FBI Telling Congress How It Hacked iPhone (theverge.com)
An anonymous reader quotes a report from The Verge: According to a new report in National Journal, the FBI has already briefed Senator Dianne Feinstein (D-CA) on the methods used to break into the iPhone at the center of Apple's recent legal fight. Senator Richard Burr (R-NC) is also scheduled to be briefed on the topic in the days to come. [Feinstein and Burr are both working on a new bill to limit the use of encryption in consumer technology, expected to be made public in the weeks to come.] The disclosures come amid widespread calls for the attack to be made public, particularly from privacy and technology groups. However the FBI's new method works, the ability to unlock an iPhone without knowing its passcode represents a significant break in Apple's security measures, one Apple would surely like to protect against if it hasn't already. Just days after the FBI broke into the terrorist's iPhone, the FBI told law enforcement agencies it would assist them with unlocking phones and other electronic devices. We still do not know how the iPhone was hacked, nor do we know how many iPhones may be able to be unlocked from the hack. The FBI did tell USA Today the hack has not been used in any other case beyond San Bernardino.
The queen of "laws for thee, but not for me."
Guns? Why, those should be illegal! But I'm going to need some armed guards for myself, of course.
Encryption? Consumers can't be allowed to have that! Now how do I configure my secure Senate email account?
What a hypocritical cunt.
so we can't even talk about anything further.
who is going to tell us the honest truth? all we get is the dishonest truth from every 'official' that speaks up about this.
disinformation and even more disinformation. you'd be nuts to take anything on face value, given what's at stake.
--
"It is now safe to switch off your computer."
More alarming than the hack is the following bit in TFS:
The "hack", as I understand, was on a 5C, which is weak by comparison to the 5S and beyond. Non-event.
But the bit I quoted? Really? Limit what encryption consumers can have? I find that more alarming than "old-ass insecure phone got cracked."
I hope this dies a flaming painful death before it goes anywhere.
The "Civilized World" jumped the shark ca. 1973.
Dianne Feinstein was born in the wrong country
She fits much more snugly in a fascist state
Many thanks, Mr. Edward Snowden!
It's becoming clearer every day that we need phones that run OpenBSD. The OpenBSD developers have shown us time and time again that they're completely dedicated to writing damn secure software. They will even fork, fix and maintain software written by other projects if it doesn't meet their high standards, like we've seen them do with their LibreSSL project.
This is exactly the kind of thing that Mozilla could do to redeem themselves. Instead of wasting so much time and effort on Firefox OS, they could have instead provided the resources necessary to get OpenBSD to run well on Nexus phones. It's clear that Mozilla doesn't have much of a chance when it comes to the web these days, after how they've driven away so many Firefox users with unwanted and unnecessary changes. But Mozilla could reinvent itself as a provider of secure consumer-oriented software.
or are we just believing the FBI said it was?
or wasn't there some law about circumventing security measures on a computer device?
Because Apple helps to fund the FBI, the FBI doesn't help to fund Apple.
I don't understand why the passphrase even matters when they've had complete physical access to the phone all along. The lawsuit was certainly an attempt to coerce Apple into providing a backdoor--the FBI knew damn well it didn't ultimately need one.
What info did the FBI get off the phone? I think it's generally considered that time was a crucial element in getting any meaningful info from the phone, and perhaps days or hours after the event, anything in there would be useless.
I'm not sure anyone has yet convinced me that more encryption = more terrorism.
How many cat videos were found on the terrorist's iPhone?
Captain Jean-Luc Picard of the USS Enterprise
That this episode of the FBI vs Apple has come to public attention proves that the FBI is grossly incompetent. When the public (and therefore terrorists) no longer believes that phone information is absolutely safe, other means of communication will be used: government loses a powerful tool against its enemies. This is a hideous strategic blunder.
Contribute to civilization: ari.aynrand.org/donate
The death of everyone that isn't an old white man is their global endgame. They only care about profit, not people.
Yeah, gotta love how the most likely cause of death for a young black person is to be murdered by another black person - in a city that's been under single-party Democrat control for a fucking century...
"Feinstein and Burr are both working on a new bill to limit the use of encryption in consumer technology, expected to be made public in the weeks to come."
Not only is this extremely stupid and utterly unworkable, but fuck these two maggots who think that it's their right to weaken our privacy.
Just cruising through this digital world at 33 1/3 rpm...
Will the government be retroactively censoring all of the public details of encryption algorithms and wiping all of our memories? Diffie, Hellman and Merkle better watch their backs!
