FBI Calls Apple 'Jerks' and 'Evil Geniuses' For Making iPhone Cracks Difficult

troublemaker_23 shares a report from iTWire: A forensics expert from the FBI has lashed out at Apple, calling the company's security team a bunch of "jerks" and "evil geniuses" for making it more difficult to circumvent the encryption on its devices. Stephen Flatley told the International Conference on Cyber Security in New York on Wednesday that one example of the way that Apple had made it harder for him and his colleagues to break into the iPhone was by recently making the password guesses slower, with a change in hash iterations from 10,000 to 10,000,000. A report on the Motherboard website said Flatley explained that this change meant that the speed at which one could brute-force passwords went from 45 attempts a second to one every 18 seconds. "Your crack time just went from two days to two months," he was quoted as saying. "At what point is it just trying to one up things and at what point is it to thwart law enforcement? Apple is pretty good at evil genius stuff," Flatley added.

Can they be that stupid?

[Duhavid]

If it is easy to crack for the FBI, it is easy to crack for anyone.
Any "back doors" will be converted to front doors ( or windows ) soon enough.
And the timing of such a statement. Meltdown and Spectre still in the news, then this.

Re:Can they be that stupid?

And a lot of people - including the FBI guy there - seems to think that his agency is a bunch of saints and always has been and always will.

They should go and read some biographies not written by FBI people about J. Edgar Hoover.

Re:Can they be that stupid?

[necro81]

If it is easy to crack for the FBI, it is easy to crack for anyone

To quote CGPGrey: "there's no way to build a digital lock that only angels can open and demons cannot. Anyone saying otherwise is either ignorant of the mathematics or less of an angel than they appear."

FBI are reminding you they are bullies

[ArtemaOne]

Pre-cracked encryption is worthless. Might as well force everyone in the world to use TSA locks for physical security, where there are only 5 keys in the world that open them, providing no security at all.

it's a decision

Apple isn't any "smarter" or "evil-genuis-y" than any of the other guys out there. They just decided to take their customer's privacy seriously. Google, Facebook, etc are just as smart or evil genius-y, they just put their targets elsewhere because having their customers' information more public is their business model.

Re:it's a decision

[famebait]

I can't speak for anyone else, but I have lots of other issues with Apple, both technical and businesswise.

It still remains a fact that their core business model revolves around the sale of their own hardware and software.
The other biggies are either all or largely about monetizing data about their users.
This difference has real consequences.

I don't buy for a second that Apple care more about privacy out of the purity of their hearts. But their business model allows them to deliver on that front should they wish to, and lately their market (the users) gives them reason to wish so.

The others can only really go so far on privacy, no matter what users shout for, bacause their markets (not the users) have very different requirements with regard to personal information.

Who's fault is this?

[Gravis+Zero]

Congress Is About To Vote On Expanding the Warrantless Surveillance of Americans

I think it's hilarious that they don't realize that it's their own insatiable desire to spy on everyone that is the primary driving force behind the spread of encrypted communications. That they don't realize this truth makes it all the more funny.

Re:Who's fault is this?

[pr0fessor]

What these people forget is that average people use these devices to do online banking/shopping/bill pay and that a lost or stolen device that doesn't have good encryption is just another way identity theft and fraud can happen. If protecting the people from fraud and identity theft that costs it's victims over $15 billion a year isn't a priority for these people then they shouldn't be in law enforcement.

It's not law enforcement that makes me want to keep my phone encrypted and password protected it's all the thieves and fraud.

Failure to understand the goal of the encryption

They don't do it to thwart law enforcement. They do it to thwart criminals, terrorists, foreign intelligence agents (aka spies), etc.
If the law enforcement people happen to use the same techniques as those groups, well......

No, they are not

[PeeAitchPee]

This is theater, and the FBI / NSA / sppok community at large obviously understands what you are describing. Statements like this are in part how these orgs "prove" to the gov't the need to pass laws to give them what they want.

Re: No, they are not

Maybe you don't understand. The FBI ARE the bad guys. Make sense now?

I know that story...

[namgge]

I goes: "Oh please Brer Fox, whatever you do, please don't throw me into the briar patch."

FBI, is your security hard to crack? Why?

[geekmux]

I cannot believe we actually hire allegedly educated individuals to work in the FBI who can't fucking grasp the concept that Apple didn't make good security because of the FBI. Apple made good security because of the actual evil in the world, and to protect their customers.

Wonder how the FBI would feel if we turned around and started asking them the same damn thing about their encryption. How dare they make it very difficult to brute-force. Of all the nerve...

Re: One every 18 seconds? What?

No, that's not a default. Everyone with toddlers would be absolutely pissed if it were

Law enforcement

[jbmartin6]

Of course it is to thwart law enforcement. The FBI likes to pretend that it is trustworthy, history says otherwise. And of course, the US government is not the only "law" enforcement involved. Meanwhile we have yet to see a case they could not prosecute because of data on the iPhone, on the contrary we've only seen them trying to crack iPhones as a side note to an already established case just in case there is something relevant on there.

Re:Not black and white

[ledow]

I hate to defend Apple (literally.. I do HATE to defend Apple), but:

"There is no one "right" answer to a question like this save the ones we collectively and imperfectly come to as a society. Absolutist assertions that it is either unbreakable, impenetrable encryption for all, or nothing, are false."
"Apple believes it is protecting freedom. It's wrong."

