
posted by cmn32480 on Wednesday February 17 2016, @11:29AM
from the well-this-is-a-bit-scary dept.

Judge Orders Apple to Unlock iPhone Belonging to San Bernardino Shooter

Apple has been ordered to assist in the unlocking of an iPhone belonging to one of the San Bernardino shooters. This may require updating the firmware to bypass restrictions on PIN unlock attempts:

Apple must assist the FBI in unlocking the passcode-protected encrypted iPhone belonging to one of the San Bernardino shooters in California. US magistrate Sheri Pym says Cupertino must supply software that prevents the phone from automatically annihilating its user data when too many password attempts have been made.

The smartphone belonged to Syed Farook, who with his wife Tashfeen Malik shot and killed 14 coworkers on December 2. The couple died in a gun battle with police soon after. Cops have been unable to access Syed's iPhone 5C because they do not know the correct PIN, and will now gain the assistance of Apple, as ordered by Judge Pym [PDF] on Tuesday.

iOS 8 and above encrypts data on devices, requiring a four to six-digit PIN to unlock. After the first few wrong guesses, iOS waits a few minutes between accepting further PIN entry attempts, escalating to an hour's delay after the ninth failed login.

[...] Judge Pym wants Apple to come up with some magic software – perhaps a signed firmware update or something else loaded during boot-up – that will allow the FBI to safely brute-force the PIN entry without the device self-destructing. This code must only work on Farook's phone, identified by its serial numbers, and no other handset. The code must only be run on government or Apple property, and must not slow down the brute-forcing process.

Apple has five days to appeal or demonstrate that it cannot comply with the order. It is crucial to note that the central district court of California has not instructed Apple to crack its encryption – instead it wants Apple to provide a tool to effectively bypass the unlocking mechanism. "It's technically possible for Apple to hack a device's PIN, wipe, and other functions. Question is can they be legally forced to hack," said iOS security expert Jonathan Ździarski.

Apple Ordered to Aid FBI in Unlocking Shooter's iPhone

According to this Reuters article, "A U.S. judge on Tuesday ordered Apple Inc to help the FBI break into a phone recovered from one of the San Bernardino shooters, an order that heightens a long-running dispute between tech companies and law enforcement over the limits of encryption.

Apple must provide "reasonable technical assistance" to investigators seeking to unlock the data on an iPhone 5C that had been owned by Syed Rizwan Farook, Judge Sheri Pym of U.S. District Court in Los Angeles said in a ruling."

"...Forensics expert Jonathan Zdziarski said Tuesday Apple might have to write custom code to comply with the order, presenting a novel question to the court about whether the government could order a private company to hack its own device.

Zdziarski said that because the San Bernardino shooting was being investigated as a terrorism case, investigators would be able to work with the NSA and CIA on cracking the phone. Those U.S. intelligence agencies likely could break the iPhone's encryption without Apple's involvement, he said."

Update: EFF to file an amicus brief in support of Apple's position.

Update 2: mendax writes: The New York Times has some "breaking news" which says that Apple will not comply with the judge's order. It's a good way to get in trouble with the judge but it's the right decision on Apple's part.

Previously: FBI Unable to Decrypt California Terrorists' Cell Phone



Related Stories

FBI Unable to Decrypt California Terrorists' Cell Phone 54 comments

The LA Times reports despite having a cell phone that was owned by one of the two San Bernardino terrorist attackers, the FBI has been unable to decrypt the device. The head of the FBI James B. Comey told the Senate Intelligence Committee that after more than two months FBI technicians were unable to read the data. The brand and OS of the device has not been released.



Apple Denies FBI Request to Unlock Shooter’s iPhone 26 comments

Apple Denies FBI Request to Unlock Shooter's iPhone:

Apple once again is drawing the line at breaking into a password-protected iPhone for a criminal investigation, refusing a request by the Federal Bureau of Investigation (FBI) to help unlock the iPhones of a shooter responsible for an attack in Florida.

The company late Monday said it won't help the FBI crack two iPhones belonging to Mohammed Saeed Alshamrani, a Saudi-born Air Force cadet and suspect in a shooting that killed three people in December at the Naval Air Station in Pensacola, Fla.

The decision is reminiscent of a scenario that happened during the investigation of a 2015 California shooting, and could pit federal law enforcement against Apple in court once again to argue over data privacy in the case of criminal investigations.

While Apple said it's helping in the FBI's investigation of the Pensacola shooting—refuting criticism to the contrary—the company said it won't help the FBI unlock two phones the agency said belonged to Alshamrani.

"We reject the characterization that Apple has not provided substantive assistance in the Pensacola investigation," the company said in a statement emailed to Threatpost. "Our responses to their many requests since the attack have been timely, thorough and are ongoing."

[...] The FBI sent a letter to Apple's general counsel last week asking the company to help the agency crack the iPhones, as their attempts until that point to guess the "relevant passcodes" had been unsuccessful, according to the letter, which was obtained by NBC News.

FBI vs. Apple Encryption Fight Continues 35 comments

Previously on SoylentNews: Apple Ordered by Judge to Help Decrypt San Bernadino Shooter's phone

Former NSA Director Claims Many Top Gov't Officials Side With Apple

Choice quotes from an interview with Gen. Michael Hayden (archive.is) on Wednesday:

"The issue here is end-to-end, unbreakable encryption—should American firms be allowed to create such a thing?" he told the Wall Street Journal editor John Bussey. "You've got [FBI director] Jim Comey on one side saying, I am really going to suffer if I can't read Tony Soprano's email. Or, if I've got to ask Tony for the PIN number before I get to read Tony's emails. Jim Comey makes that complaint, and I get it. That is right. There is an unarguable downside to unbreakable encryption."

"I think Jim Comey is wrong...Jim's logic is based on the belief that he remains the main body. That you should accommodate your movements to him, which is the main body. And I'm telling you, with regard to the cyber domain, he's not. You are."

"And by the way? If I were in Jim Comey's job, I'd have Jim Comey's point of view. I understand. But I've never been in Jim Comey's job...my view on encryption is the same as [former Secretary of Homeland Security] Mike Chertoff's, it's the same as [former Deputy Secretary of Defense] Bill Lynn's, and it's the same as [former NSA director] Mike McConnell, who is one of my predecessors."

It's interesting for this opinion to be coming from this source.

[Continues.]

Former FBI General Counsel Jim Baker Speaks Out in Favor of Strong Encryption 30 comments

Former FBI General Counsel Jim Baker, who was known for prosecuting the legal case against Apple to get them to unlock the San Bernardino shooter's iPhone, has published an extraordinary essay on Lawfare where he surprisingly argues rather for strong encryption without government back doors.

From Schneier on Security:

In the face of congressional inaction, and in light of the magnitude of the threat, it is time for governmental authorities -- including law enforcement -- to embrace encryption because it is one of the few mechanisms that the United States and its allies can use to more effectively protect themselves from existential cybersecurity threats, particularly from China. This is true even though encryption will impose costs on society, especially victims of other types of crime.

[...] I am unaware of a technical solution that will effectively and simultaneously reconcile all of the societal interests at stake in the encryption debate, such as public safety, cybersecurity and privacy as well as simultaneously fostering innovation and the economic competitiveness of American companies in a global marketplace.

[...] All public safety officials should think of protecting the cybersecurity of the United States as an essential part of their core mission to protect the American people and uphold the Constitution. And they should be doing so even if there will be real and painful costs associated with such a cybersecurity-forward orientation. The stakes are too high and our current cybersecurity situation too grave to adopt a different approach.

Baker joins the growing list of former US law enforcement and national security senior officials who have come out in favor of strong encryption over backdoors, such as former NSA directors Gen. Michael Hayden and V. Adm. Mike McConnell, former DHS secretary Michael Chertoff, Counter-Terrorism adviser Richard Clarke, former Secretary of Defense Ash Carter, and former deputy Secretary of Defense William Lynn.



  • (Score: 3, Interesting) by inertnet on Wednesday February 17 2016, @12:03PM

    by inertnet (4071) on Wednesday February 17 2016, @12:03PM (#305715) Journal

    I was wondering if it would be possible to simply copy the memory chips and just work on copies of the original data. Does anybody know if this is possible with iPhones?

    • (Score: 2) by wisnoskij on Wednesday February 17 2016, @12:41PM

      by wisnoskij (5149) <{jonathonwisnoski} {at} {gmail.com}> on Wednesday February 17 2016, @12:41PM (#305726)

      This. Looking into it, apparently they do not make it easy. It looks like it is an integrated chip to me (https://d3nevzfk7ii3be.cloudfront.net/igi/APJRFAcfVnCupMpb.medium), the big chip labelled SKhynix. But there must still be millions of people with either the skill to unsolder that chip and transfer it to a more usable board.

      • (Score: 4, Insightful) by BasilBrush on Wednesday February 17 2016, @01:18PM

        by BasilBrush (3994) on Wednesday February 17 2016, @01:18PM (#305738)

        And it would be as useless as transferring an encrypted disk to a different computer. You still need the key, and that is stored in the secure area of the CPU.

        --
        Hurrah! Quoting works now!
        • (Score: 0) by Anonymous Coward on Wednesday February 17 2016, @01:35PM

          by Anonymous Coward on Wednesday February 17 2016, @01:35PM (#305747)

          All the FBI is asking for is that Apple remove features in the software that frustrate brute-forcing like mandatory delays after X failed attempts and wiping the data after Y failed attempts, they are not expecting Apple to actually decrypt the data.

          • (Score: 2) by Geezer on Wednesday February 17 2016, @01:44PM

            by Geezer (511) on Wednesday February 17 2016, @01:44PM (#305754)

            To what purpose, given the encrypted data? Oh, wait, FBI has already broken Apple encryption?

            • (Score: 1, Insightful) by Anonymous Coward on Wednesday February 17 2016, @02:06PM

              by Anonymous Coward on Wednesday February 17 2016, @02:06PM (#305768)

              > To what purpose, given the encrypted data? Oh, wait, FBI has already broken Apple encryption?

              They don't need to - if there's no restriction on the number of attempts they just start guessing at the PIN - Given a 4 digit pin at 5 seconds per attempt and you can try every possible unlock combination in just under 14 hours; (10000*5)/(60*60) = 13.889.

              Even for 6 digits it's up to 1388 hours or about 58 days worst case. All very crackable if the phone continues to let you retry.

              • (Score: 0) by Anonymous Coward on Wednesday February 17 2016, @02:16PM

                by Anonymous Coward on Wednesday February 17 2016, @02:16PM (#305774)

                And if you can copy the data straight off the chips that means you can parallelize the cracking across thousands of systems. Even farm it out to the cloud and spend $100K to get it done in a day.

                • (Score: 3, Informative) by gnuman on Wednesday February 17 2016, @03:45PM

                  by gnuman (5013) on Wednesday February 17 2016, @03:45PM (#305820)

                  > Even farm it out to the cloud and spend $100K to get it done in a day.

                  Is this idiocracy? What $100k? It costs nothing and could be done in less than a second to crack all passwords protected by a 6-digit code. The ONLY protection for iPhone is the self-wipe feature and inability to access the encrypted key. If you bypass it, then you can access the data.

                  If you can bypass memory protection and just copy the entire block out with an app (including key), then the entire protection is completely useless and can be cracked as if it wasn't there at all. And not just in special circumstances, but routinely and on mass scale.

                  • (Score: 0) by Anonymous Coward on Wednesday February 17 2016, @04:01PM

                    by Anonymous Coward on Wednesday February 17 2016, @04:01PM (#305825)

                    > Is this idiocracy?

                    Apparently it is since you don't understand that an iphone can be protected by a passcode longer than a 6-digit PIN. [imore.com]

                    Oh wait, you were trying to insult me and not yourself! Well, I guess you fucked that up too.

                    • (Score: 2) by gnuman on Wednesday February 17 2016, @04:56PM

                      by gnuman (5013) on Wednesday February 17 2016, @04:56PM (#305842)

                      Oh, I'm sorry. But maybe you should realize that typical 12-character passwords are just as weak as 4 or 6 digit PINs, unless you put a limit on retries. So unless someone writes 20-character passphrases that are not in some rainbow table, if allowed to just dump these things out of the device. This is the Achilles Heel of all password protected crypto, be it LUKS or TrueCrypt.

                      Now, I will repeat myself. It is completely asinine to put a limit of

                      > Even farm it out to the cloud and spend $100K to get it done in a day.

                      That statement is idiocracy. You have no clue what is the complexity of the problem, yet you somehow pull this number out of your ass. And as I said, it costs *nothing* to lookup a rainbow table to even to brute force all typical passwords. As to how much it would cost to brute force this particular password given unlimited retries?? No one knows except the person that knows the password. It could be negligible or it could be completely unattainable. Saying "spend $100 and get it done in a day" is just completely ignorant.

                      • (Score: 0) by Anonymous Coward on Wednesday February 17 2016, @05:38PM

                        by Anonymous Coward on Wednesday February 17 2016, @05:38PM (#305857)

                        > Now, I will repeat myself. It is completely asinine to put a limit of

                        Never said it was a "limit" it was an example.

                        But I shouldn't be surprised that you've never heard of the principle of charity and instead decided to pick the worst possible interpretation so you could belittle another person.

                      • (Score: 2) by frojack on Wednesday February 17 2016, @08:34PM

                        by frojack (1554) on Wednesday February 17 2016, @08:34PM (#305925) Journal

                        Exactly.

                        Since whatever you guess the pin might be has to be tried EACH time on the device, the real protection is the limit and the rate.

                        How long it takes to try each pin on some remote computer doesn't matter.

                        However, if you could clone the phone's entire internal storage you could replicate that to the cloud and just try to brute force the encryption itself. You will know when you have hit THE key (as opposed to some possible key) because there will be recognizable data structures that appear on ALL iphones. When you know significant portions of what is expected, determining when you have the actual key is not that hard, and trying them all becomes a solvable task. They ought to be done in 4 or 9 years.

                        --
                        No, you are mistaken. I've always had this sig.
                        • (Score: 2) by gnuman on Thursday February 18 2016, @06:19AM

                          by gnuman (5013) on Thursday February 18 2016, @06:19AM (#306190)

                          > However, if you could clone the phone's entire internal storage you could replicate that to the cloud and just try to brute force the encryption itself

                          Well, no, actually you can't. Unless there is some unknown hidden attack on symmetric crypto, you can't just brute force your way through keys like this.

                          http://stackoverflow.com/questions/18847580/aes128-vs-aes256-using-bruteforce/28516055 [stackoverflow.com]

                          You can check 1e15 (1,000,000,000,000,000) combinations reasonably quickly. So 56-bit DES or 64-bit is completely insecure and have been for decades. I don't know what Apple is using, but it is at least 128-bit crypto, probably 256-bit. This means that if you can brute force a 56-bit key in one millisecond, it would take you longer than the age of the universe to crack 128-bit key, never mind 256-bit key.

                          The bottom line is this - crypto is either secure or insecure. Any backdoor makes crypto insecure. If Apple added a super-secret-hash-hash key so they could unlock the phone, that key would be completely compromised sooner rather than later along with ALL the devices. Such a key would be immediately attacked and extracted from the phone by uncovering the chip and extracting the key, bit by bit from the flash, or by compromising Apple or government servers. There is nothing that can't be unlocked like that, given sufficient time and resources. This also means that this entire fiasco with the phone has nothing to do with the phone itself - Apple can't unlock it even if they wanted to and FBI doesn't want to spend resources (that it can't afford anyway) to find nothing on that phone. What this is about is future of security - it's the next installment of the crypto wars.

                          https://en.wikipedia.org/wiki/Crypto_Wars [wikipedia.org]

                          • (Score: 2) by frojack on Thursday February 18 2016, @09:10AM

                            by frojack (1554) on Thursday February 18 2016, @09:10AM (#306237) Journal

                            > This means that if you can brute force a 56-bit key in one millisecond, it would take you longer than the age of the universe to crack 128-bit key, never mind 256-bit key.

                            Did you miss that bit about the cloud, and the other references about using the power of a zillion machines mentioned up-thread?

                            By the way, if you think encryption can't be brute forced in this day and age, you need to go back and re-read what Snowden has written.

                            --
                            No, you are mistaken. I've always had this sig.
                  • (Score: 2) by BasilBrush on Thursday February 18 2016, @12:44AM

                    by BasilBrush (3994) on Thursday February 18 2016, @12:44AM (#306050)

                    The fact that the FBI are having to use dubious legal means to compel Apple to bypass the self-wipe indicates that there is no known way of doing it in the wild with current iPhones. Whether by forensics or any other method.

                    --
                    Hurrah! Quoting works now!
  • (Score: 3, Interesting) by Geotti on Wednesday February 17 2016, @12:05PM

    by Geotti (1146) on Wednesday February 17 2016, @12:05PM (#305716) Journal

    So, –assuming that the iPhone has been synced with a computer before– wouldn't it be possible to make a backup of the phone and then restore it and get rid of the passcode? (It should be easy enough to get the iTunes ID, so the phone thinks it's syncing with the computer it is paired with.)
      I'm not sure if iOS 8 and 9 require you to enter the passcode when you do a backup, but apparently [1,2] it has worked before.

    Otherwise, how are they going to replace iOS short of directly tampering with the memory? *grabs popcorn*

    [1] http://www.igeeksblog.com/i-forgot-my-iphone-passcode/
     
    [2] http://www.netchimp.co.uk/webdesign/iphone-ipad-ipod-touch-tips/unlock-iphone-forgot-passcode-synced-itunes/#neversync [netchimp.co.uk]

    • (Score: 5, Informative) by khchung on Wednesday February 17 2016, @12:12PM

      by khchung (457) on Wednesday February 17 2016, @12:12PM (#305717)

      This same story is on the green site already, and someone had already posted a very detailed explanation with link to Apple's document.

      http://yro.slashdot.org/comments.pl?sid=8756397&cid=51524693 [slashdot.org]

      In short: "You must have all 3 pieces present: The specific secure enclave [a piece of security hardware on the phone], the specific processor of the iphone, and the flash memory that you are trying to decrypt."

      And regarding restoring from backup:

      http://yro.slashdot.org/comments.pl?sid=8756397&cid=51525365 [slashdot.org]

      In short, can't be done.

      • (Score: 0) by Anonymous Coward on Wednesday February 17 2016, @01:24PM

        by Anonymous Coward on Wednesday February 17 2016, @01:24PM (#305741)

        Of course it can be done and there probably is an infinite supply of solutions too. The question is not if, it's how do we want to go about it.

        • (Score: 2, Touché) by Anonymous Coward on Wednesday February 17 2016, @01:54PM

          by Anonymous Coward on Wednesday February 17 2016, @01:54PM (#305760)

          Lawyers are not allowed on SN

          • (Score: 5, Funny) by Thexalon on Wednesday February 17 2016, @02:27PM

            by Thexalon (636) on Wednesday February 17 2016, @02:27PM (#305781)

            Yes there are, as clearly stated in section 47.A.5, subclause 17, on page 23 of your user agreement, which I'm sure you're familiar with. And if you don't believe me, I refer you to the defense response in Arkell v Pressdram, 1971.

            --
            "Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
          • (Score: 3, Touché) by Runaway1956 on Wednesday February 17 2016, @03:04PM

            by Runaway1956 (2926) Subscriber Badge on Wednesday February 17 2016, @03:04PM (#305803) Journal

            Nonsense. Where did you think Soylent Brown came from? We lure the lawyers in, grind 'em up, and serve them up fresh. Don't scare the lawyers off, or you may be going hungry.

            --
            “Take me to the Brig. I want to see the “real Marines”. – Major General Chesty Puller, USMC
            • (Score: 2) by Bogsnoticus on Thursday February 18 2016, @03:58AM

              by Bogsnoticus (3982) on Thursday February 18 2016, @03:58AM (#306132)

              I always thought that lawyers were made from Soylent Brown, which is created approximately 24 hours after eating any other form of Soylent.

              --
              Genius by birth. Evil by choice.
      • (Score: 1, Interesting) by Anonymous Coward on Wednesday February 17 2016, @02:25PM

        by Anonymous Coward on Wednesday February 17 2016, @02:25PM (#305779)

        Those are good links. But I disagree that it would cost millions to shave off the top of the secure enclave and read it with an electron microscope. That is a well known technique that has been used for well over a decade. It's the kind of thing that can be substantially automated so if you've done it once you are probably all set to do it again (and surely the NSA has done it and has all the necessary tools).