But seeing "Trump 2016" chalked onto a sidewalk will make those same weak-willed twits wail in horror?
Awww, such special snowflakes!
I'm older, but at 18 or 20 years old my father and grandfather were jumping out of troopships while being shelled and shot at....but millennials shit their pants if the rice in the school cafeteria isn't "authentic" to the way they make sushi in Japan. I'm not making this up.
Feinstein and Burr are both working on a new bill to limit the use of encryption in consumer technology, expected to be made public in the weeks to come.
When math is outlawed, only mathematicians and those who can read their papers will have math.
OK. There are several things wrong with this. The first and most glaring is that if the FBI wunderkinder can't bust into an IPHONE with their crime fighters, then surely the NSA could. It's never been made public, but I have little doubt that before the "Official Crack", the NSA offered to bust that puppy wide open. Another glaring omission is that we won't know how much data is left on the phone (possibly only volume settings and recently phoned numbers). Apple/FBI had access to *all* of their cloud data months ago. Now I don't know the innards of the iPhone intimately, but if there is a separate Hynix (or other) memory chip, separate from the main processor, then you can just bypass the whole operating system chip, suck all the data off the memory card however encrypted, then just spread that memory image among about the NSA's "Acres of cores"(tm) and have a crack-o-rama(tm). Old timers can make book on how long it will take to break. (Remember, when brute-force cracking, half the total number of combinations is the average time needed to break any given encryption scheme). And none of that "three guesses or we delete" crap either. Actually you could just lift the write pin on the memory chip (give it a little snip) and go hard against the phone itself, but that wouldn't be nearly as fun. Closest to the time it takes to crack Apple encryption gets taken out for pizza by the rest. Oh? What was that? You asked how many electrical engineers and computer scientists work for the NSA? Well sparky, the answer is: enough to design and fab their own chips and build their own hardware, and likewise make their own operating systems and software (although COTS software is used whenever available, we *are* a taxpayer funded federal agency after all).
No, the Playstation doesn't run FreeBSD, or free anything. It runs a proprietary operating system which includes a lot of code from another proprietary operating system which once borrowed some code from FreeBSD.
Every few years, somebody figures out a way that if you have full access to the hardware, you can open it up and do this and that and boot another OS. I don't know that ANY popular hardware is secure against that.
Going on 20 years working full time in computer security, it's my informed opinion that FreeBSD and OpenBSD are both more secure than any of the more popular operating systems. FreeBSD can be more secure than Linux by giving up some of the flexibility and the cutting-edge features. FreeBSD is one OS, Linux is a bunch of related operating systems, including Android. Windows not only has the focus on new features, but is also just now overcoming some security decisions that made sense when they were made, but turned out to be disastrous for security as the world changed.
OS X is in some ways similar to the BSDs - it's based on a solid multi-user, network OS pedigree, and it's not required to be flexible. With OS X, things work the way Apple chooses. They choose the exact hardware they'll support and the OS does things the way Apple chooses; they don't support a dozen different alternatives for each thing like Linux does and Windows somewhat does. This allows Apple to make that one supported way more secure and reliable.
It's called man in the middle. They remove the memory chip from the iPhone. The contents of the chip are read and saved with a chip reader. A device emulates that chip and hooks into the screen and touch screen input. It then brute-forces all possible passcodes. It only requires someone with decent desoldering skills with a hot air wand.
That's what it all comes down to.
I love Jesus, except for his foreign policy.
Something similar to this: Black Box device can brute-force iOS 8.1 PINs
I've thought about this for a long time as well. I've only been in the industry a bit over one decade, so admittedly less time than you, but I believe I've come to a different conclusion. When you buy an Apple computer only Apple gets paid. As you mentioned, it's Apple hardware running Apple software, which run a core of Apple programs that work well with Apple services, network equipment, and peripherals. They even now, of course, have an Apple store so they can get a 30% cut on anything they still haven't provided. Now assuming that this closed exclusive system is more secure (which I consider to be a dubious claim), is that even worth it? You don't have to have a very powerful imagination to think up some of the problems that could occur giving one company this much control over your computing needs. This FBI case is a great example. The world is in a state right now where those inclined to do so really only have to infiltrate a handful of companies to compromise everyone's data. If anything, the world needs less consolidation and control, not more. We've spent the last three decades giving up freedom, choice, and healthy competition for convenience, ease of use, and ultimately a false sense of security. It's time for a new approach.
If it ain't broke, don't fix it.
