Slashdot Mirror


User: argumentsockpuppet

argumentsockpuppet's activity in the archive.

Stories: 0 · Comments: 157

Comments · 157

  1. Re:Missing the point on Apple Is Said To Be Working On an iPhone Even It Can't Hack (nytimes.com) · · Score: 1

    When I write software, and I do, I almost never start with nothing. I usually start with a template that has the basic things I usually want and then start adding in or snipping out pieces to make the resulting software accomplish something specific to the task at hand. Sometimes I start with a program I've already written with a lot of code and chop large parts out, paste in other parts from other programs and write the bits that didn't exist before. At some point, I think it is fair to call the result new software.

    To say "create software that doesn't exist" to me, means that the binary that runs in memory is different than the one that would have run before. By comparison, if you say that the modification of software (firmware is just software for a specific type of use) doesn't create something new, then it wouldn't be something new so long as they used any of the code that existed before. That would rule out pretty much every version of iPhone software as being something new since it is all just a modification of something that existed before. I doubt most people would agree. How you use words to describe something doesn't change what the something is. If you like, please re-read my previous post with this phrase instead: "create something which hasn't ever before existed in exactly this way but is substantially similar to things which did exist before, created for a purpose different than the original purpose of the thing which existed before."

    I don't mind a bit of typing to convey my thoughts more clearly, but that sort of thing would make my long winded posts even more unbearable.

  2. Re:All devices require passcode to upgrade? on Apple Is Said To Be Working On an iPhone Even It Can't Hack (nytimes.com) · · Score: 1

    You should have to enter the password or PIN in order to preserve the data. In fact, that's how most system recovery options I've encountered for encrypted systems work.

    You'd like to reinstall the OS? Sure, no problem, but the data will be lost. You want to keep the data that requires a password? Then you need the password.

  3. Re:Is this treason? on Apple Is Said To Be Working On an iPhone Even It Can't Hack (nytimes.com) · · Score: 1

    They need software signed with Apple's private key loaded onto the phone. Leaving aside the reasons why, consider what they could do instead. They could demand Apple's source code and compiling process and Apple's private key. They could modify and compile the necessary software, sign it with Apple's key and thus access the data on the phone, all only by compelling Apple to provide the information it has.

    Would you say that Apple should fight that? Would you say that the court was acting within its legal authority if it did that instead?

  4. Re: Torn on Apple Is Said To Be Working On an iPhone Even It Can't Hack (nytimes.com) · · Score: 1, Informative

    I appreciate someone who takes the big picture view and I wish more people were. That said, there are a few points I think are worth adding.

    You can be compelled to provide a fingerprint under the current legal system in the US.
    (I looked for a better legal reference, but this is a summary http://blogs.wsj.com/digits/20...)

    Technically what you know might be called a key, but it's clearer to refer to it as a password or passcode because it is a small piece of information used to decrypt a large key. The large key is a randomly generated string of characters that is held in memory by the phone after the passcode is entered. That real key is used to decrypt the information on the device directly, while the password or passcode is used to decrypt the key. That's important because backdoors are usually considered to be ways of sharing the key with someone rather than the password and because the key is not something most software, like phone software, makes visible to the user. When you change your password or passcode, the phone doesn't get re-encrypted which would take a long time, just the key gets re-encrypted.

    It is also worth noting that the 5th amendment doesn't protect you from having to provide what you know to the government; it only protects you from self incrimination. You can be forced to testify against your desire in cases where your testimony doesn't incriminate you. This is an important distinction to make since it prevents people from testifying against friends or people who share your viewpoint when you haven't done anything wrong but might sympathize with them. (Citation: Matlock)

    If Apple had the key, they could be compelled to share it with the government. If they don't then they can't. What Apple could create is software that the phone would load without needing a password which would make the process of guessing the passcode easier and not result in a loss of the keys due to incorrect guesses. That's why Apple is focusing on not wanting to create hacking software rather than saying they refuse to provide information they already have.

    What many in politics want is for Apple to keep a copy of the actual keys for each phone they sell and turn those keys over to law enforcement. Apple doesn't want to keep the keys, let alone be required to build a system that shares them, but if Apple wins this case, you can expect that will be the next demand.

  5. Missing the point on Apple Is Said To Be Working On an iPhone Even It Can't Hack (nytimes.com) · · Score: 5, Insightful

    I RTFA this time. It, like so many other articles, missed the actual legitimate issues of the case. Every time you read an opinion that says Apple should "unlock the phone" or "decrypt the phone" misses the point that Apple must create software which doesn't exist. Whether Apple should do that or not is itself an interesting discussion, but the real issue here is whether government agencies should be able to force software companies to create hacking software, especially when the software company isn't accused of breaking any law in the case.

    I don't have any issue with the idea that a government agency should be allowed to create hacking software. I wouldn't object if the NSA had required Apple to sign a software update created by the NSA for the purpose of hacking into the phone. In fact, I think that's what the government should do. However, I'm very troubled by the fact that most people are in favor of Apple being forced to unlock a phone when that's not what is really going on.

    Compulsion of speech is an issue that has been supported in food labeling laws and denied in other cases. Creating software is fundamentally different than providing existing information. I believe creation of software is a form of speech, and I think the courts have upheld that viewpoint, so this case is really hinging on whether a judge under "All Writs Act" has the authority to force someone, not even someone accused of a crime, to create something new.

    I think it is important in this discussion to understand how the software the government wants Apple to create would work. Apple updates happen automatically for phones which automatically connect to a known wifi access point. Those updates don't just get pulled from Apple though, the phone creates a code which is encrypted with Apple's public key, so that only Apple with its private key can decrypt. The update is then provided to the phone, with the code provided by the phone re-encrypted so that only the phone can decrypt it, and only then is the update, signed with Apple's key, loaded into the phone.

    If the government wanted to, they could require Apple to provide source code to their existing software and the government could modify it and either ask Apple to sign it or require Apple to provide its private key. However, by requiring Apple to create the hacking software, they're introducing an idea that software companies cannot refuse to create software when required by the government. Once someone does something for a government official, often that's taken as a reason that the government can require them to do it again. (See In re Boucher - case citation: No. 2:06-mj-91, 2009 WL 424718)

    Apple had asked that the request be sealed, thus kept secret and not able to be used as precedent but the Department of Justice refused and thus made their request both public and able to be used as precedent. If they succeed in forcing Apple to create hacking software they get access to the information on this phone, but more importantly, the hundreds or thousands of phones they'd like to access are much more likely to be accessed by forcing Apple to repeat the process over and over. Apple doesn't want to be in the business of creating hacking software for the government. Much of law enforcement would consider this a victory, but I think the FBI is hoping to lose this case as a general might be willing to lose a battle, in order to win the bigger war. By losing the case, the FBI gains public support that they can use to pressure Congress to create laws forcing software companies to build in backdoors. Such a thing could be done securely, so that it wouldn't open the software to hackers. I have zero faith that Congress or software companies actually would do it in a secure way, but that's not the reason I am against the backdoor. Encryption is math and the math is known and freely available to anyone who searches for it. The ability to create securely encrypted software is something that can't be made to disappear, but it can be made illegal to do in the US. By d

  6. ... how is unlocking a phone any different than our existing warrant-based searches?

    There is no difference, which is why Apple has already offered to provide evidence, provide experts and information. However, that's not what the DoJ is requiring.

    Compulsion of speech. The DoJ is requiring that Apple create software, which they do not have, in order to facilitate a cracking attempt by the DoJ. Creating code is speech, and compulsion of speech is something that has both been upheld and defeated in the courts.

    I don't believe it to be a simple black and white issue. To do so is to completely miss many of the nuances involved.

    The nuance in this case is that the government itself (DoJ vs NSA) is divided into two factions: One believes that more government control (the DoJ supporting forced creation of software to weaken encryption) can result in a better life for citizens of the US and the other that believes that more government interference in free commerce (the NSA opposing forced weakened security) hurts the citizens of the US in the long run.

    This case with Apple pits the group supporting curtailing the freedom of capitalism for the sake of security against the group who believes the strengths of American capitalism outweigh its weaknesses. Apple is just a pawn in the game, and one with deep enough pockets to make the game a fair playing field.

    Personally, I feel that freedom is more valuable than security, an opinion I share with the founders of the country I'm proud to call my home. However, that opinion is not prevalent, but I believe it is only because the public is not inclined toward introspection and research. A representative democracy is designed to solve that problem; the representatives are obligated to do the research and deep thinking that the public doesn't. Unfortunately that often is translated into vote seeking for the sake of power, so it's often not a reliable system.

    This case was chosen, first by the DoJ but also accepted by the NSA, to test which side represents the US that we live in today. The importance of this case is difficult, if not impossible, to overstate.

  7. Re:Hoisted by their own Petard on Where Do the Presidential Candidates Stand On Encryption? (windowsitpro.com) · · Score: 1

    Did you not notice how the story has changed from "we can't do it" to "we shouldn't do it?"

    If this were a current iPhone it would have the secure enclave hardware which theoretically does make it "secure from the get-go." Apple was pushed by public opinion backlash as a result of the Snowden revelations and a long line of law enforcement requests to decrypt phones to design something that they literally couldn't decrypt. Modern iPhones are designed so that Apple should not be able to decrypt them. However, this is an iPhone 5c, which doesn't have the enclave hardware, and thus can be coerced into taking a software update signed by Apple which disables the software protections against brute force attacks.

    That said there are three other stories.

    Story one: What precedent does this set?
    Government can compel companies to create things they don't want to create for use against the privacy of the individual. Who knows, with secret courts and orders, you may already have a phone that the local corrupt sheriff can spy on.

    What if Apple does give in?
    Government can compel companies to create software updates for phones that were purchased under the agreement they were supposed to be secure even from the manufacturer. Secretly of course. This one is only public because Apple can fight it, but next time it won't be.

    What about external encryption options?
    You know there are options to do things to your phone outside of what Apple plans of course. Would this mean that anyone wanting a secure phone would need to get a phone from overseas? I can see why Apple would want to avoid that. Ideally, if Apple has to cave, they'll build phones that can be secured after purchase.

    Whatever governments do in order to spy acts as inoculation against spying in the future. The good news is that whatever happens, it makes more people aware of the problem with governments having too much power to spy on you.

  8. Re:What if Apple cannot access the info? on Judge Tells Apple To Help FBI Access San Bernardino Shooters' iPhone (engadget.com) · · Score: 1

    Did you come here for an argument? You must have come here for an argument, else why reply to me (notice the nick?) in that way. Fine.

    "Physical access will not give access to encrypted information" sounds like "takes a key that is randomly generated and unguessable" but it's not. Poor encryption doesn't protect data. Flawed encryption doesn't protect data. Physical access to a system where the data is encrypted but the key is stored unencrypted in the physical medium doesn't protect the data. In this case, the key is encrypted and the data is encrypted with the key, but the key isn't encrypted with an unguessable password. It is totally guessable. Therefore the key can be decrypted with a standard brute force guessing process. There's no reasonable argument against that obvious truth.

    So, given that the password can be decrypted with physical access, there is nothing but hardware protection to prevent the key from being decrypted by guessing the password. Nothing except the design and manufacturing technique prevents the application of a standard brute force guessing process. So, yes, absolutely, the physical access can be combined with sufficient knowledge of the hardware and disassembly techniques to guarantee the data can be decrypted.

    The question isn't whether the key can be retrieved, it can be. The question isn't whether the password can be guessed, it can be. The only question is whether the built in hardware protections are sufficient, in this case, to prevent successful modification.

    Did Apple put forth three gazillion dollars worth of effort into making the hardware too difficult to modify? Doubtful. But maybe, just barely maybe, they put enough work into designing and manufacturing the hardware to prevent this court or these experts from being able to do it.

  9. Re:What if Apple cannot access the info? on Judge Tells Apple To Help FBI Access San Bernardino Shooters' iPhone (engadget.com) · · Score: 3, Insightful

    The phone is encrypted so that it takes a key that is randomly generated and unguessable, however the password that encrypts the key is not unguessable. Running a password guessing program against the key would work, except that the hardware limits how many guesses can be tried over a period of time. What you could do is modify the hardware to allow guessing the password without the limits, but modifying the hardware is extremely difficult. I know that many years ago when I worked with machines intended to prevent tampering, they had light sensitive components that would wipe the key if exposed. There are doubtless other similar failsafes built into the hardware to prevent attempts to modify the components. For example, they might have a tiny drop of mercury enclosed in a thin plastic bubble surrounded by a mesh of wires that would cause a short which would wipe the keys if the equipment is crushed or sawed. So if those two things were known, working on the device without light while frozen might allow microscopic layers to be removed until the bubble and wire mesh can be revealed. If I were trying to design a keystore, that's the sort of thing I'd do and I'd know it is theoretically possible, but practically impossible to modify the hardware without triggering a key wipe. I'm just theorizing about how Apple might approach the tech, but I'm confident that it's a fair analogy.

    Apple can legitimately be compelled to provide documentation and expert consultants with the explanations on what can go wrong with each step with an encryption key recovery technique. It's likely that disassembling the hardware in the right ways and modifying it exactly right with just the right tools could give a modification allowing an attempt to brute force the password to retrieve the key. It is also likely that trying it could permanently destroy the key. If you have the steps and tools and information along with clear descriptions of what is likely to permanently destroy the keys and turn that over to the court, they'll likely screw it up, but Apple is off the hook.

    I assume that physical access is sufficient to break into any system humans have the ability to use normally, particularly with a password. That doesn't mean I think it can be done with reasonable tools or normal methods. In fact, I expect it is very, very hard. Honestly though, it's all I really ask of any company I trust.

  10. Open source SCO on SCO vs. IBM Battle Over Linux May Finally Be Over (networkworld.com) · · Score: 3, Interesting

    Have you ever used SCO?

    I have. It wasn't a bad system. I didn't like it as well as Solaris, but it was stable and reliable and pretty well documented. For a long time, they had a good product and supported it pretty well.

    Yeah, the company sucked, but all that work, good programming, is now going to waste. What I'd like to see is IBM take ownership and open source all of it, have it relicensed under GPL and MIT licenses. Ultimately, I'd like to see a lot of that code legally incorporated into Linux.

    Why? Just to make the people responsible for the fiasco, the lawyers and executives of the company SCO, weep.

  11. Re:You must be new here on Ask Slashdot: How Can We Improve Slashdot? · · Score: 1

    Damn right.

    Actually I use this account to pick the stupid fights I can't resist jumping into. Sometimes I know I need to say something offensive or argumentative to get both sides of an issue on the table for discussion. It's often something I don't want associated with my regular account... thus the nick.

    Frankly it's fun to present the contrarian opinion. Sometimes it's even the right thing to do and karma be damned.

  12. Makes no difference on US Gov't Confirms Clinton Emails Contained Top-Secret Information (thenextweb.com) · · Score: 2

    The people voting for her don't care.

    The problem with democracy is that you can't keep people from voting badly.

  13. I can't be the only one on Pakistan Orders ISPs To Block Over 400k Porn Websites (independent.co.uk) · · Score: 1

    Surely I'm not uncommon in recognizing this as a profit opportunity.

    I know people are up in arms over censorship, but really all this will do is strengthen the options for bypassing it. Freedom needs exercise too. Somebody will set up bypass tools and make a bundle of money and at the same time make it that much harder for the next round of censorship attempts.

  14. Re:Showdown coming in China on Apple Court Testimony Reveals Why It Refuses To Unlock iPhones For Police (dailydot.com) · · Score: 1

    Interesting indeed. I'm guessing Apple will put "Government X Approved" stickers on those phones they build dual access into and people buying copy-cat stickers and phones from other countries will become big business.

  15. Mechanics of "why not" here: http://blog.cryptographyengine...

    Math of "why not" good introduction here: http://www.eetimes.com/documen...

  16. Re:catch it in the middle, then, coppers on Apple Court Testimony Reveals Why It Refuses To Unlock iPhones For Police (dailydot.com) · · Score: 5, Insightful

    spend a week cracking the data

    How do you propose to do that?

    If you assume:

            Every person on the planet owns 10 computers.
            There are 7 billion people on the planet.
            Each of these computers can test 1 billion key combinations per second.
            On average, you can crack the key after testing 50% of the possibilities.

    Then the earth's population can crack one encryption key in 77,000,000,000,000,000,000,000,000 years

    http://www.eetimes.com/documen...

    Anyone who thinks AES 256 (what iPhones are encrypted with) can be cracked by any computer doesn't understand the math.

    That's not to say there aren't potential successful ways to get the information besides brute forcing. I just get a little chuckle out of every time somebody suggests governments have magic computers. Yes, I'm aware of quantum computing and exactly how far along the tech has come and no, it isn't something that anybody has yet. The magic quantum encryption cracking system is still *at least* a decade away. (It may never happen, and if I were guessing, I'd put it at closer to a couple centuries away, but even assuming impossible breakthroughs have already been made, a decade is unreasonably optimistic.)

  17. Re:backdoors everywhere on Clinton Hints At Tech Industry Compromise Over Encryption (huffingtonpost.co.uk) · · Score: 1

    No. https://www.eff.org/cases/us-v...

    "The 11th U.S. Circuit Court of Appeals found a Florida man’s constitutional rights were violated when he was imprisoned for refusing to decrypt data on several devices. This was the first time an appellate court has ruled the 5th Amendment protects forced decryption"

  18. Re:uhm... on NY Bill Would Force Decryption of Smartphones On Demand (onthewire.io) · · Score: 1

    Okay, so I'm not having to support the idea, I'll bite.

    Reason: "... it would only be safe until the 1st disgruntled employee at a large commercial firm"
    Counter: Each phone is encrypted at production with a unique key, so in order for someone to compromise any significant number of phones they would need access to many keys or all keys in order to target some specific phone later. Keys would not be stored whole, but divided into parts with those parts accessible to different groups. When law enforcement requires recall of a specific key, the phone id would be used to get each group to divulge only their own part of that one key.

    "Other reasons"
    Counter: similar simple logical solutions

    Keeping an encrypted system from being decrypted by one person is something that has been done pretty much as long as there has been encryption. Setting up encrypted systems that can be decrypted by a second party without the authorization of the first party is also a common thing.

  19. Re:uhm... on NY Bill Would Force Decryption of Smartphones On Demand (onthewire.io) · · Score: 1

    Right. And?

    Are you trying to convince ME it's a bad idea?! Of course it's a bad idea! Not just for the reasons you mentioned, but for dozens of others I could think of and probably a hundred others even I don't have the imagination to think of. Are you still trying to argue feasibility or is it philosophy? Do you want me to try to think of ways to improve a bad idea or do you want me to admit it's a bad idea? We can agree on the latter and I'm not interested in the former.

  20. Re:uhm... on NY Bill Would Force Decryption of Smartphones On Demand (onthewire.io) · · Score: 1

    It is possible for phones to be secure and decryptable. The way phones are encrypted now is by a passphrase used to decrypt a real key. When you change the passphrase, you only re-encrypt the real key, not re-encrypt the whole drive.

    Encrypting that same real key with a second passphrase (retained by carrier or OS provider) would be trivial, meet the requirements and not rely on obscurity unless the OS or carrier were so stupid as to re-use passphrases rather than assign unique randomly generated keys per phone.

    You'd say that giving your trust to the OS, carrier or government to keep their key safe is unreasonable, but they'd disagree.

    I wish people would stop making the argument that "it's not possible" when it's simple and possible and obvious. Your argument should be that "it's not right" and "it's unconstitutional" because those arguments don't have a simple, possible and obvious counter argument.
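
The key hierarchy described in comment 4 and in the first two paragraphs of comment 20, as an added example that is not part of the original comments and is not Apple's or any vendor's code: a random data key encrypts the bulk data once, and each secret only wraps that data key, so changing a passcode or adding a second slot never touches the ciphertext. The `Volume` class, slot names and sample secrets are hypothetical and constructed, and an HMAC-SHA256 keystream with encrypt-then-MAC stands in for AES so the sketch runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (stand-in for AES-CTR).
    blocks = (_prf(enc_key, nonce + i.to_bytes(4, "big"))
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + body + _prf(mac_key, nonce + body)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key raises ValueError."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + body)):
        raise ValueError("wrong secret or corrupted blob")
    stream = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


class Volume:
    """Hypothetical encrypted store: one data key, any number of key slots."""

    def __init__(self, passcode: str, data: bytes):
        data_key = os.urandom(32)               # the "real key", never shown to the user
        self.ciphertext = seal(data_key, data)  # bulk data is encrypted exactly once
        self.slots = {}                         # slot name -> (salt, wrapped data key)
        self._wrap("user", passcode, data_key)

    def _kek(self, secret: str, salt: bytes) -> bytes:
        # Key-encryption key derived from the (possibly short) secret.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)

    def _wrap(self, slot: str, secret: str, data_key: bytes) -> None:
        salt = os.urandom(16)
        self.slots[slot] = (salt, seal(self._kek(secret, salt), data_key))

    def _unwrap(self, slot: str, secret: str) -> bytes:
        salt, wrapped = self.slots[slot]
        return unseal(self._kek(secret, salt), wrapped)

    def read(self, slot: str, secret: str) -> bytes:
        return unseal(self._unwrap(slot, secret), self.ciphertext)

    def change_secret(self, slot: str, old: str, new: str) -> None:
        # Only the 32-byte data key is re-wrapped; the ciphertext is untouched.
        self._wrap(slot, new, self._unwrap(slot, old))

    def add_slot(self, auth_slot: str, auth_secret: str,
                 new_slot: str, new_secret: str) -> None:
        # A second wrapping of the same data key: an independent path to the data.
        self._wrap(new_slot, new_secret, self._unwrap(auth_slot, auth_secret))


if __name__ == "__main__":
    vol = Volume("1234", b"constructed sample data")
    before = vol.ciphertext
    vol.change_secret("user", "1234", "a longer passphrase")
    print("ciphertext unchanged after passcode change:", vol.ciphertext == before)
    vol.add_slot("user", "a longer passphrase", "second", "constructed-per-device-secret")
    print(vol.read("second", "constructed-per-device-secret"))
```

Every slot unwraps the same data key, so the protection of the data is only as strong as the weakest secret in any slot and the custody of wherever that secret is held.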

  21. Re: no, just no on NY Bill Would Force Decryption of Smartphones On Demand (onthewire.io) · · Score: 1

    When the legislators are so removed from reality, it's just a symptom of public that is exquisitely apathetic.

    FTFY

  22. Re:CLEARLY a First Amendment issue on Kentucky Bill: Wait an Hour Before Posting Injuries To Social Media (kentucky.com) · · Score: 1

    Have you read the constitution and bill of rights? There is a good bit there that has been repealed. There is some that is just flat out ignored because the courts have decided to "interpret" it in ways that were obviously never intended.

    I'm still coming to grips with the realization that the constitution is dead.

    We elect people who don't follow the law. They appoint judges that don't follow the law. We elect judges and re-elect congressmen who decide the law doesn't mean what it clearly says. They could change it, but that would require getting people to agree and it is far easier to just declare that the law means I can do what I want.

    If they pass this; of course it becomes law. It may be a law in conflict with the Constitution that gives the law its authority, but that doesn't mean it won't be enforced. It doesn't mean people won't have to follow it. It's the law because the government says it is the law and they pay the guys with uniforms and guns. In the case of legal vs illegal, law vs non-law, and government vs impotent idealists; it always comes down to "might makes right."

    And we elect the government. I'm not sure which is the greater tragedy.

  23. It was starving, had morbillivirus and rubella on New Jersey Rejects Request For Dolphin Necropsy Results, Cites "Medical Privacy" (muckrock.com) · · Score: 2

    Schoelkopf [founding director of the Marine Mammal Stranding Center] says his organization euthanized the dolphin and paid the state of New Jersey to perform the necropsy. The results of the necropsy were released to his organization, which expressly asked the state to not publicly reveal its findings. He said because of the controversial nature of dolphin euthanasia, the organization wanted to keep the findings private.

    http://motherboard.vice.com/re...

    That doesn't excuse the idiots responding for the state, but does clear up the dolphin question.

  24. Re:LFTR on Why James Hansen Is Wrong About Nuclear Power (thinkprogress.org) · · Score: 2

    Forty years of mainstream scientific study is a lot to catch up with. Thorium has good science behind it, strong theory and some experimentation, but catching up will take time. Nonetheless, if technology keeps the pace it's currently on, we can expect Thorium based reactors to make a commercial showing in a decade or two. (Based on a non-expert but avid reader's perspective.)

    I expect fusion to make a commercial showing eventually as well. For that though, despite all the interest and scientific focus, I expect we're looking at more like a century. I'm optimistic that humanity will make it there, just not optimistic we'll make it in a short period. For humanity's sake, I hope we can plan for that period anyway.

    I'm somewhat more optimistic about orbital solar power. The tech isn't beyond current means, even if the investment and politics aren't there yet. I'm really hoping to see some progress on that during my lifetime. Between wind, solar, hydro, geothermal, improved and smaller fission reactors, I expect we'll see much closer to carbon neutrality in my lifetime as well. I hope that I'll live to see the world where my potential grandchildren can focus more on fixing the problems we've left than cutting down on obsolete energy production methods.

    In a couple centuries, if we can manage to keep our other problems from eliminating humanity and its potential, I hope we'll have von Neumann machines building orbital solar collectors and living habitats for other planets. I'd love to believe that we'll be able to get our eggs out of this single basket, however fond of it I may be.

  25. Re:Ksplice really is not new on Oracle Brings Real-Time Kernel Patching To Oracle Enterprise Linux · · Score: 4, Insightful

    Or, as usual, do the same thing with CentOS for free.

    https://wiki.centos.org/HowTos...

    I don't get the animosity towards RH. I haven't paid for their support in years and years, but when I did, it was so I could call somebody when something went wrong and get reliable help quickly.

    I only ever had to call a couple times, but the support I got was better than I ever received from most companies.

    Oracle? Oracle is on the opposite end of that list. I won't touch Oracle ever again if I can help it. I am aware of the things Oracle brings to the table but it's not worth the pain.