Slashdot Mirror


FBI May Be Opening A Security Hole To Federal Agencies (computerworld.com)

Lucas123 writes: In its rush to gather information, the FBI blew its chance to retrieve data from the iPhone of one of the San Bernardino terrorists when it ordered his iCloud passcode to be reset shortly after the attacks. Now in its fervor to force Apple to create software that can break its own encryption algorithm, the FBI may be opening a security hole to federal agencies. Over the past four years, the federal government has largely shifted its use of mobile devices from Blackberry to iPhones. One major reason for that is -- you guessed it -- the strong native security. If Apple creates an iPhone skeleton key, it not only threatens the public's privacy, but the security of the federal government as well.

98 of 152 comments

  1. Pandora's box by turkeydance · · Score: 3, Funny

    how's that Hope thing working out?

    1. Re:Pandora's box by Anonymous Coward · · Score: 1

      Pretty well. Those that were buying into Hope And Change are still hoping. They got eight years of hope out of it, that's pretty good and hoping feels so much better than changing/doing anyway.

    2. Re:Pandora's box by Xenx · · Score: 2

      I think I'd still take the empty hand over the full one.

    3. Re:Pandora's box by donaldm · · Score: 2

      Since this is an American issue, so far I think the saying "Hoisted with one's own petard" applies here. Unfortunately sometimes American issues become world wide problems.

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
    4. Re:Pandora's box by silentcoder · · Score: 1

      Did we just see a conservative basically admitting that Romney as president would have been a shitty outcome ?

      Well he was a supporter of trickle-down, which was formerly known as Horse-and-Sparrow economics. The metaphor being that "if you feed the horses well the sparrows can get by on the seeds in their droppings". So it kind of comes full circle - the term "horse-and-sparrow" fell out of favor after somebody pointed out the problem with it: the poor are *literally* expected to eat horseshit.

      --
      Unicode killed the ASCII-art *
    5. Re:Pandora's box by MitchDev · · Score: 1

      Easy to enact change when the opposition party says "We aren't going to do our jobs, we are just going to oppose EVERYTHING!"

    6. Re:Pandora's box by Coren22 · · Score: 1

      Hard to enact any of that change when one side fails to propose any of their changes beyond "We need immigration reform!"

      You blame the republicans for failing to come up with bills for the president to veto, while the president completely fails to propose anything to them to pass or not.

      You are also talking about the president that refused to negotiate when negotiation was the only way to get what he wanted.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    7. Re:Pandora's box by MitchDev · · Score: 1

      Ah, you're a far-right republican, I see (just as bad as a far-left democrat)
      No reason to bother trying to talk to you

    8. Re:Pandora's box by Dcnjoe60 · · Score: 1

      In the US, it takes Congress to pass legislation which is the part that creates change. The person at the top sets the vision, but Congress makes it happen or in this case keeps it from happening. So, regardless of Obama, if your complaint is lack of change, that would be the Congress, which is predominately the Republican Party. There is an election coming up, where you have not only the opportunity to change the person at the top, but those who stymied any change for the last eight years.

    9. Re:Pandora's box by Coren22 · · Score: 1

      Nice to see you dismiss others' opinions. No, I am not a republican.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    10. Re:Pandora's box by eric_harris_76 · · Score: 1

      The Republicans didn't always control the Congress. What about before then?

      --
      There's no time like the present. Well, the past used to be.
    11. Re:Pandora's box by MitchDev · · Score: 1

      Filibustered their asses off, and they still controlled key committees

    12. Re:Pandora's box by eric_harris_76 · · Score: 1

      Gosh, how'd they retain control of key committees if they weren't the majority party?

      Golly. I bet the Democrats eliminated the ability to filibuster, first chance they got, right?

      --
      There's no time like the present. Well, the past used to be.
    13. Re:Pandora's box by MitchDev · · Score: 1

      Yawn, go suck Trump's dick elsewhere child. The adults are talking here.

  2. "skeleton key" by Anonymous Coward · · Score: 1

    explain how allowing the FBI to brute force individual iPhones in a lab setting constitutes creating a "skeleton key" that poses a risk to iPhones in the wild? I still haven't heard a remotely plausible explanation of how this happens without some seriously high level industrial espionage of the type that could render iPhones vulnerable *anyway* without Apple ever doing a thing to assist law enforcement? -Love, Legal.Troll

    1. Re: "skeleton key" by O('_')O_Bush · · Score: 1

      The issue is confused. The system is designed to prevent brute forcing, which is what the FBI originally wanted to do, but their recent calls have been for legislation to require tech companies to put in a back door to circumvent the encryption and only accessible by the device creators (yea, good luck with that).

      --
      while(1) attack(People.Sandy);
    2. Re:"skeleton key" by Nethemas+the+Great · · Score: 3, Informative

      The security of the iPhone is hinged upon OS binaries signed by an Apple security certificate. The FBI wants Apple to sign and/or produce binaries with weakened security. Having achieved this, the FBI and all parties in possession of said binaries simply have to swap out the old secure binaries for their version since the phone trusts anything signed by Apple.

      --
      Two of my imaginary friends reproduced once ... with negative results.
    3. Re:"skeleton key" by Anonymous Coward · · Score: 2

      The skeleton key applies to the court system. If the court forces Apple to open this phone, the FBI will start filing motions to open thousands of other phones. Sort of like FISA I imagine it being a rubber stamp process.

    4. Re:"skeleton key" by AHuxley · · Score: 4, Informative

      The House Committee on the Judiciary Hearings, The Encryption Tightrope: Balancing Americans’ Security and Privacy (Streamed live on Mar 1, 2016)
      https://www.youtube.com/watch?...
      Try around the 4:05 point in. 200 phones are in line for the same skeleton key needs. As mentioned, that federally demanded, universal "skeleton key" will be ready as an overlap for State and Federal courts :)

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re: "skeleton key" by Cramer · · Score: 3, Informative

      Nope. Companies are creating things LEOs cannot defeat. (and in the case of iPhones, something even Apple cannot defeat. Unless they start recording the UIDs of every device.)

    6. Re: "skeleton key" by zieroh · · Score: 4, Interesting

      Except, of course, the court order specifically allows for Apple to NOT give the binaries to the FBI and the FBI requested it that way to address exactly that issue. But hey, I just read the writ, not the bullshit lies on the Internet.

      Okay, I'll bite.

      What happens the next time the FBI (or any other LEA) has an iPhone that they need information off of? The FBI has divulged that there already exist about a dozen phones that need breaking. They have also admitted -- in public testimony -- that this case would set a precedent.

      So please tell me, specifically: how exactly is this just about a single phone, when the actual head of the actual FBI has admitted that it is categorically NOT about a single phone?

      --
      People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
    7. Re:"skeleton key" by MobileTatsu-NJG · · Score: 4, Insightful

      Apple hasn't written the software they need to do it. It doesn't exist right now. Once they write it, it's written. Precedent is set and a floodgate of requests will begin and there won't be much Apple can do to make them stop.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    8. Re: "skeleton key" by AHuxley · · Score: 5, Informative

      AC the "revoke" issue won't work to try and keep it for "one" physical. The request is for code that is on a drive that is given to the US gov. The computer code can then be used to open product lines at a state and federal level.
      The code as a method on a computer hard drive is being conscripted for a generation of phones, not one physical phone.
      Again the House Committee on the Judiciary Hearings, The Encryption Tightrope: Balancing Americans’ Security and Privacy (Streamed live on Mar 1, 2016)
      https://www.youtube.com/watch?...
      4:44 and onto 4:45 has the details on the request made.
      Tool was to be put on a hard drive.
      Hard drive with the new tool was to be sent to US gov.
      A gov computer would then perform the task. Portable, reusable.
      More details at (March 2, 2016)
      http://nypost.com/2016/03/02/f...
      “The request we got from the government in this case is, ‘Take this tool and put it on a hard drive, send it to the FBI,’ and they’d load it onto their computer,”

      --
      Domestic spying is now "Benign Information Gathering"
    9. Re:"skeleton key" by aaarrrgggh · · Score: 1

      Doesn't matter; with the legal precedent set and complied with Apple cannot refuse in the future. It is three branches of government conspiring together to force Apple (and everyone else) to be able to break their devices.

    10. Re:"skeleton key" by davester666 · · Score: 1

      Well, you can bet the FBI will do everything they can to copy the OS off the iPhone to try to use it on similar model phones. And the NSA just might happen to walk by and see what's up with the FBI's new toy. And then they will 'happen' to have one of each different model iPhone needing to be unlocked.

      The NSA MIGHT be competent enough to be able to control its use if they got it, the FBI is lucky if they can prevent the general population from poking around in their databases.

      --
      Sleep your way to a whiter smile...date a dentist!
    11. Re: "skeleton key" by meerling · · Score: 5, Insightful

      They didn't refuse to cooperate, they refused to engage in the process to develop a tool to defeat their own security system.
      It's kind of the difference between giving a mugger your wallet when he demands it, and bringing him to the bank to cosign for his Small Crime Business Loan then babysit his kids for a few hours while he goes and mugs some other people.

    12. Re: "skeleton key" by meerling · · Score: 1

      So, does anyone remember how when the bullshit stuff they kneejerk passed over 911 basically let the cops get away with a lot of bullshit, but they swore up and down that it would never be abused or used for anything other than terrorist related stuff, and that it could be even if they wanted to?
      So anyhow the feds have been going around to the local cops for several years now teaching them how to use that 'anti-terrorist' stuff to apply to virtually anyone and get away with a ton of shit they aren't supposed to be doing in the first place.
      What makes you think this will be any different?
      Besides, this isn't a one time thing in Apple's control if Apple gives in.
      It will kill trust in Apple's security, that'll hurt the company.
      Since it will have been done once, it suddenly becomes easier to duplicate by someone else, even if they don't eventually get their hands on that 'restricted code' because no matter how careful people claim to be with digital files, they always seem to leak.
      Don't forget as well that this will create a precedent, and then the government will just demand that the security cracker be used pretty much anytime the cops/feds/whatever can't figure it out, or would rather go have a second donut instead of doing the work.
      No matter how you slice it, developing a way to bypass the security of that dead man's phone so they can root around and maybe find clues of some other criminal activity or person that may never have existed is a really bad idea, unless you jerk off to 1984 on an hourly basis.

    13. Re: "skeleton key" by silentcoder · · Score: 1

      If what they were doing was not *exactly* in agreement with the will of the people (you know - those guys whose consent you're supposed to have for governing them) - then it would be a piss-poor marketing strategy, akin to an ad saying "Buy an apple, we rape children for cheap labour to make them". Of course they do, in fact, do that - but they would never put it in an ad - it's a bad marketing strategy to tell the public something they don't want to hear.

      Clearly then the public DOES want to hear: "We refuse to make it easy for the government to read your texts".

      And since the government is supposed to work FOR the taxpayers and voters, they may want to start listening to what the boss is telling them.

      --
      Unicode killed the ASCII-art *
    14. Re: "skeleton key" by silentcoder · · Score: 1

      I keep reading that analogy, but it makes no sense... there's no car in there anywhere !

      --
      Unicode killed the ASCII-art *
    15. Re:"skeleton key" by silentcoder · · Score: 2

      You, and the FBI, are assuming that Apple is even capable of writing such software.

      I'm not so convinced. Bruce Schneier has frequently said: "Anybody can create a security system he himself cannot break", his point is in favour of open security and encryption standards of course - the point of a security system is that somebody else shouldn't be able to break it, being unable yourself is no evidence of that. But it also has some legitimacy as a more direct claim.
      Apple was responding to the market pressures that came post-Snowden in particular, and the best response was to make that thing as secure as their best engineers could figure out how to do - which, by definition, is a system MORE secure than their best engineers can figure out how to BREAK.

      The odds are, in fact, quite strongly against Apple actually having the skills to do what they are being asked - though I doubt they would readily say that in public, computer security engineers would understand it but the public may well fail to understand it. The last thing you want to do is make a public statement that sounds to customers like you're declaring yourself incompetent.
      It would, to experts, however mean the opposite - it would mean they had been sincere when trying to build the most secure system they could. The most secure system anybody can build is a system more secure than they themselves can break.

      --
      Unicode killed the ASCII-art *
    16. Re: "skeleton key" by buck-yar · · Score: 1

      Most people aren't tin foil hat people that through paranoia think the govt is spying on them.

      And most are OK with govt monitoring communications for terrorist/criminal activity. Maybe you missed the NSA poll? https://www.washingtonpost.com...

    17. Re: "skeleton key" by silentcoder · · Score: 2, Insightful

      I've always been hugely in favour of jailing CEOs. If the company commits a crime for which *I* would go to jail, then their fucking CEO should be sharing a cell with me.

      How ironic that the first time it may actually happen - it's because of refusing to do something which shouldn't be a crime and is actually GOOD for the public... where was this zealous law enforcement against the fraudulent banksters in 2008 ? Where was this for all the companies that dumped toxic shit in people's drinking water ? Where's this "jail the CEO" desire for the executives at VW ?

      Hell, Apple has done a lot of shit I think Cook OUGHT to be in jail for - their use of child-labor in unsafe sweatshops is near the top of that list. But the first glimpse that Cook may actually serve time it's a possible contempt charge for a rare occasion of a corporation actually doing the RIGHT thing (for utterly selfish reasons of course).

      --
      Unicode killed the ASCII-art *
    18. Re: "skeleton key" by Anonymous Coward · · Score: 1

      Most people aren't tin foil hat people that through paranoia think the govt is spying on them.

      And most are OK with govt monitoring communications for terrorist/criminal activity. Maybe you missed the NSA poll? https://www.washingtonpost.com...

      That is an interesting article. The poll says that 2/3 of Democrats are in favour of the government having the ability to invade privacy, compared to 1/2 of Republicans, with a Democrat in office. With a Republican in office, it was 1/3 of Democrats and 3/4 of Republicans. It is also all about invasion of privacy specifically to thwart terrorism, one of the least likely things to kill you. How would people respond to government monitoring of your drinking, smoking, eating or driving habits?

      The only conclusion I came to from reading it is that people are idiots.

    19. Re: "skeleton key" by kilfarsnar · · Score: 1

      That's only because companies are resolutely refusing to cooperate with lawful investigations. Law enforcement really has no other choice but to request legislation that prevents companies from saying either (1) "we refuse to cooperate with you", or (2) we have rendered ourselves unable to cooperate with you

      Yes, they can request legislation. But that's not what they are doing. They are looking for a court to force Apple to comply, no legislation involved.

      --
      "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
    20. Re: "skeleton key" by kilfarsnar · · Score: 1

      yes that was included under (2) "we have rendered ourselves unable to cooperate with you". Since that is what Apple is doing, that is what the law enforcement agencies have asked to be defeated via legislation.

      No, this is incorrect. Law enforcement agencies are asking a court to force Apple to create new software. They are not asking for new legislation.

      If it is, Apple doesn't get to decide not to cooperate. It has to build its new phones how the law says. They can avoid the threat of such legislation by not refusing to grant access to the phone of a terrorist mass murderer as a matter of marketing strategy.

      Where is the law that says a company must produce whatever software tools the government requires?

      --
      "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
    21. Re: "skeleton key" by kilfarsnar · · Score: 1

      Most people aren't tin foil hat people that through paranoia think the govt is spying on them.

      However, the government is spying on them, regardless of their level of paranoia about it.

      And most are OK with govt monitoring communications for terrorist/criminal activity. Maybe you missed the NSA poll? https://www.washingtonpost.com...

      That's because they lack imagination. They probably think they have nothing to hide and therefore nothing to fear. Anyone posting here should understand that reasoning to be fallacious.

      --
      "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
    22. Re:"skeleton key" by Khyber · · Score: 1

      "I'm not so convinced. Bruce Schneier has frequently said: "Anybody can create a security system he himself cannot break""

      Which goes against the convention any ACTUAL engineer knows by heart: Man can make it, man can break it, there are no exceptions.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    23. Re: "skeleton key" by silentcoder · · Score: 1

      And how many international standards hashing algorithms have you written ? This is like some guy who just built a barbeque pit calling the designer of the Golden Gate bridge "not an actual civil engineer"

      --
      Unicode killed the ASCII-art *
    24. Re: "skeleton key" by painandgreed · · Score: 1

      I keep reading that analogy, but it makes no sense... there's no car in there anywhere !

      Apple Cars has built a car that is sold via retailers. One person who bought such a car committed a crime then died. (Really, it was his company car, but anyway...). The cops think there are things in the trunk that might be evidence that somebody helped him commit the crime but the trunk is locked by a programmed code set by the owner of the car. A feature of the iCar, is that the trunk can only be opened with the code while the engine is running and if the trunk is broken into or the wrong code is entered into the trunk keypad too many times, the gas tank explodes, destroying everything in the trunk. The cops could try and remove the gas tank and then break in, but the chances are they'll set fire to the gas tank and trunk in doing so. So, what the FBI wants, is for Apple Cars to build a new engine that has its own internal gasoline supply so it can run as well as a special pump to empty the gas tank under the trunk. Apple Cars does not have such an engine, so to provide one, they would have to have professional automotive engineers design a new engine, make sure there were no bugs, build it in their engine factories, test it on other iCars, and then have their own mechanics do the engine swap, so all the FBI has to do is use their automated key pad button pushing machine till the trunk opens (and blame Apple Cars if anything goes wrong).

    25. Re: "skeleton key" by Khyber · · Score: 1

      The same has been said for almost every encryption method since the beginning of time.

      Almost every one has been broken.

      One only needs to look at history to learn from it. Actual field experience is not required.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    26. Re:"skeleton key" by Hotawa+Hawk-eye · · Score: 1

      One possibility that requires just a little sloppiness on the part of the FBI and a little sneakiness on the part of the attacker: The next time the FBI wants to access a phone like this, the owner of the phone implanted a sort of trojan horse that recorded the information about the vulnerability the FBI used to access the phone and either phones home immediately (is the FBI diligent about keeping the phone in a Faraday cage?) or waits until the phone has network access and then phones home.

    27. Re: "skeleton key" by Hotawa+Hawk-eye · · Score: 1

      Do you expect the mugger to walk all the way to the bank???

    28. Re: "skeleton key" by Hotawa+Hawk-eye · · Score: 1

      Then Apple will release a press release saying that due to the judge's decision (and they will include the name of the judge in the statement) they cannot, in good conscience, sell their products in the US any longer if they will be forced to compromise the security of those devices. If they really want to twist the knife, they will inform the relevant government agencies in California (including both US senators) that they're moving (or even just considering moving) their headquarters out of California and out of the United States.

      The public starts screaming for the judge's head.

      The senators and the governor start screaming at the judge about the loss of jobs and revenue if Apple does pull out of the state.

      Canada and Mexico start salivating at the thought of Apple moving there (I think Mexico's closer but more dangerous.)

    29. Re: "skeleton key" by silentcoder · · Score: 1

      You utterly misunderstood the quote. It is not suggesting that anybody can create an unbreakable cypher. In fact it means the exact opposite of what you are arguing against. It means being unable to break your own cypher doesn't mean it's even a little hard to break. You need lots of people trying to break it in order to get a decent one.

      --
      Unicode killed the ASCII-art *
    30. Re: "skeleton key" by Agripa · · Score: 1

      What happens the next time the FBI (or any other LEA) has an iPhone that they need information off of? The FBI has divulged that there already exist about a dozen phones that need breaking. They have also admitted -- in public testimony -- that this case would set a precedent.

      So please tell me, specifically: how exactly is this just about a single phone, when the actual head of the actual FBI has admitted that it is categorically NOT about a single phone?

      Does anything in the court order prevent Apple from destroying the binaries and source after providing the contents of the iPhone to the FBI? If so when the next request comes in, the court can order them to produce the software again and Apple can start over with development. The way I understand it, the court order also requires the FBI to reimburse Apple for the effort so that could get expensive for law enforcement quickly.

  3. As if it matters by 93+Escort+Wagon · · Score: 4, Insightful

    Given how thoroughly large government organizations keep getting hacked - such as we've recently seen with the OPM and IRS - it's not as if there's any information on government employees' phones which isn't already in the hands of the Chinese, Russians, and various criminal syndicates.

    --
    #DeleteChrome
    1. Re:As if it matters by Thanshin · · Score: 1

      it's not as if there's any information on government employees' phones which isn't already in the hands of the Chinese, Russians, and various criminal syndicates.

      It has to be frustrating, from a Chinese hacker point of view. You do your job, hack the super important secret agency chief's phone... And everything you get is a dupe because the guy in the next cubicle already hacked the thing last week.

      Hopefully, Slashdot has prepared him for years to deal with the frustration of reading the same "new data" over and over.

  4. No Skeleton Key by seawall · · Score: 2

    Apple rather slickly has each update of each recent iOS be specific to a phone. ONE physical phone. Probably to prevent the skeleton key scenario.

    Each "copy" (not really an appropriate word here) of the update is unique (I don't know the details) which makes it hard to just use the same binary on every phone. Each "copy" only works on one phone.

    1. Re:No Skeleton Key by Anonymous Coward · · Score: 1

      The skeleton key is the update code just before Apple makes it phone-specific.

  5. So I was watching the X-Files... by ChunderDownunder · · Score: 4, Funny

    I find it hard to take the FBI seriously on iPhones when their own IT department's security is so lax.

    Agent Mulder's work issued computer didn't even have a password protected lockscreen when the machine was idle. Thank goodness it was only Scully/Miller/Einstein - anyone from a double agent to a passer-by such as a cleaner or a vending machine technician could have accessed sensitive, classified information.

    1. Re:So I was watching the X-Files... by silentcoder · · Score: 1

      I think Mulder's computer security relied on nobody knowing there was a computer in that room... I'm pretty sure each department of janitorial staff thought the door to Mulder's office was actually a supply closet used by one of the other janitorial departments.

      --
      Unicode killed the ASCII-art *
    2. Re:So I was watching the X-Files... by silentcoder · · Score: 1

      Actually... to be serious... did any OS even *have* password protected lock-screens c.a. 1993 ? I don't recall any - and certainly none that had it by default.

      --
      Unicode killed the ASCII-art *
    3. Re: So I was watching the X-Files... by silentcoder · · Score: 1

      Ok. Never used that.

      --
      Unicode killed the ASCII-art *
    4. Re:So I was watching the X-Files... by tlhIngan · · Score: 1

      Actually... to be serious... did any OS even *have* password protected lock-screens c.a. 1993 ? I don't recall any - and certainly none that had it by default.

      I'm certain at least TWO did. Unix (and Unix-like) and Windows NT. Unix with their X terminals often had a lock function implemented as part of xdmcp or something, and NT3.5 was already a multiuser OS. Granted though, NT 3.5 looked a lot like Windows 3.1, so there may have been apprehension since you expect it to crash...

  6. There is already a back door. by TsuruchiBrian · · Score: 3, Informative

    If it is possible for Apple to "create a backdoor" after the fact, then that itself is a back door. The FBI wants Apple to release a version of its OS that can disable certain security features and push that update out to the terrorist's phone without any confirmation from the (now deceased) user. Apple seems to confirm that this is indeed possible and has said that it would be dangerous to even create this version of its OS because it might fall into the wrong hands and be abused. I would argue that it is already in the wrong hands, because it is in the hands of Apple, and even if Apple fights the FBI, they may be forced by a court to cooperate.

    What Apple *should* do (and should have already done), is to create a security system that they would not have the ability to help the FBI hack into. They have already indicated they are working on this.

    The iOS security is already broken. The only thing keeping the FBI from cracking it, is their own incompetence, and Apple's limited will to challenge the government. I doubt many people at Apple are willing to go to jail over this (nor should they be).

    My advice to Apple, is to help the FBI hack into this phone, and come out with a real security system that is actually secure.

    1. Re:There is already a back door. by Nethemas+the+Great · · Score: 1

      They'd lose face with their global customers.

      --
      Two of my imaginary friends reproduced once ... with negative results.
    2. Re:There is already a back door. by TsuruchiBrian · · Score: 2

      They could do it in the opposite order (come out with a good security system, and then give the FBI the skeleton key that only works on phones that haven't yet been updated to the new system). I would be much happier with Apple if they did this than if they didn't.

    3. Re:There is already a back door. by tkrotchko · · Score: 1

      "What Apple *should* do (and should have already done), is to create a security system that they would not have the ability to help the FBI hack into. They have already indicated they are working on this."

      Precisely. I can think of at least two ways to do this that would make the "skeleton key" scenario moot. One of those ways would make brute forcing impossible, but would require significantly greater processor power and memory.

      --
      You were mistaken. Which is odd, since memory shouldn't be a problem for you
    4. Re:There is already a back door. by TsuruchiBrian · · Score: 1

      I think a simple solution would be to require the device to be unlocked and require user confirmation to perform an OS update.
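The update-trust argument running through this thread (an image is accepted because it is vendor-signed, updates are personalised to one phone, and the proposal to require an unlocked device plus user confirmation) can be modelled as below. This is an added example, not code from any commenter or from Apple; HMAC with a constructed key stands in for the vendor's signature, and the `Device`, `Update`, `Policy` and `evaluate` names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed demo key. HMAC is only a stand-in for the vendor's signature:
# a real device would hold a public key and could not sign anything itself.
VENDOR_KEY = b"constructed-demo-vendor-key"


def vendor_sign(image: bytes, device_id: Optional[str]) -> bytes:
    """Sign an image; with device_id set, the signature also covers that ID."""
    msg = hashlib.sha256(image).digest() + (device_id or "").encode()
    return hmac.new(VENDOR_KEY, msg, hashlib.sha256).digest()


@dataclass
class Update:
    image: bytes
    signature: bytes
    bound_to: Optional[str] = None  # device the vendor personalised it for


@dataclass
class Device:
    device_id: str
    unlocked: bool = False
    user_confirmed: bool = False


@dataclass
class Policy:
    require_device_binding: bool = False      # signature must cover MY device ID
    require_unlock_and_consent: bool = False  # owner must unlock and approve


def evaluate(device: Device, update: Update, policy: Policy) -> Tuple[bool, str]:
    """Decide whether this device installs the update under the given policy."""
    if policy.require_device_binding:
        # Recompute over the device's own ID, so a generic image or one
        # personalised for another phone cannot verify here.
        expected = vendor_sign(update.image, device.device_id)
    else:
        # "Anything the vendor signed is trusted": binding is not checked.
        expected = vendor_sign(update.image, update.bound_to)
    if not hmac.compare_digest(expected, update.signature):
        return False, "signature does not verify for this device"
    if policy.require_unlock_and_consent and not (
        device.unlocked and device.user_confirmed
    ):
        return False, "device is locked or the user has not confirmed"
    return True, "accepted"


def run_scenarios() -> Dict[str, bool]:
    """Evaluate constructed updates against three policies."""
    image = b"constructed image with weakened protections"
    generic = Update(image, vendor_sign(image, None))
    for_a = Update(image, vendor_sign(image, "DEVICE-A"), bound_to="DEVICE-A")
    tampered = Update(image + b"!", for_a.signature, bound_to="DEVICE-A")

    locked_a = Device("DEVICE-A")
    locked_b = Device("DEVICE-B")
    consenting_a = Device("DEVICE-A", unlocked=True, user_confirmed=True)

    signed_only = Policy()
    bound = Policy(require_device_binding=True)
    bound_consent = Policy(require_device_binding=True,
                           require_unlock_and_consent=True)

    cases = {
        "signed_only/generic/locked_B": (locked_b, generic, signed_only),
        "signed_only/for_A/locked_B": (locked_b, for_a, signed_only),
        "bound/generic/locked_A": (locked_a, generic, bound),
        "bound/for_A/locked_B": (locked_b, for_a, bound),
        "bound/for_A/locked_A": (locked_a, for_a, bound),
        "bound/tampered/locked_A": (locked_a, tampered, bound),
        "bound_consent/for_A/locked_A": (locked_a, for_a, bound_consent),
        "bound_consent/for_A/consenting_A": (consenting_a, for_a, bound_consent),
    }
    return {name: evaluate(*args)[0] for name, args in cases.items()}


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:36s} {'ACCEPT' if accepted else 'REJECT'}")
```

Device binding narrows a signed image to one phone but still lets the signer target a locked device; only the unlock-and-consent rule takes that decision away from the signer.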

    5. Re:There is already a back door. by BitterOak · · Score: 1

      My advice to Apple, is to help the FBI hack into this phone, and come out with a real security system that is actually secure.

      The problem with this is once Apple successfully helps the FBI crack this phone, it will set a pattern of sorts, establishing a certain type of relationship between Apple and Law Enforcement. If Apple later threatens to create an OS which can't be hacked in this way, it would give the FBI the ammunition they need to go to Congress and ask for legislation to ensure that Apple can continue to provide this help to them in the future. The FBI can just say "Apple has helped us in the past, and now they're deliberately taking steps to make it impossible for them to keep providing the help they've been giving us all along. Protect the status quo and pass this legislation now." If Apple or anyone else complains, the FBI can respond by saying, "But Apple has been helping us crack phones all along and the sky didn't fall on our heads. All we want is the ability to keep doing what we've been doing." It might be hard to argue with that.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    6. Re:There is already a back door. by TsuruchiBrian · · Score: 1

      On the contrary, I think Apple would be able to say "We are literally helping as much as we can" (which is not very much since the system is very secure). As opposed to "We are purposefully not helping because if we did, the FBI would actually get what they want and a lot more".

      Not to mention the fact that lots of people in the government actually use these phones, and having them be secure (even from Apple) is probably a good thing. It means that the data belonging to government agencies is safe, even in the event that Apple is hacked.

    7. Re:There is already a back door. by Dog-Cow · · Score: 1

      Have you thought that through. At all?

    8. Re:There is already a back door. by Plumpaquatsch · · Score: 1

      On the contrary, I think Apple would be able to say "We are literally helping as much as we can" (which is not very much since the system is very secure). As opposed to "We are purposefully not helping because if we did, the FBI would actually get what they want and a lot more".

      But they are already helping the FBI as much as they can and have to, and if the FBI hadn't destroyed an easy way to acquire evidence by forcing the San Bernardino County to reset the iCloud password for the phone, they'd already have the information.

      --
      Of course news about a fake are Fake News.
    9. Re:There is already a back door. by TsuruchiBrian · · Score: 1

      Yes, have you?

    10. Re:There is already a back door. by TsuruchiBrian · · Score: 1

      They are not helping the FBI as much as they can, because they are not creating the backdoor that the FBI wants. I want Apple to be able to help the FBI as much as they can. And if they remove the back door, Apple can try to help the FBI crack passwords as much as they can, and it won't compromise the security of other users.

    11. Re:There is already a back door. by Plumpaquatsch · · Score: 1

      They are also not giving the FBI a blow job, and they do seem to need one. Wanna force Apple to do that too?

      --
      Of course news about a fake are Fake News.
    12. Re:There is already a back door. by TsuruchiBrian · · Score: 1

      I never suggested Apple be forced to do anything.

  7. Yeah, it was security that motivated them... by MikeRT · · Score: 1, Interesting

    As opposed to the fact that most of the federal employees who got an iPhone just wanted one a lot more than a BlackBerry 10 phone. Which is a shame, really, because my Z10 is the best phone I've ever owned including my previous two iPhones. BlackBerry has the only MDM with an ATO from the DoD. If security were the primary motivation, they'd have standardized on BB10 phones with BlackBerry BES.

    1. Re:Yeah, it was security that motivated them... by LostMyBeaver · · Score: 4, Informative

      I'll address this in a few parts.

      1) BB was a good platform for its time. Its near absolute inflexibility from a development perspective made it a good platform for security since it was hard enough to code, it was pretty hard to hack. Palm Pilot wasn't bad either in its time.
      2) BB10 is not BB. It is based on QNX which (I have extremely extensive experience coding for at a system level in direct coordination with QNX themselves) and is otherwise an entirely new operating system consisting of millions of lines of code produced by hundreds of developers over a short span of a few years.
      3) To suggest that much new and untested code (no it hasn't been) is sheer silliness and doesn't belong in a forum for people who claim to understand technology. It is mathematically impossible to develop that much code that fast with that many people and have a secure platform.

      So, let's talk about this... an iPhone and a Blackberry compared side by side are equally insecure. Sure, the obvious routes probably aren't a problem, but hackers don't use obvious routes... well sometimes they do... depends on what you consider obvious :)

      I have always hated people saying things like "I don't even run antivirus, I'm running a Mac. Unlike a PC, it's secure!". I would respond "Just because no one is openly hacking it currently doesn't mean it's secure".

      BES is secure until the messages hit the phones. Once they reach the phone, all security is absolutely gone. Secure messages require secure keys. Secure keys are 3072 bits or longer (for now according to the NSA... this means they can crack 3072 but they believe others can't). Unless you are manually typing 768 hexadecimal characters into the phone every time you log in to use BES, the key used for decrypting your messages is stored on the phone somewhere.

      The key to decrypt the keys is probably a pin code or possibly up to a 10 character password convenient to type on the BB keyboard without too many shifts, controls, etc...

      If I can locate the store of the key, locate the code to decrypt the key, find the location of 2 or more messages which contain headers (all do), then with the proper computational power, I can obtain the key to decrypt all messages stored by BES on the phone. It's only a matter of CPU. While the number of possible passwords to decrypt the keys increases exponentially with each character in length, the fact a laptop can crack 6 characters in a few seconds, 8 characters in about 10 minutes, throw 65536 CPUs or a few FPGAs at the problem and it would do 10 characters in about 10 minutes.

      I have never figured out why so many idiots think that BES is secure... to decrypt messages, the phone has to be storing the information required to decrypt them. At some level there must be a way to read the messages and the security isn't as strong as the door and the lock securing it. It's as strong as the box next to the door holding a spare key that is guarded by a simple code.

    2. Re:Yeah, it was security that motivated them... by ControlsGeek · · Score: 1

      From Wikipedia "The product was originally developed in the early 1980s by Canadian company Quantum Software Systems, later renamed QNX Software Systems and ultimately acquired by BlackBerry in 2010.[1] QNX was one of the first commercially successful microkernel operating systems[citation needed] and is used in a variety of devices including cars[2] and mobile phones."
      So ... not developed in a short span of a few years.

      BB10 has FIPS 140-2 certification

      "The company said its BlackBerry 10 platform has received the FIPS 140-2 certification that would allow government agencies to deploy the devices, along with the new enterprise management platform on which they run, as soon as the new smartphones are launched.

      Waterloo, Ontario-based RIM said this is the first time BlackBerry products have been FIPS certified ahead of launch".

      http://business.financialpost....

    3. Re:Yeah, it was security that motivated them... by Anonymous Coward · · Score: 1

      " Unless you are manually typing 768 hexadecimal characters into the phone every time you log in to use BES, the key used for decrypting your messages is stored on the phone somewhere."
      The encryption software module generates the keys; you never have to type them in. The keys are changed every 24 hours so if you do manage to crack the encryption key you are only able to decrypt messages sent during that 24 hour period.

  8. Ah, by no-body · · Score: 1

    here is the famous shoot in the foot again :-))

    Nice to see...

    1. Re:Ah, by silentcoder · · Score: 1

      Actually, this is more in the grand tradition of the circular firing squad.

      --
      Unicode killed the ASCII-art *
  9. Living in a fantasy world by Black Parrot · · Score: 1

    where we have strong security that nobody but the good guys can break.

    Your government communications and data stores are secure, approved business communications and data stores are secure, but everything else can be decrypted on demand.

    Wonder when non-IT businesses are going to realize they have a dog in this fight.

    --
    Sheesh, evil *and* a jerk. -- Jade
  10. Not My Job by PPH · · Score: 1

    Protecting the U.S. government communications and information systems against penetration is part of the NSA's charter.

    Wait, what?! You guys were breaking encryption as well? Who was supposed to be protecting this stuff?

    --
    Have gnu, will travel.
  11. Damned propaganda mill. by pecosdave · · Score: 1

    "Missed their chance" - yeah right. The mainstream news is spreading this bullshit bad enough - do we really want Slashdot treating us like a bunch of navel-gazing know-nothings?

    --
    The preceding post was not a Slashvertisement.
  12. NSA-mandated requirements defeat FBI, essentially by bsDaemon · · Score: 3, Interesting

    I wrote something similar on this topic a few weeks ago for a blog post at work, though I went into more technical detail than TFA did:

    http://blog.acumensecurity.net...

  13. The Age of Anti-American American Agencies. by BrendaEM · · Score: 1

    Our founding fathers would be pissed.

    --
    https://www.youtube.com/c/BrendaEM
    1. Re:The Age of Anti-American American Agencies. by LostMyBeaver · · Score: 5, Insightful

      The founding fathers were just as big a bunch of dicks as the current lot. Often worse.

      The "justice for all" bullshit was because they were pissed at what British Parliament did to the colonies by taxing them. King George III wasn't able to do much more than watch from the side lines. He was pissed at them too.

      The truth is, more than half possibly 3/4 of the founding fathers probably would have hung Tim Cook and beat him until he cried like a girl and screamed "open it, open it".

      I always wondered if those guys were so great and wise and pure and all that shit... why would they write a constitution which more or less would so easily let the country devolve into some religion where we have now existed for decades without a single amendment to improve the document by modernizing it for the times? Where's the review requirement? We treat the document as an absolute as if it is perfect in every way and to question that is borderline treason. Where is the part of the document which would protect civil liberties regarding electronic data protection? It's not there because the founding fathers didn't absolutely require that the constitution is reviewed and updated.

      It was written by a bunch of pissy little bitches and a poet or two. They were all pissy at England and wrote a document to provide freedom from their oppressors for a million people or so and didn't give a shit whether it lasted 200 years in the future and certainly had no clue it would eventually be used to govern 400 million people from every country, race and religion as equals.

      If you want to be true to yourself, with a few exceptions, these guys were mostly soulmates with Donald Trump. They weren't wise, they weren't great, they didn't shoot lightning bolts from their eyes and they didn't shit daffodils when they sat upon the bowl. They were men who :
        a) Wanted to secure power for themselves and their families
        b) Represented a group of truly fucked up people who believed righteousness was the Salem Witch Trials.
        c) Believed black people were less valuable than dogs since you could love a dog.
        d) Believed that religious freedom meant you should be free to believe in any form of Christianity you want.
        e) The one odd ball or two who felt it was a chance to do something wholesome and good.

      Don't place politicians on pedestals. They might make impressive art, but they sure as hell are nothing more than people and very rarely are they more than sales people.

    2. Re:The Age of Anti-American American Agencies. by silentcoder · · Score: 2

      Well, they *did* intend for it to be reviewed and updated continuously. James Madison suggested it be reviewed by a major national congress based on referendums every 10 years.

      Their big mistake was not mandating that in the words - so now it's used like holy writ and its authors like prophets, exactly what they knew better than to want!

      --
      Unicode killed the ASCII-art *
    3. Re:The Age of Anti-American American Agencies. by Anonymous Coward · · Score: 1

      "We treat the document as an absolute"

      Well, duh. If you don't do that then it might as well not exist at all. If you treat it like it's just some flimsy list of "suggestions" then it becomes trivially easy to take away everybody's rights and you end up with a fucking totalitarian militarized nation.

    4. Re:The Age of Anti-American American Agencies. by Plumpaquatsch · · Score: 1

      ...and yet the nation they created became the most successful the world has ever seen.

      Which wouldn't have happened without Adolf Hitler. So unless you count him as one of the founding fathers ...

      --
      Of course news about a fake are Fake News.
    5. Re:The Age of Anti-American American Agencies. by Cro Magnon · · Score: 1

      Hitler made a wreck of Europe, but we were already a very successful country.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    6. Re:The Age of Anti-American American Agencies. by jittles · · Score: 1

      why would they write a constitution which more or less would so easily let the country devolve into some religion where we have now existed for decades without a single amendment to improve the document by modernizing it for the times? ... Where is the part of the document which would protect civil liberties regarding electronic data protection? It's not there because the founding fathers didn't absolutely require that the constitution is reviewed and updated.

      I believe that the part you're looking for is the 4th Amendment. That the current government does not honor the clause has nothing to do with the document itself, but the politicians and the voters who fail to hold them accountable for violating the constitution.

      They were men who : c) Believed black people were less valuable than dogs since you could love a dog.

      Not all of them. The reason slaves were treated as 3/5 of a person is the fact that the Northerners did not want the South to have undue influence from counting the population of people who could not vote and, under the compromises they came to, would never be able to vote until a later amendment of the constitution. We would have never had the Mason/Dixon line or the eventual Emancipation Proclamation had the South had its way.

      d) Believed that religious freedom meant you should be free to believe in any form of Christianity you want.

      I don't recall the constitution mentioning Christianity. I think it's the population that cares more than the government.

    7. Re:The Age of Anti-American American Agencies. by Plumpaquatsch · · Score: 1

      Hitler made a wreck of Europe, but we were already a very successful country.

      "A very successful country." is hardly the same as "the most successful the world has ever seen", Hitler destroyed several very successful countries and made the best scientists and artists flee to the US. The only country who has more to thank Hitler for is Israel.

      --
      Of course news about a fake are Fake News.
  14. not so strong by ooloorie · · Score: 1

    One major reason for that is -- you guessed it -- the strong native security

    If Apple can reset the pin count on their phones with a software update, the "native security" isn't so strong. And what that really means is that the FBI's data is owned by Apple, hardly a good situation.

  15. Re:Maybe I'm crazy but by LostMyBeaver · · Score: 1

    I don't remember if they have the feature, but don't they try to inform you when you've used a password before? If so, they probably keep the hash and wouldn't even need to use backups.

  16. What encryption algorithm? WTF? by Anonymous Coward · · Score: 1

    "Now in its fervor to force Apple to create software that can break its own encryption algorithm"

    It's doing no such thing. Could people please stop writing about this until they have the first clue about the actual issues involved here?

    They're not asking Apple to 'break its own encryption algorithm'. They're asking it to provide a customized operating system that disables the automatic lockout and delay while entering PIN numbers.

  17. Just one question remaining for Apple by Anonymous Coward · · Score: 1

    - Given an order to produce software, and that such a capability will demonstrably then exist.
    - Given a duty to maximize shareholder value.
    - Given a duty to comply with national laws.

    The only satisfactory solution appears to be to create the software for the first government that asks, and then to sell it to the Chinese, Germans, British, India, Brazil and anyone else.

    So the question is -- just how much should Apple charge the Chinese government for the back door, so they can at least establish a fair market value for subverting crypto? RSA took only 10M, and that was clearly undervalued. Should the back door be priced by per device, per nation, per policy agency? Unlocks per year? Are they cheaper in the bulk decryption package?

    CAPTCHA: latrines

  18. Re:From the Department of Obvious by dsmatthews9379 · · Score: 1

    As delusional as thinking the iPhone is currently secure from "state actors" (including foreign ones) if they physically get hold of it? Because that would be very delusional.

  19. Mobile Device Management by kenwd0elq · · Score: 2

    I suppose it's asking too much of the Feds to have properly implemented Apple's mobile device management protocols, so that when the next Ed Snowden takes his government-issued iPhone to Moscow with him, the Feds can read his itinerary from it?

  20. FBI is screwing themselves because... by LostMyBeaver · · Score: 4, Interesting

    As soon as they make it public that they can open any iPhone they can get a court order for, people with something to hide from them will move to using more secure applications which are written by companies or people the FBI can't so easily influence with the American legal system.

    Better yet, they'll move to using programs that are written by people who added security and wouldn't know how to hack them themselves.

    So, basically, all they're doing is educating the criminals to use technologies that are more secure written by companies outside of their jurisdiction.

    If they open this phone, it basically will guarantee they will never be able to get to "terrorist data" ever again.

    How come no one ever bitches about this? I bet you that 99% of all terrorists have moved to using something more secure by now.

  21. support Apple by jack133 · · Score: 1

    Like Cook said, public safety is important, so is citizen private information!

  22. BB vs iOS? by therealkevinkretz · · Score: 1

    "One major reason for that is -- you guessed it -- the strong native security."

    Blackberries are more secure in many ways than iPhones. They certainly have more remotely manageable security, and can be more locked down, feature-wise.

  23. Re:From the Department of Obvious by Plumpaquatsch · · Score: 1

    As delusional as thinking the iPhone is currently secure from "state actors" (including foreign ones) if they physically get hold of it? Because that would be very delusional.

    Well, at least a script kiddie with a Rubber Ducky can't get in.

    --
    Of course news about a fake are Fake News.
  24. Ugh by jon3k · · Score: 1

    In its rush to gather information, the FBI blew its chance to retrieve data from the iPhone of one of the San Bernardino terrorists when it ordered his iCloud passcode to be reset shortly after the attacks.

    This is very misleading. It would have only given them access to the data on the phone stored in iCloud.

    1. Re:Ugh by Plumpaquatsch · · Score: 1

      In its rush to gather information, the FBI blew its chance to retrieve data from the iPhone of one of the San Bernardino terrorists when it ordered his iCloud passcode to be reset shortly after the attacks.

      This is very misleading. It would have only given them access to the data on the phone stored in iCloud.

      This is very misleading. They won't find any useful information on his work phone anyway, because he would have destroyed it anyway if there were, like he did with his actual phone.

      --
      Of course news about a fake are Fake News.
  25. iTunes app store after FBI/Apple settle by rcharbon · · Score: 1