They'll get my math when they pry it out of my cold, dead cerebral cortex.
A large agency, such as the NSA, has the necessary resources to get into the phone that was behind all this noise. This is yet another attempt to use fear and misinformation to persuade Americans to sacrifice liberty in the name of 'security.'
Crypto and homebrew don't belong in the same sentence. Even the experts occasionally get it wrong and they have decades of design and implementation experience behind them. This one is best left to the pros, with audits of their work.
"If there was a gay Afro-Puertorican Linux distribution, I'd give it a try" ~lucm
For a very long time I ran Linux on everything, not just my desktops, laptops, and servers, but also my routers and everything else. Linux is so flexible that it runs 98% of all supercomputers, and also runs fine with 8 MB of RAM. For many purposes, there is a Linux distribution that's the right tool for the job.
In some cases, FreeBSD or OpenBSD is the right tool for the job. Firewalls are a great example; you want your firewall to be secure and reliable; you don't care if it supports the latest graphics card well. FreeBSD is secure, reliable and very network-centric. There's a great user-friendly storage server system that happens to be BSD based.
For a corporate desktop, in an environment with Active Directory, LDAP, etc, and little tolerance for downtime and "fiddling" with your computer to make it work, sometimes you still want a UNIX box rather than Windows. OS X fits that role nicely, in my opinion. Note OS X is a completely different beast than iOS. Nobody that I know uses the damn app store for OS X. It's simply a well built UNIX which will run all of your favorite FOSS software, reliably without fiddling with sysctl and X graphics drivers, while integrating pretty seamlessly into the Windows-centric corporate environment.
I could have said that more concisely as:
--
My last two employers needed me to use Outlook and Photoshop.
My personal workflow uses bash, perl, grep, awk, and make.
All of those required tools work great on my Mac, even after I've dropped it on the concrete.
---
Mac is full-fledged certified UNIX, and it's corporate helpdesk approved. Where else are you going to find that combination?
My MacBook Pro does run Linux, Windows, and FreeBSD virtual machines all the time too, though. I click whichever OS is suited to the moment. Last week, in 18 hours, we found thousands of vulnerabilities in 14 machines running those operating systems plus Cisco, so I know none are bulletproof, but I also know some are much more secure than others. (Our full vulnerability report for 14 targets was over 1600 pages long - for the exposures we found in 18 hours).
She is obviously not a true democrat. In the one state that upholds these values, they need to use their money for a good cause. She is bad news for business. And this is coming from a guy (a Democrat, atheist) from Mississippi, so I kinda know what I'm talking about. I think we're about to lose a LOT of federal funding for research. Morons at the helm...
665: The mark on the forehead of Satan's slightly less evil brother, Stan.
So we only have the FBI's word that they have hacked the iPhone; they may have found the password via other means for all we know. This may be an attempt by the FBI/NSA/CIA to scare people away from using iPhones as a secure communications medium. Also, US laws on restricting encryption mean nothing to criminals because they will just buy a stock Android phone off eBay and install a secure locked down firmware package that has encryption built in.
Do privacy concerns come before finding the bomb before it detonates?
Yes, they do...
If you don't have principles to stand on, then you stand for nothing and will fall, sooner or later.
As with most theoretical ethics problems, it only seems as if there is a conflict because the proposed scenario is too vague. This is why I find philosophy irritating sometimes: once you define enough details (as you would have in a real world scenario) you'll often find that the "right" thing to do is less ambiguous than it seems.
How do we know there is a nuke that is about to go off at all, if we don't know where it is? How did we locate the person who delivered the bomb in the first place? We were tracking them closely enough to know that they planted the bomb, but not closely enough to know where? How do we know that the location and the disarming codes are on the iPhone at all? What kind of guarantees do we have that if we do get into the iPhone we can stop the bomb going off in time anyway?
If we have a 100%, no bones about it, guarantee that gaining access to this one particular iPhone will prevent a nuke going off somewhere, then by all means, break into this particular iPhone. But you'll never have that kind of guarantee, so people will always argue that we need to be able to get into all the iPhones just in case.
This is always the problem with this kind of reasoning, it leads inexorably to mass surveillance: "We have to watch everybody because somebody, somewhere, at some time will do something dangerous, and this is the only way to stop them." How about: most people are good, so let them be free.
I'd rather die in a nuclear blast in a free country, than live a long life in a police state. The real fight is not to prevent deaths due to terrorism, the real fight is to prevent terrorists from changing who we are. They can only win that fight if we let them.
Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
Now they're felons.
