be overwritten without access to the PIN. This will also make them immune to this sort of order in the future.
And, the US (and US made products) will irrevocably cease to be trustworthy.
Once the US does this, everyone in the world MUST assume these companies have built this in, that the US government can access it, and that Apple will be forced to roll over for any other government.
I'm not sure people understand just how much of a global clusterfuck of undermining rights and freedoms the US is doing here -- it's time to stop pretending to be champions of freedom and liberty when you have actively decided to do the opposite.
If Apple caves on this, every piss-pot dictator will insist on the same access.
What the FBI is demanding is full Big Brother status.
Lost at C:>. Found at C.
What the court (and the idiot sitting in the big chair) see as "reasonable" may not be reasonable to Apple, or anyone else.
Additionally, such a nebulous term is horribly susceptible to "moving goalposts". Apple decides to cave, gets so far, and doesn't think it reasonable to go any further. But now that they've caved, the government and the idiot in the big chair come back with "Well, you've gotten THIS far, you may as well see it through!"
The appropriate answer to this is "There is no technical way to do this." And when asked or told to devise one on their own dime, they should be told "There is no legitimate business use for this, if it is even possible." and fight it to the bitter end.
Chas - The one, the only.
THANK GOD!!!
But for this specific case only.
There is no such thing as a single case back door. Either the software is secure for all or it isn't secure at all. There is no middle ground here.
I don't understand why this can't be in a temporary fashion, specific to this particular iphone, and only for this specific case.
Because once you develop the software you can't un-develop it and it WILL be used again. The government is ordering Apple to develop what amounts to a backdoor. Apple is (very sensibly) fighting against this because it is a terrible idea with far reaching consequences. Once they develop the software then you can be certain as the sun rising tomorrow that the government would order it to be used in the future. Furthermore 2/3 of Apple's sales come from outside the US and if other countries governments/citizens believe Apple to be beholden to the US government it could very easily hurt their sales very badly.
Basically there is no upside for this for anyone except the investigators in this case. That is not sufficient justification for Apple to demolish everyone's privacy.
Apple is in the right and Google and Microsoft should be backing Apple on this one.
And I say this as a long time hater of all things Apple. I own nothing from Apple. Never have. I fucking detest Apple. Look at any post of mine here on /. for almost 20 years and you will see that this is the very first post I have ever made here saying ANYTHING positive about Apple.
But they are so in the right on this one. Our devices are our own personal data archives on a level way beyond our houses or safes. It is an extension of our brains. While we may not have the technology just yet, imagine if a court ordered you to have your personal memories residing in your physical brain extracted. This is the same thing. People put info on their phones with a full expectation of privacy, regardless of if that expectation is realistic. If you think it's acceptable for the government to demand access to your most personal inner sanctum of being (your brain), then a brain extension like a personal phone or computer should also be inviolate.
This is so completely disgustingly wrong of anyone in government to expect such a thing, for any reason. Even for this reason. Extra ludicrosity because this is an after-the-fact demand, no matter what happens this will not bring one person back from the dead.
If you are about freedom in any way, then you should be completely against this horrid precedent ever being set. Your thoughts are your own, always.
I presume that some congressman pushed the FBI to make this request out in the open just for the purpose of fighting it in court. All in all it's a good thing. Defending civil rights and all that.
But if the FBI ACTUALLY wanted this information they would have simply given Apple a gag order along with it. Or asked the NSA to do that for them. It's even their purpose, fighting terrorism, right? This falls SQUARELY under the domain of shit they've strong-armed and gagged companys into helping them with. The fact that we're even hearing about it has to be some sort of process manipulation.
So by your very logic the software is already not secure - if it were, Apple wouldn't be able to retrofit a backdoor.
If the software does not currently exist to backdoor the device then it IS secure - for now. The fact that it might be possible to change that is a separate issue.
It's inherently insecure already and Apple are merely being asked to hack it.
This presumes that Apple can hack the device. It has not been conclusively established that this is possible. But let's presume that it is possible for argument's sake since if Apple can't do it then it isn't worthy of discussion. If Apple is able to hack into the device to retrieve the data then in theory the device is insecure in the same sense that a lock that can be picked is insecure. However the tools to hack the device (allegedly) do not currently exist so as things stand the device IS secure. If it wasn't then the FBI would not have any need to ask Apple to hack the device.
If it's secure then Apple can't introduce a backdoor, as the secure software prevents this.
That's like arguing that a lock is insecure because the technology exists to develop lock picks for it. Security is never absolute particularly when a party has physical access to the device. Apple should in principle have the best idea how to go about picking this particular "lock" just like one would expect the maker of a safe to have the best idea how to circumvent the security features of their own product.
I'm sorry but your assumptions precipitate a paradox.
Hardly. A device can be entirely secure today with full knowledge of how it can be made insecure tomorrow. The point is that asking Apple to facilitate this action would have the knock on effect of making ALL devices immediately insecure today instead of theoretically insecure tomorrow.
The technical door has been closed. This trick won't work on an iPhone 5S or later. There are doubtless other vulnerabilities, but the hardware security improvements on the more recent iPhones are impressive.
Now, my privacy technique is partly to be so boring no FBI agent will look through all my private stuff anyway, but that's not for everyone.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
The law says "reasonable", and asking for perfect code that's actually useful is unreasonable. Moreover, since Apple doesn't have to do it on their own dime, and getting near-perfect code requires NASA levels of expense, even the FBI is likely to get discouraged.
In this case, it's easy to see whether the code works: if the FBI runs through the possible PINs, and can do so in reasonable time without the encryption key getting wiped, the software worked.
In general, the court system doesn't produce stupid or ignorant rulings, and most of those can be dealt with with an appeal. It does produce what I believe to be wrong rulings sometimes, but not from lack of understanding the issues.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes