from the prosecutors-want-access-to-everything dept.
The New York Times features a joint (and very one sided) opinion piece by prosecutors from Manhattan, Paris, London and Spain, in which they decry the default use by Apple and Google of full disk encryption in their latest smartphone OSes. They talk about the murder scene of a father of six, where an iPhone 6 and a Samsung Galaxy S6 Edge were found.
An Illinois state judge issued a warrant ordering Apple and Google to unlock the phones and share with authorities any data therein that could potentially solve the murder. Apple and Google replied, in essence, that they could not — because they did not know the user's passcode. The homicide remains unsolved. The killer remains at large.
Except, there is no proof that having such a backdoor would conclusively allow them to solve the case and wouldn't require actual police work.
(Score: 3, Insightful) by Anonymous Coward on Wednesday August 12 2015, @04:15AM
I write good thing about authority. I good guy. You appoint me political posting. You pay me good I agree with every thing.
(Score: 1) by Ethanol-fueled on Wednesday August 12 2015, @05:22AM
Too soon, Xia Hong. Hang out in your Orange County beach house and wait a few more presidential elections and try again when the Democrats win.
(Score: 2) by KilroySmith on Wednesday August 12 2015, @04:18AM
Oh, my god.
Have they considered hiring someone who's capable of downloading a password cracker from the internet, looking at the Android code to see how the decryption key is generated from the passcode, and start brute forcing passcodes from the internet databases of most common passwords?
Is it really much more difficult than that?
(Score: 2, Funny) by Anonymous Coward on Wednesday August 12 2015, @04:25AM
They could even outsource the job to Hacking Team
(Score: 0, Troll) by Anonymous Coward on Wednesday August 12 2015, @04:44AM
Hey, maybe America is improving after all. Still evil, but the idiots in charge are so incredibly stupid they they've completely forgotten how to do evil things, like waterboard random suspects until someone confesses to the murder.
(Score: 3, Interesting) by TheLink on Wednesday August 12 2015, @06:27AM
Don't they have an upgraded version of this?
http://www.forbes.com/sites/andygreenberg/2012/03/27/heres-how-law-enforcement-cracks-your-iphones-security-code-video/ [forbes.com]
I'm pretty sure most phone users don't use strong passphrases on their phones and most use something that can be brute-forced in a few minutes, at most a few hours. Think about how long someone is willing to take to unlock their phone and how reliable most touch phone data entry methods are. Good luck entering a 50 character passphrase correctly into your phone in under a minute.
(Score: 4, Informative) by quacking duck on Wednesday August 12 2015, @01:55PM
Any phone OS worth their salt has the option to wipe the phone after a certain number of failed attempts, and if not will still introduce longer lockout delays with every failed passcode attempt. Not long ago a flaw was discovered on iOS where you could get around this by killing power to it before it stored the number of failed attempts, but it's been long enough Apple should have fixed this already.
(Score: 5, Informative) by KilroySmith on Wednesday August 12 2015, @02:36PM
And any phone manufacturer worth their salt can have a technician desolder the FLASH from the phone motherboard, and attach it to a non-phone microcontroller as a peripheral, and run the brute force attacks on that. Two weeks at the outside if you have to have a PCB designed/built. No timeouts, no retry limits.
(Score: 2) by FatPhil on Wednesday August 12 2015, @07:08PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by kurenai.tsubasa on Wednesday August 12 2015, @02:17PM
I have been wondering this as well. If whatever's on the cell phone is so absolutely crucial to the investigation, why don't they buy some CPU time from, say, the NSA and spin up a cluster of a few thousand John the Ripper [wikipedia.org] nodes?
Of course, doing that, obtaining the password in a few days or so (assuming it's not “password” or one of the children's names or birthdates), and bringing a murderer to justice wouldn't move forward the narrative that only terrorists need strong encryption!
Strong encryption is magick! Dark magick of the House of Slythryn! Voldem^#24j57T89$23+++NO CARRIER
(Score: 5, Interesting) by Ethanol-fueled on Wednesday August 12 2015, @04:53AM
Why would a killer toss his phone in the crime scene? The answer is that nobody did and only thugs and dope dealers carry more than one phone.
In Chicago. Since when did anybody give a fuck about a murder in Chicago?
So not only are they trying to ban (end-to-end)encryption, but they're trying to ride the coattails of #Blacklivesmatter and so disagreeing with the prosecutors would be racist.
Those desperate prosecutors are really scraping the bottom of the barrel here in trying to bait the Blacks into being anti-encryption. Couldn't they at least make up some bullshit about some high-powered mafia boss or terrorists or somethin'?
(Score: 0) by Anonymous Coward on Wednesday August 12 2015, @04:59AM
I haven't read beyond the summary, but I inferred the encrypted phones belonged to the victim, and knowledge of the passcodes died with him.
(Score: -1, Flamebait) by Anonymous Coward on Wednesday August 12 2015, @05:39AM
>In Chicago
It was a nigger.
