Slashdot Mirror
Congressman: Court Order To Decrypt iPhone Has Far-Reaching Implications (dailydot.com)
Patrick O'Neill writes: Hours after Apple was ordered to help the FBI access the San Bernardino Shooters' iPhone, Rep. Ted Lieu (D-Calif.), a Stanford University computer-science graduate, wondered where the use of the All Writs Act—on which the magistrate judge based her ruling—might lead. "Can courts compel Facebook to provide analytics of who might be a criminal?" Lieu said in an email to the Daily Dot. "Or Google to give a list of names of people who searched for the term ISIS? At what point does this stop?"
Apple, so far, has vowed to fight the order that it decrypt the phone of San Bernadino shooter Syed Rizwan Farook, in no uncertain terms.
Apple, so far, has vowed to fight the order that it decrypt the phone of San Bernadino shooter Syed Rizwan Farook, in no uncertain terms.
And if you read the article, you see that Apple states that this is a backdoor.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
This is the only good explanation I've seen of what the order is about: https://www.techdirt.com/artic... As long as Apple can install a signed update on the device without decrypting it first, this will be possible. They need to remedy that quickly.
Error 404 - Sig Not Found
'The All Writs Act is a United States federal statute, codified at 28 U.S.C. 1651, which authorizes the United States federal courts to "issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.'
"On October 31, 2014, the act was used by the U.S. Attorney's Office in New York to compel an unnamed smartphone manufacturer to bypass the lock screen of a smartphone allegedly involved in a credit card fraud."
Looks like there is a precedent. Mind you Apple has lots of money for lawyers to make sure this doesn't happen.
I am not interested in articles about life extension advancements.
I'm not an iPhone user but I appreciate you standing up for people's privacy. I have a better chance of winning the lottery than dieing at the hands of a terrorist. Why would I want to lose my privacy over those odds.
Gee, and the FBI didn't think of this? You should tell them, I'm sure they'd be pleased to get this information.
The court isn't asking for Apple to decrypt the phone, but for them to provide a special signed firmware that disables certain features meant to protect the encrypted data against brute-forcing.
If the crypto is up to snuff and a strong key was used then brute force will fail anyway, so I don't understand why this is such a big deal to Apple.
You can't force a company to spend money and man hours making something that doesn't exist so that you can use their product they way you want to,
This isn't just about two terrorists.
Once Apple complied and build the tools necessary, the tool can and will be used elsewhere.
And what the LEOs don't understand or willfully ignore, is that if a backdoor exists, pretty much everybody can use it. If Apple creates this modified firmware for the US government, other governments around the world will demand access, too. And sooner or later, this firmware will get in the hand of non-government actors with criminal intend, too.
It's a big deal because complying with *any* request to modify software for use of LEA now will mean that they (and other manufacturers) will have to comply with *all* requests to modify software in the future. In the eyes of the law there is no difference in what technical capability is being implemented, only that some sort of technical capability can be implemented at the direction of LEA. Once open, this door cannot be closed.
There Is No Such Thing as Magic. If there is a known backdoor, it will be found and exploited. This can't be prevented, and honestly (Take not, politicians)...
That means that the content on anyone's phone can be stolen. Not just anyone's phone, but the phone of every politician in the world.
Be careful what you wish for.
Please do not read this sig. Thank you.
And just to pound the point home, both are true:
Once the legal door has been opened (it becomes OK to require companies build back doors)...
Once the technical door has been opened (backdoor to firmware)...
Open either door and there's no closing them. What's truly ironic is there was a huge uproar a year or so about backdoors in network gear coming out of china ... and now the US is literally asking for the same thing to be created for them.
You can get rich if you own a politician, but you have to be rich to buy one in the first place.
This particular phone's owner deserves no mercy. But that's not the point, or at least not the whole point. If Apple can do this to one phone, they can do it to any phone; and if the government can make Apple do it to the phone of a dead murderer who doesn't deserve legal protection, then the government can make Apple do it do it to the phone of a live whistleblower who DOES deserve legal protection. My title comes from an era of free speech rights debates inspired by porn cases; the fact that a particular image is disgusting, like the fact that a particular case involves a murderer, does not justify changing our checks and balances for "just this case", because the precedent will be used to justify many more cases.