        • (Score: 1, Insightful) by Anonymous Coward on Wednesday February 17 2016, @07:24PM

          by Anonymous Coward on Wednesday February 17 2016, @07:24PM (#305892)

          > if you've done it once you are probably all set to do it again (and surely the NSA has done it and has all the necessary tools).

          AHA! And now you must ask yourself: Why doesn't the NSA just do it then? See? Apple probably could do it, but this ruling makes the public corps lapdogs beholden to the state. The NSA should do it, if it truly were a matter of "national security" they would have done so already. This is a political slug match. By the by, wasn't it interesting how all those reporters were allowed all over the crime scene just days after the incident to destroy any possible evidence? We're arguing technical capabilities in a propagandized lawsuit brought about by a false flag. It will never make sense if you attack the problem from a flawed position.

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday February 17 2016, @12:12PM

    by Anonymous Coward on Wednesday February 17 2016, @12:12PM (#305718)

    If the encryption were truly secure, even Apple would not be able to do anything. This is one of the pitfalls with proprietary software: You can't ever trust it, not even a little bit.

    • (Score: 1) by anubi on Wednesday February 17 2016, @12:29PM

      by anubi (2828) on Wednesday February 17 2016, @12:29PM (#305722) Journal

      One thing fer sure... Apple's gonna go up several notches in the "trust" score if they can't honor this court order.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 2, Insightful) by Anonymous Coward on Wednesday February 17 2016, @01:07PM

        by Anonymous Coward on Wednesday February 17 2016, @01:07PM (#305734)

        Or they could just pretend they can't honor it and reap the benefit of the trust of gullible fools at the risk of a few million dollars' worth of lawyers. Probably an acceptable cost of doing business, and then they can both spy on you AND make you think they can't spy on you at the same time.

        • (Score: 1, Interesting) by Anonymous Coward on Wednesday February 17 2016, @01:28PM

          by Anonymous Coward on Wednesday February 17 2016, @01:28PM (#305742)

          Exactly. How do we know about this whole business in the first place? Because the gov and apple told us so.

          Both are desperate for us to believe in them. Zero cred.

        • (Score: 1, Insightful) by Anonymous Coward on Wednesday February 17 2016, @04:42PM

          by Anonymous Coward on Wednesday February 17 2016, @04:42PM (#305836)

          From a technical standpoint there's no question they can do it. The FBI is requesting a special version of iOS that doesn't brick the phone after X number brute force PIN attempts. Apple's doing the right thing, but I guess when you hate Apple you'll find something to bitch about.

    • (Score: 1) by ewk on Wednesday February 17 2016, @12:32PM

      by ewk (5923) on Wednesday February 17 2016, @12:32PM (#305723)

      "Apple has five days to appeal or demonstrate that it cannot comply with the order."

      So... let's wait a few days, shall we?
      I would expect the FBI would blow their horn quite loudly if the Apple actually will be able to help them out here.

      --
      I don't always react, but when I do, I do it on SoylentNews
      • (Score: 0) by Anonymous Coward on Wednesday February 17 2016, @01:57PM

        by Anonymous Coward on Wednesday February 17 2016, @01:57PM (#305762)

        > I would expect the FBI would blow their horn quite loudly if the Apple actually will be able to help them out here.

        I don't think so. In the name of national security, successfully breaking this would be kept very secret indeed. But the FBI would come out and tout their own horn about how they didn't need the decryption/apple support because "hey, we found these other things through other means, err... yes, other ways. Forget we ever asked about support with decrypting"...

    • (Score: 4, Informative) by wisnoskij on Wednesday February 17 2016, @12:32PM

      by wisnoskij (5149) <{jonathonwisnoski} {at} {gmail.com}> on Wednesday February 17 2016, @12:32PM (#305724)

      No, it is a 4-6 digit pin, well within the brute force range. All they need is for software to not slow down the brute forcing.

