Slashdot Mirror


FBI May Be Opening A Security Hole To Federal Agencies (computerworld.com)

Lucas123 writes: In its rush to gather information, the FBI blew its chance to retrieve data from the iPhone of one of the San Bernardino terrorists when it ordered his iCloud passcode to be reset shortly after the attacks. Now in its fervor to force Apple to create software that can break its own encryption algorithm, the FBI may be opening a security hole to federal agencies. Over the past four years, the federal government has largely shifted its use of mobile devices from Blackberry to iPhones. One major reason for that is -- you guessed it -- the strong native security. If Apple creates an iPhone skeleton key, it not only threatens the public's privacy, but the security of the federal government as well.

10 of 152 comments

  1. As if it matters by 93+Escort+Wagon · · Score: 4, Insightful

    Given how thoroughly large government organizations keep getting hacked - such as we've recently seen with the OPM and IRS - it's not as if there's any information on government employees' phones which isn't already in the hands of the Chinese, Russians, and various criminal syndicates.

    --
    #DeleteChrome
  2. So I was watching the X-Files... by ChunderDownunder · · Score: 4, Funny

    I find it hard to take the FBI seriously on iPhones when their own IT department's security is so lax.

    Agent Mulder's work-issued computer didn't even have a password-protected lockscreen when the machine was idle. Thank goodness it was only Scully/Miller/Einstein - anyone from a double agent to a passer-by such as a cleaner or a vending machine technician could have accessed sensitive, classified information.

  3. Re:"skeleton key" by AHuxley · · Score: 4, Informative

    The House Committee on the Judiciary Hearings, The Encryption Tightrope: Balancing Americans’ Security and Privacy (Streamed live on Mar 1, 2016)
    https://www.youtube.com/watch?...
    Try around the 4:05 point in. 200 phones are in line for the same skeleton key needs. As mentioned, that federally demanded, universal "skeleton key" will be ready as an overlap for State and Federal courts :)

    --
    Domestic spying is now "Benign Information Gathering"
  4. Re: "skeleton key" by zieroh · · Score: 4, Interesting

    Except, of course, the court order specifically allows for Apple to NOT give the binaries to the FBI and the FBI requested it that way to address exactly that issue. But hey, I just read the writ, not the bullshit lies on the Internet.

    Okay, I'll bite.

    What happens the next time the FBI (or any other LEA) has an iPhone that they need information off of? The FBI has divulged that there already exist about a dozen phones that need breaking. They have also admitted -- in public testimony -- that this case would set a precedent.

    So please tell me, specifically: how exactly is this just about a single phone, when the actual head of the actual FBI has admitted that it is categorically NOT about a single phone?

    --
    People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
  5. Re:"skeleton key" by MobileTatsu-NJG · · Score: 4, Insightful

    Apple hasn't written the software they need to do it. It doesn't exist right now. Once they write it, it's written. Precedent is set and a floodgate of requests will begin and there won't be much Apple can do to make them stop.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  6. Re: "skeleton key" by AHuxley · · Score: 5, Informative

    AC the "revoke" issue won't work to try and keep it for "one" physical. The request is for code that is on a drive that is given to the US gov. The computer code can then be used to open product lines at a state and federal level.
    The code as a method on a computer hard drive is being conscripted for a generation of phones, not one physical phone.
    Again the House Committee on the Judiciary Hearings, The Encryption Tightrope: Balancing Americans’ Security and Privacy (Streamed live on Mar 1, 2016)
    https://www.youtube.com/watch?...
    4:44 and onto 4:45 has the details on the request made.
    Tool was to be put on a hard drive.
    Hard drive with the new tool was to be sent to US gov.
    A gov computer would then perform the task. Portable, reusable.
    More details at (March 2, 2016)
    http://nypost.com/2016/03/02/f...
    “The request we got from the government in this case is, ‘Take this tool and put it on a hard drive, send it to the FBI,’ and they’d load it onto their computer,”

    --
    Domestic spying is now "Benign Information Gathering"
  7. Re:Yeah, it was security that motivated them... by LostMyBeaver · · Score: 4, Informative

    I'll address this in a few parts.

    1) BB was a good platform for its time. Its near-absolute inflexibility from a development perspective made it a good platform for security since it was hard enough to code, it was pretty hard to hack. Palm Pilot wasn't bad either in its time.
    2) BB10 is not BB. It is based on QNX which (I have extremely extensive experience coding for at a system level in direct coordination with QNX themselves) and is otherwise an entirely new operating system consisting of millions of lines of code produced by hundreds of developers over a short span of a few years.
    3) To suggest that much new and untested code (no it hasn't been) is sheer silliness and doesn't belong in a forum for people who claim to understand technology. It is mathematically impossible to develop that much code that fast with that many people and have a secure platform.

    So, let's talk about this... an iPhone and a Blackberry compared side by side are equally insecure. Sure, the obvious routes probably aren't a problem, but hackers don't use obvious routes... well sometimes they do... depends on what you consider obvious :)

    I have always hated people saying things like "I don't even run antivirus, I'm running a Mac. Unlike a PC, it's secure!". I would respond "Just because no one is openly hacking it currently doesn't mean it's secure".

    BES is secure until the messages hit the phones. Once they reach the phone, all security is absolutely gone. Secure messages require secure keys. Secure keys are 3072 bits or longer (for now according to the NSA... this means they can crack 3072 but they believe others can't). Unless you are manually typing 768 hexadecimal characters into the phone every time you log in to use BES, the key used for decrypting your messages is stored on the phone somewhere.

    The key to decrypt the keys is probably a pin code or possibly up to a 10 character password convenient to type on the BB keyboard without too many shifts, controls, etc...

    If I can locate the store of the key, locate the code to decrypt the key, find the location of 2 or more messages which contain headers (all do), then with the proper computational power, I can obtain the key to decrypt all messages stored by BES on the phone. It's only a matter of CPU. While the number of possible passwords to decrypt the keys increases exponentially with each character in length, the fact a laptop can crack 6 characters in a few seconds, 8 characters in about 10 minutes, throw 65536 CPUs or a few FPGAs at the problem and it would do 10 characters in about 10 minutes.

    I have never figured out why so many idiots think that BES is secure... to decrypt messages, the phone has to be storing the information required to decrypt them. At some level there must be a way to read the messages and the security isn't as strong as the door and the lock securing it. It's as strong as the box next to the door holding a spare key that is guarded by a simple code.
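
Added example, not part of the comment above: a sizing aid for the "spare key guarded by a simple code" argument, showing that a stored key wrapped under a passcode has the passcode's strength and how the key-derivation cost changes worst-case guessing time. PBKDF2-HMAC-SHA256, the salt size and the function names are assumptions chosen for illustration; the page does not describe how BES actually stores keys.

```python
import hashlib
import math
import os
import time

KEY_BITS = 3072  # key size quoted in the comment above


def passcode_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random passcode of this shape."""
    return length * math.log2(alphabet_size)


def effective_bits(key_bits: int, alphabet_size: int, length: int) -> float:
    """A stored key wrapped under a passcode is no stronger than the passcode."""
    return min(key_bits, passcode_bits(alphabet_size, length))


def derive_kek(passcode: str, salt: bytes, iterations: int) -> bytes:
    """Derive the key-encryption key protecting the stored key (assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations, dklen=32)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure what one passcode guess costs on this machine at a given KDF cost."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_kek(f"guess{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def exhaust_seconds(alphabet_size: int, length: int, per_guess: float, workers: int = 1) -> float:
    """Worst-case time to try every passcode, split evenly across workers."""
    return alphabet_size ** length * per_guess / workers


if __name__ == "__main__":
    shapes = (("4-digit PIN", 10, 4), ("6-digit PIN", 10, 6), ("10-char alnum", 62, 10))
    for iterations in (1, 100_000):  # weak vs. deliberately slow derivation
        cost = seconds_per_guess(iterations)
        print(f"KDF iterations={iterations}, {cost:.6f} s per guess")
        for name, alphabet, length in shapes:
            bits = effective_bits(KEY_BITS, alphabet, length)
            worst = exhaust_seconds(alphabet, length, cost)
            print(f"  {name}: {bits:.1f} effective bits, {worst:.3g} s worst case")
```

The measured per-guess cost is for the machine running the script; a key bound to a hardware secret that cannot be exported also prevents spreading the guesses across other machines, which this estimate does not model.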

  8. Re:The Age of Anti-American American Agencies. by LostMyBeaver · · Score: 5, Insightful

    The founding fathers were just as big a bunch of dicks as the current lot. Often worse.

    The "justice for all" bullshit was because they were pissed at what British Parliament did to the colonies by taxing them. King George III wasn't able to do much more than watch from the side lines. He was pissed at them too.

    The truth is, more than half possibly 3/4 of the founding fathers probably would have hung Tim Cook and beat him until he cried like a girl and screamed "open it, open it".

    I always wondered if those guys were so great and wise and pure and all that shit... why would they write a constitution which more or less would so easily let the country devolve into some religion where we have now existed for decades without a single amendment to improve the document by modernizing it for the times? Where's the review requirement? We treat the document as an absolute as if it is perfect in every way and to question that is borderline treason. Where is the part of the document which would protect civil liberties regarding electronic data protection? It's not there because the founding fathers didn't absolutely require that the constitution is reviewed and updated.

    It was written by a bunch of pissy little bitches and a poet or two. They were all pissy at England and wrote a document to provide freedom from their oppressors for a million people or so and didn't give a shit whether it lasted 200 years in the future and certainly had no clue it would eventually be used to govern 400 million people from every country, race and religion as equals.

    If you want to be true to yourself, with a few exceptions, these guys were mostly soulmates with Donald Trump. They weren't wise, they weren't great, they didn't shoot lightning bolts from their eyes and they didn't shit daffodils when they sat upon the bowl. They were men who:
      a) Wanted to secure power for themselves and their families
      b) Represented a group of truly fucked up people who believed righteousness was the Salem Witch Trials.
      c) Believed black people were less valuable than dogs since you could love a dog.
      d) Believed that religious freedom meant you should be free to believe in any form of Christianity you want.
      e) The one odd ball or two who felt it was a chance to do something wholesome and good.

    Don't place politicians on pedestals. They might make impressive art, but they sure as hell are nothing more than people and very rarely are they more than sales people.

  9. FBI is screwing themselves because... by LostMyBeaver · · Score: 4, Interesting

    As soon as they make it public that they can open any iPhone they can get a court order for, people with something to hide from them will move to using more secure applications which are written by companies or people the FBI can't so easily influence with the American legal system.

    Better yet, they'll move to using programs that are written by people who added security and wouldn't know how to hack them themselves.

    So, basically, all they're doing is educating the criminals to use technologies that are more secure written by companies outside of their jurisdiction.

    If they open this phone, it basically will guarantee they will never be able to get to "terrorist data" ever again.

    How come no one ever bitches about this? I bet you that 99% of all terrorists have moved to using something more secure by now.

  10. Re: "skeleton key" by meerling · · Score: 5, Insightful

    They didn't refuse to cooperate, they refused to engage in the process to develop a tool to defeat their own security system.
    It's kind of the difference between giving a mugger your wallet when he demands it, and bringing him to the bank to cosign for his Small Crime Business Loan then babysit his kids for a few hours while he goes and mugs some other people.