Well, that absolutist assertion seems like you have an answer in mind.

You're trying to mask it, but a backdoor is a backdoor. If Apple are capable of creating a version of the OS that will update over an existing version on a targeted iPhone and thus render the encryption on their iPhone moot - then there is NOTHING stopping a person at Apple from, say, reading the president's private bedroom photos from his iPhone.

You can say "it won't happen", you can say "nobody would do that", you can say "you just need to pick people carefully", etc. but the fact is that at the end of the day some small group of Apple employees have some method of access to every Apple device on the planet. To suggest that this could never be misused would be false.

As such, to not even have THE CAPABILITY is to render the possibility moot. No, we won't push out targeted firmware to an individual iPhone identified by law enforcement - we'll design systems such that we CAN'T EVEN DO THAT (i.e. one iPhone is no different to any other and can't be identified by such a system). That's how to secure your customers and your business. A kind of legal self-denial if you like. The best way to ensure you can't get drunk is to not have the alcohol in the house at all.

Your other arguments in that article are literal red herrings;

"Apple is welcome to use every legal mechanism possible to fight this court order â" that is their absolute right. But to start and grow their company in the United States, to exist here because of the fundamental environment we create for freedom and innovation, and then to act as if Apple is somehow divorced from the US and owes it nothing, even when ordered by a court to do so, is a puzzling and worrisome position."

So... because Fuck Yeah America! they are required to kowtow and not use a valid legal argument in a US court? I think that's what that article says there. If the US court wished to sanction them, they could and would. You could literally stop Apple operating overnight if the courts so determined that they were that non-compliant. But they presented an argument, which clearly won enough doubt to not push through such orders to being prosecutions for failing to comply. And the rest of the "because they're in the US, they should give us something" stuff is just a distraction based on national pride.

This is about the only thing Apple have ever done that I approve of. It shows that they have at least some semblance of a principle, and - amazingly - it would be much cheaper and easier to comply. They are literally costing themselves money to secure a freedom. That's the one good thing I've ever been able to say about Apple, ever.

And it is securing your freedom too. How? If a guy at Apple can do it, so can a guy at the NSA order him to do it and also to then never speak of it, and that guy at the NSA could easily be working for a foreign state, or to try to discredit the president, or be someone who wants to set you up, etc.

Literally, a dystopian state would love this... hey, just let me tap into everyone's iPad and iPhone, and by the way you cannot ever say a thing. If you haven't seen, powers - once established - are universally misused for a long time until they're brought back under control (if at all). Some councils in the UK are still using "anti-terror" legislation to get personal details on people who put the wrong bins out on the wrong days. I kid you not.

By not allowing the creep to start, publicly, visibly, legally, at great expense and when they could just kowtow, Apple has done more of a service in this small act than can be countered by stopping a terrorist.

Stupid or disingenous?

[sjbe]

If we could somehow create magical impenetrable *physical* fortresses that cannot be opened or accessed by the duly-empowered law enforcement and judicial powers of a democratic society, would we say that's just the way it is?

We would have to. Total strawman you have there but I'll roll with it. To make it tangible the laws of mathematics are not bendable for the convenience of some and not others. Once encryption is broken by one party, it is a trivial exercise to break it for an arbitrary number of other parties or to simply distribute the data being protected. Once you have one key it's cheap and easy to make copies of the key and much more expensive to replace the locks. And once the data is taken there is no point since that would be like locking the door after the thief has already run off with your stuff.

There is no one "right" answer to a question like this save the ones we collectively and imperfectly come to as a society.

Actually there is a right answer here and air quotes are not needed. Your options are either to use encryption properly to keep data secure or to not use it at all and live with the consequences. There literally is no middle ground. Weak encryption or backdoored encryption = no encryption.

Apple believes it is protecting freedom. It's wrong. Here's why:

That article is a complete load of nonsense. The author is either an idiot or has an agenda. His arguments are flawed to their core. The argument is basically that bad guys are lazy and won't be bothered to take advantage of government mandated back doors. That argument is so stupid I barely know were to begin.

Re: FBI now providing free marketing!

[TheFakeTimCook]

*this*
If you have any indication that you may be a person of interest, either by activity or location, then you should *not* be using biometric locking on your phone at all.
Panic lock is for when you don't expect that you are of interest, but suddenly find you may be.
Note that once you're detained SOP for police would preclude you from being able to lock your phone, and in fact attempting to do so could get you shot. (reaching into your pocket == going for a gun).

Apple made the Panic Lock fast and easy enough that MOST people could manage to do it BEFORE being detained.

That being said, I agree: If you EXPECT to be hassled/detained, then by all means, not only use a Passcode, make it a passPHRASE > 4 characters. You can use up to 52 (IIRC) alphanumeric characters for an iOS passphrase. Let them chew on THAT!

Re: Didn't have to bribe anyone to break every DRM

[Waffle+Iron]

Actually, for most phones the encryption keys *are* kept in the phone and obfuscated; they're kept in tamper-resistant hardware storage (which must be rather effective, otherwise the spies wouldn't be complaining).

The info kept in the user's head is just a short PIN that could be cracked in seconds if they were actually used as the key. The security lies in the phone firmware/hardware only allowing a small number of PIN guesses before it wipes out the real keys.