No, they claimed that they cannot decrypt their current phones (i.e. ones with TouchID + Secure Enclave running iOS 8 or 9). This model is an iPhone 5c (i.e. three generations old) that lacks the protections of their current phones and thus is susceptible to the sort of attack being proposed by the FBI. Apple has pointed out that complying with this order would jeopardize their business by making it seem as if they're lying about the security of their current phones, since the public won't understand the distinction. Your comment is evidence in support of their concern.
Knowing that a former Secretary of State operated their own email server in a manner that a fairly knowledgeable system administrator would recognize as vulnerable to the known capabilities of state-sponsored attempts to compromise it and extract the contents, it's almost disingenuous for the government to claim security is both essential and working at the highest levels, when they knew or should have known that a Cabinet officer was subverting that security. They just were. Reasonable people and those skilled in the art cannot avoid coming to that conclusion baaed on the publicly known evidence.
Our government isn't very good at protecting our rights, nor at its own operations. Good enough reason to limit our government to essential activities only.
And I pray Apple actually tries to break their own encryption and fails. Security shouldn't be reserved to the few. In a nominally free society we will not have perfect security, but we will have, hopefully, more freedom than not.
Don't overlook the Office of Personnel Management data breach, in which the OPM had such bad security that they effectively released to hackers the entire collection of background check information for all government personnel and contractors who need access to gov't facilities for everyone who filled out the forms from about 2000 to 2015. It wasn't just the form data (name, SSN, lists of associates to use for references, foreign travel history) - it was all the follow up data, too. Including responses from references, clearance interview details. It even included images of fingerprints if you went through the process since the PIV-II cards came into use. All of that information is now basically free on the internet. Forever. It's a phisher's (and foreign extortionist's) wet dream-- a complete set of collated, validated data, including associations and relationships, as well as potential dirt, on everyone who has worked for the US gov't (including many many contractors) for the past 15 years.
The order implies that Apple is capable of delivering a remote update, or that forcing an update locally is possible if you have physical access. It also implies that portions of the security models are enforced by software that is vulnerable to "update", such as the wipe-after-ten-tries (presumably that code will be replaced with a no-op) and the code entry delay in excess of that which is enforced by hardware.
Whether Apple is compelled to do this or not, the natural concern is "well how much of my data is shielded by math, how much by hardware, and how much by software"?
You can't bargain with math, you have a devil of a time working out hardware, and software along is meaningless as a defense.
It appears that your best bet for security is either:
1)- A multi-character password that is easy to enter (and you'll remember it if its your phone password, lol), but reasonably short. This is if you trust that the 80ms hardware delay can't be broken. This precludes the use of 4 and 6 digit PINs, as a 4 digit PIN will usually fall after a few minutes of this treatment, and a 6 digit PIN after around half a day. An 8 digit password consisting of a completely random set of just the visible lowercase letters (aka, no actual english words) at this rate is hundreds of years, and adding stuff that's harder to enter quickly (capitals, numbers, special characters) makes it much more secure, as does lengthening the password slightly. The challenge here is that passwords are usually chosen to be words, greatly reducing the entropy. And again, this assumes that the 80ms hardware delay is not defeatable.
2)- A fully secure crypto passhprase. This is the level of drama you would go through to password protect a drive or something you take very seriously, and as such it would be a lot more than 8 characters. Your passphrase is long, contains several unpredictable parts, and makes use of more than just a statistically predictable subset of words and characters. You can set this on the iphone, of course, but this kind of protection is not trivial to type in. In this case, you are trusting the math only, however, and assuming that the software will be compelled by the government, and the hardware will be owned by a team skilled in this matter.
Going forward, Apple should probably move the "erase after 10 tries" into the secure portion of the phone, such that it has a protected portion that can't be overwritten without access to the PIN. This will also make them immune to this sort of order in the future.
I presume that some congressman pushed the FBI to make this request out in the open just for the purpose of fighting it in court. All in all it's a good thing. Defending civil rights and all that.
But if the FBI ACTUALLY wanted this information they would have simply given Apple a gag order along with it. Or asked the NSA to do that for them. It's even their purpose, fighting terrorism, right? This falls SQUARELY under the domain of shit they've strong-armed and gagged companys into helping them with. The fact that we're even hearing about it has to be some sort of process manipulation.