I bet they have a shit load of iPads and iPhones.
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
Apple isn't willing to play ball with the FBI.. so why should the FBI help Apple out here?
Did they pay for them? :)
I guess most of them are in a locked state
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
Pretty sure they can do it:
http://blog.trailofbits.com/20...
New things are always on the horizon
Because we do not trust the FBI or our other federal investigatory agencies to operate transparently. Nor should we: they've a long history of relying on untrustworthy informants, and of pursuing ridiculous charges for criminal activity. Look up the David LaMacchia case for a prime example of stupidly handled criminal charges, and the Kevin Mitnick case for how badly the FBI handles hacker informants. Most of their limited number of successful investigations and prosecutions for computer crime do not actually involve investigation by the FBI, the data is handed to them by the victims or by outraged private citizens as the only agency empowered to investigate crimes that cross state lines. And they normally say "no", because the crimes do not reach the fiscal threshold to justify assigning any manpower to the case.
The result is that the FBI is a passive roadblock to investigation and prosecution of the massive amounts of computer cracking and computer based fraud that flood many networks.
URL please? I somehow managed to miss that news.
Resetting the failed attempts counter is only part of the problem. How could the company run a brute force attack given the limitations of the iPhone hardware? i.e., the iPhone doesn't have thousands of fast parallel processors dedicated to handling password requests. Unless the owner was using a guessable password or something vulnerable to a dictionary attack, wouldn't it take years (centuries?) to brute-force it?
they will pass laws saying we can't lock our doors with deadbolts or reinforce them.
Car alarms, who needs them?
bars on windows, psh.
machetes, we live in America not the jungle.
All because those are things terrorists might use along with a long list of other consumer items.
Most people are "cut you off in traffic" assholes, not "plant a nuclear bomb in downtown Manhattan" assholes. Most people are good in that they're not violent criminals, even if they are uncourteous (and Americans are not even close to being the most uncourteous people in the world).
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
The case is not only extreme, it is valueless. When law enforcement knows that much about the situation, they already know what to do. The contents on the iPhone will not help them at all.
That illustrates no conflict at all. The answer is clear; privacy wins in this case. There exist no guarantees at all that the bomb exists, that the iPhone contains anything which will help defuse it, or that the information on the iPhone even is correct.
And if the bomb exists, and law enforcement have been so mind bogglingly incompetent that getting inside the iPhone is the only way to locate it, then the answer is to get less mind bogglingly incompetent law enforcement. Not to destroy the privacy of every iPhone owner in the world.
I'll more directly answer your post. You posed the question of whether concerns that the government can lean on big companies and thereby get access to your computer should override other benefits of using a particular operating system. "Is it really worth it?", you asked.
In my opinion, it IS worth that risk of government finding a way to access my employee email etc, particularly if they have the laptop in custody and a warrant, like the San Bernardino case, when the alternative is that -I- don't have proper access to my work email, calendar, etc. If the FBI seizes my employer's computers, they'll have 16 ways to read the email regardless of which OS I use on my laptop. It's stored on the Exchange server. The source code I write is in our git, cvs, and hg repos, unencrypted and ready for the FBI to seize. So trying to use a non-standard OS on my work laptop wouldn't even INCONVENIENCE the FBI, but it sure would inconvenience me and my co-workers. In this instance, there is nothing to be gained from trying to keep the FBI out of my laptop.
At my last employer, I also had three Macs. All of the information on those computers was property of my employer, a government agency. Most of it was and is available, free, to the public. Does it make any sense to try to prevent the FBI from reading the course material for security courses that we provide free online? Are they going to use it to cheat on the test? Are we protecting the GPL source code of the online campus we used to deliver the training? They can get that at Moodle.org. If they want to specifically look at the code I wrote, they can look in the Moodle git repository, which is open to the public.
So for those jobs, the right tool for the job doesn't need to be FBI proof.
If I was going to pull a Snowden, obviously the requirements change. I might care about making certain data not readable by the feds. Even for my own personal laptop I prefer Linux.
The munitions list only applies if you want to export something that is on the list (for what it's worth, ALL guns of whatever size are on the munitions list, always have been, always will be: if a gun isn't a munition, what is?)
You're perfectly free to make export controlled items in the United States with no supervision, limitation, etc. (at least from export control standpoint). It's when you send one to some other country, or give/sell/transfer it to someone who is not a U.S. Person (i.e. a foreign national or representative of a foreign national, who doesn't have a green card) that the export control laws come into play.