(Score: 0) by Anonymous Coward on Wednesday August 12 2015, @05:54AM
Evanston is not in Chicago, it's a suburb, and the article is wrong as well, as Evanston is on the northern border of the city, not 10 miles north of the city. Chicago is bigger than the article says it is and yet smaller than you want it to be. Good work. You're all geographically ignorant.
(Score: 0, Offtopic) by Ethanol-fueled on Wednesday August 12 2015, @06:05AM
Somebody once used "its" instead of "it's" on an online forum somewhere. Nobody believed that motherfucker because he was too stupid to know English.
(Score: 0) by Anonymous Coward on Wednesday August 12 2015, @06:41AM
Tits or it didn't happen.
(Score: 2, Informative) by Ethanol-fueled on Wednesday August 12 2015, @07:05AM
Mexican boobies don't taste like chocolate milk. [google.com]
They taste like nipple.
(Score: 2) by Daiv on Wednesday August 12 2015, @06:20PM
Yeah, well Michigan isn't Detroit, but that doesn't stop people from that mistake either.
Ignore the little flaws, see the message.
(Score: 2) by FatPhil on Wednesday August 12 2015, @11:57PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 1, Redundant) by wonkey_monkey on Wednesday August 12 2015, @06:43AM
Why would a killer toss his phone in the crime scene?
Ah, thank you Sherlock Holmes. Obviously the phone couldn't possibly hold any other clues. Oh, and don't bother dusting for fingerprints, the killer won't have left any so any others will be useless.
systemd is Roko's Basilisk
(Score: 0) by Anonymous Coward on Wednesday August 12 2015, @08:33PM
So they need encryption backdoors to dust fingerprints?
(Score: 2, Interesting) by brocksampson on Wednesday August 12 2015, @10:30AM
How do you know when you are making a baseless argument? When you use scary-sounding numbers instead of statistics followed by the implication of a hyperbolic tragedy. They managed to do both in the same paragraph; 74 iPhones!!! That sounds like a big number!!! And THINK OF THE CHILDREN!!! Oh, why won't someone think of the children!
(Score: 0) by Anonymous Coward on Thursday August 13 2015, @03:43PM
Maybe the killer was also a thief and those phones were stolen... thus useless to solving the case.
(Score: 5, Insightful) by Anal Pumpernickel on Wednesday August 12 2015, @05:13AM
Except, there is no proof that having such a backdoor would conclusively allow them to solve the case and wouldn't require actual police work.
That's a lesser reason to object to this. The real problem is that the idea that citizens should (or be forced to) live their lives in such a way as to make the jobs of people in the government easier is an inherently authoritarian notion, and a laughable one in a country that is supposed to be 'the land of the free and the home of the brave'. It should be the other way around: The government should fear The People.
Banning strong encryption would be completely unconstitutional, as it would conflict with not only the first and fourth amendments, but the government simply does not have authority to do so even without taking those into account. A warrant only allows the government to make the attempt to get what they want; it is not mandatory that they succeed. They cannot force everyone to communicate in such a way that the government can always break the encryption just so they can supposedly solve crimes. It is nonsense to say that because they have a warrant, they should be guaranteed success. That is simply not the purpose of the fourth amendment or the constitution, and it violates the principles to which this country is supposed to aspire.
If I had to choose between more crime or more privacy and freedom, I would choose more crime. Freedom can carry many risks, and I would rather take those risks than live like a coward. But I don't believe there is such a dichotomy in most cases.
(Score: 1, Funny) by Anonymous Coward on Wednesday August 12 2015, @05:19AM
The state should murder such people!
(Score: 1, Insightful) by Anonymous Coward on Wednesday August 12 2015, @05:27AM
There are too many people nowadays. Please eliminate all of them.
(Score: 3, Interesting) by Anonymous Coward on Wednesday August 12 2015, @05:38AM
They love to trot out pedophiles and murderers in support of ridiculous policies. But I'm sure they would also use their "lawful warrants" to crack the phones of protesters who practice civil disobedience. Thankfully, some chickens are coming home to roost.
(Score: 2) by mtrycz on Wednesday August 12 2015, @12:16PM
You are several years late, but yes, that's the idea.
In capitalist America, ads view YOU!
(Score: 2) by aristarchus on Wednesday August 12 2015, @05:47AM
If you say something, . . . no, that's not it. If you smell something, yeah, that's it, say something. But since we want law enforcement to have tips given to them because they are no longer capable of basic investigative operations, it should be, "If you say something, see something." So I guess they really need to know if you say something.
(Score: 4, Interesting) by jmorris on Wednesday August 12 2015, @06:26AM
Be careful what you wish for.... you might get it good and hard up the pooper. If they can really make a phone that can't be cracked then it is, pretty much by definition, equally capable of being unrootable and unjailbreakable too.
And does anyone really think Apple doesn't have a way to force an FOTA without user intervention? And if they can, then yes they could craft an update to null out the lock code and have that one handset be given that update when it checks in. Assuming of course that data is enabled, updates via data are enabled, Wifi is enabled and they know an AP it would automatically connect to, etc, etc.
Most phones are anything but secure though, even if they are locked. So some beefing up of security is probably a good thing. I'm still using a Tegra3 based LG Optimus 4X. Utterly insecure. Utterly.
Entryway #1 is where it gets rooted; the stock recovery is 'secured' in that it is RSA signed and and unless you have unlocked the bootloader it is proof from tampering. But you don't need to tamper. The damned thing will take a sideloaded update signed with the Android SDK TEST KEY. Game over. Yea it made getting root easy peasy but ANYBODY can read anything from the phone if they can send it a file signed with a widely published key and have it run as root.
Entryway #2 is less of a bungle but totally unpatchable. They let their blob.bin file escape and if you have looked at a Tegra you know that means game over. NVidia has a ROM in the die itself with a recovery/initial load program and all turning on the AES encyption means is you need that encrypted blob to get back in and you can read all of the partitions off the flash. Yes the bootloader is still encrypted but you can read out all of the other data. While it only recently leaked out to xda-developers raise your hand if you think law enforcement hasn't had that file for years.
People like us prevailed on LG to unlock the bootloader and they added it. But unless you have already rooted you have to do it their way and it involves a wipe so that isn't a new security flaw. So good on them.
(Score: 1, Informative) by Anonymous Coward on Wednesday August 12 2015, @06:31AM
If they can really make a phone that can't be cracked then it is, pretty much by definition, equally capable of being unrootable and unjailbreakable too.
What? The point is to put all the power in the hands of the user. That includes Free Software, or else it can't truly be trusted.
(Score: 2, Insightful) by Anonymous Coward on Wednesday August 12 2015, @07:12AM
If the manufacturer prevents you, who have paid them money for a device, from rooting/jailbreaking it, then you have paid good money for a device you are at most renting. Maybe that's all right, but you need to keep that in mind. The manufacturer ought to provide you with any and all encryption keys required to root the device should you choose to do so, perhaps with the usual caveats about warranties. Rooting should never have to involve the exploitation of a security flaw in the device!
(Score: 5, Insightful) by mendax on Wednesday August 12 2015, @07:05AM
The bullshit spewed by bastards like Cyrus Vance, Jr., et al. makes my blood boil.
Marginal benefits? The ability to protect oneself from the actions of a government that has been shown time and again to willfully, unlawfully, and with no regard for the civil rights or privacy of the People it is supposed to be protecting and serving I find to be of great benefit.
The government wants us to force us to reveal to it the encryption keys we use to protect our data, to trust it to keep it safe from others,and we are supposed to believe that it won't misuse that trust or not screw up and give all the keys to the Chinese or the Russians? The government has amply demonstrated that it cannot be trusted. Mr. Vance, et al. just will never get it. The revelations thanks to the bravery of Edward Snowden and others who have and not yet been revealed indicate that the U.S. government has permanently forfeited any legitimacy with regard to this issue.
It's really quite a simple choice: Life, Death, or Los Angeles.
(Score: 5, Insightful) by maxwell demon on Wednesday August 12 2015, @08:29AM
In other news, if the authorities would have a complete record of where everyone was and what they did at any instant in time, then there would never be a question who did it, at we could just look it up in the database. Does that justify the total surveillance state, with every corner of the world (including the private corners) being covered by cameras and microphones?
If your answer if no, then you have just admitted that being able to solve crimes is not the highest value, and therefore it is not sufficient as argument that a fundamental right needs to be restricted.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 4, Insightful) by doublerot13 on Wednesday August 12 2015, @12:16PM
The only way I can protect you is if you give me complete power of you.
(Score: 3, Informative) by Frost on Wednesday August 12 2015, @04:49PM
Prosecutors are exactly the wrong people to ask about legal policy. Their only priority is to maximize successful convictions. They don't give a damn about society or justice.
(Score: 2) by mendax on Wednesday August 12 2015, @09:34PM
El Reg published a review [theregister.co.uk] of sorts of this op-ed. It's worth reading.
It's really quite a simple choice: Life, Death, or Los Angeles.
(Score: 0) by Anonymous Coward on Thursday August 13 2015, @09:10PM
Instead of a warrant asking Apple to unlock an iPhone, couldn't they ask for a warrant for Apple to authorize a new iPhone for the suspect's Apple ID? (An Apple ID isn't exactly secret---a little traditional police work, possibly with assistance from Apple, could uncover that.) With a password reset from Apple, that would get them everything from that phone that is backed up to Apple's iCloud. (This seems to have been the technique used in that celebrity nude-selfie hack a while back---and they didn't even need a warrant to make it work!)
For Android, if they know the suspect's gmail account associated with that phone, they should be able to do something similar with Google's cooperation.
I realize that a savvy user might have turned off cloud backups, but how many people think to do that? It seems as if this would be a good Plan B for the police to pursue.