So here we go, the crypto wars are upon us. Even if legislation is passed restricting use of encryption, there will be services, software and tools that will be
available to circumvent it. Just like gun control, criminals and terrorists will find a way around these supposed restrictions. This will hurt American technology companies who'll be handcuffed by stupid restrictions that won't save any lives nor lead to any foresight into nefarious activities. Of course it will erode your privacy and give the government new ways to fuck with your lives but hey, terrorism right?
It's foolish to think you can put the Genie back in the bottle and it points out how valuable the concept of term limits on members of congress would be. You see the glad-handers and baby kissers, the ones that feign outrage and get re-elected by their gullible constituents; rising to power in congress because of the seniority system. You don't get the best leadership, you get the ones who are best at getting re-elected.
Feinbitch, there's a special place in hell for retards like yourself.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
Again you're being unimaginative and just considering your one short term use case. What I am arguing for is ideals. Ideals that consider long term implications for the whole of society. So you don't have much to worry about right now with having all your eggs in one basket. But you might if you were a member of an opposition party in East Berlin. The status quo would be to dismiss extraordinary concerns like that as irrelevant and paranoid, but history that is forgotten is doomed to repeat. This FBI case is a sign of things to come. The NSA revelations before it were a sign of things to come. When you put all your eggs in one basket, and trust that basket to someone else, eventually they will drop it... every time. And things are getting worse, not better. With the popularity of the cloud and the apathetic perpetuation of walled gardens, we're making the concerns of the "Microsoft monopoly generation" before us look adorable. The state of personal computing and telecom is really scary. It's the most uncompetitive, unchecked, closed and controlled industry in the whole of free western civilization. And every day it gets worse and worse as we rely more and more on it.
Now we can't expect everyone to consider this before they make their choices. But I think it's fair to expect that technical people act with a bit more long term planning than "use what's best for the job". It is the responsibility of people in the tech industry to not just use what's best today, but what's going to be best tomorrow, and in the next decade, and for our children. Leave short term thinking to the business types. Technicians are supposed to value being proactive over being reactive.
If it ain't broke, don't fix it.
Just days after the FBI broke into the terrorist's iPhone
They broke into San Bernardino County's iPhone. The county may have assigned the phone to Farook, but it was not Farook's phone. Farook's phone(s) were found in a dumpster, destroyed; and they were destroyed because they contained incriminating evidence. It doesn't take too high of an IQ to deduce this, as it's fairly obvious; and I'm not calling the FBI a bunch of idiots, I'm saying they're calling all of us a bunch of idiots by presenting such blatant bullshit to us and thinking we'll actually buy it.
Don't be the idiot the FBI thinks you are.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Do privacy concerns come before finding the bomb before it detonates?
The Constitution says yes, absolutely.
If you don't like it, push for an amendment to the Constitution.
If you don't like guns, push for an amendment to the Constitution.
If you don't like the rules, push for an appropriate change to the rules.
Shitting on the rules or applying them only when (and to whom) it is convenient is tyranny.
The trouble is that (almost) all leaders are sociopaths, and naturally assume all people are like themselves.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
No one in America wanted to help the FBI. Now they want the FBI to disclose how they did it?
Have you been living under a rock? Apple gave them all the data from iCloud. The FBI then performed a password reset on iCloud AND lost the data that Apple provided. That basically prevented Apple from being able to access the data anymore. So then the FBI was like "Hey, I know we screwed up, but you have to go even further and help us no matter what the cost."
"Live free or die: Death is not the worst of evils." -- General John Stark
"Give me liberty, or give me death!" -- Patrick Henry
"America will never be destroyed from the outside. If we falter and lose our freedoms, it will be because we destroyed ourselves" -- Abraham Lincoln
"If the freedom of speech is taken away then dumb and silent we may be led, like sheep to the slaughter" -- George Washington
I'd rather die in a nuclear blast in a free country, than live a long life in a police state. The real fight is not to prevent deaths due to terrorism, the real fight is to prevent terrorists from changing who we are. They can only win that fight if we let them.
Truer words were never spoken. Spot on, my freedom-loving friend!!!
... there are also worse things than a quick death.
long tortuous pain-filled life, ending in bleeding out like a dog in the dirt, bent and broken.
nuclear fire is not the most horrifying thing i can imagine.
The only way to have complete safety against "terrorists" is to allow the government to have total control over our lives.
The question of how do we have complete safety from our government is left as an exercise for the reader.
"Grab them by the pussy" -- President of the United States of America
I'll just leave this here: CipherSabre.