      • (Score: 1) by ewk on Wednesday February 17 2016, @12:36PM

        by ewk (5923) on Wednesday February 17 2016, @12:36PM (#305725)

        AFAIK there is no brute force... you have three attempts to find the correct PIN and once the third attempt fails the iPhone is reset/bricked/whatever you want to call it.

        --
        I don't always react, but when I do, I do it on SoylentNews
        • (Score: 2) by BasilBrush on Wednesday February 17 2016, @01:21PM

          by BasilBrush (3994) on Wednesday February 17 2016, @01:21PM (#305740)

          With all iOS versions since 8.0.

          However what TFS is clearly saying is that the court requires Apple to provide a bespoke version of iOS that doesn't have those restrictions on PIN attempts.

          --
          Hurrah! Quoting works now!
      • (Score: 4, Informative) by mtrycz on Wednesday February 17 2016, @12:49PM

        by mtrycz (60) on Wednesday February 17 2016, @12:49PM (#305729)

        After 10 attempts the memory is wiped clean.

        The FBI wants Apple to load a customized OS to let them bruteforce the passcode without the memory wiping. Besides the slowdown.

        --
        In capitalist America, ads view YOU!
        • (Score: 0) by Anonymous Coward on Wednesday February 17 2016, @01:59PM

          by Anonymous Coward on Wednesday February 17 2016, @01:59PM (#305763)

          You make "wiped clean" sound so ... final. Sure, it's 'erased' but it's not gone!

          • (Score: 2) by Runaway1956 on Wednesday February 17 2016, @03:09PM

            by Runaway1956 (2926) Subscriber Badge on Wednesday February 17 2016, @03:09PM (#305804) Journal

            Maybe, maybe not. A simple "delete" or "erase" doesn't really kill any data. But, /dev/random overwriting whatever was there makes it pretty useless. How many "wipes" are performed, by default?

            Almost any knucklehead running Linux can make data unrecoverable in short order. If he doesn't know how, Google is just a few keystrokes away.

            --
            “Take me to the Brig. I want to see the “real Marines”. – Major General Chesty Puller, USMC
          • (Score: 3, Insightful) by WillR on Wednesday February 17 2016, @03:30PM

            by WillR (2012) on Wednesday February 17 2016, @03:30PM (#305814)
            If you wipe the key, the data on encrypted flash chips is gone*.
            *barring implausible advances in mathematics or computing hardware
          • (Score: 3, Interesting) by gnuman on Wednesday February 17 2016, @05:10PM

            by gnuman (5013) on Wednesday February 17 2016, @05:10PM (#305847)

            Apple made their processor to hold the key. The key is inside the processor. That processor probably has some unique id too, so you can't just dump flash content (at least not easily). The wipe means that the key is destroyed in hardware and no longer readable to the processor, never mind the attacker.

                https://support.apple.com/en-us/HT202064 [apple.com]
                http://www.apple.com/business/docs/iOS_Security_Guide.pdf [apple.com]

            Oh, and here is a good read on how criminals have used backdoors,

                https://www.schneier.com/blog/archives/2014/10/iphone_encrypti_1.html [schneier.com]

            Backdoor access built for the good guys is routinely used by the bad guys. In 2005, some unknown group surreptitiously used the lawful-intercept capabilities built into the Greek cell phone system. The same thing happened in Italy in 2006.

            In 2010, Chinese hackers subverted an intercept system Google had put into Gmail to comply with US government surveillance requests. Back doors in our cell phone system are currently being exploited by the FBI and unknown others.

      • (Score: 0) by Anonymous Coward on Wednesday February 17 2016, @03:24PM

        by Anonymous Coward on Wednesday February 17 2016, @03:24PM (#305809)

        Are you sure it is 4-6 digits? I'm using 8 and using the first 6 won't unlock it.

    • (Score: 3, Insightful) by theluggage on Wednesday February 17 2016, @01:40PM

      by theluggage (1797) on Wednesday February 17 2016, @01:40PM (#305751)

      If the encryption were truly secure, even Apple would not be able to do anything.

      ...including selling phones to regular consumers, who didn't want to enter a 32 character strong password every time they turned on their phone. A PIN is a deliberate compromise between usability and security. The fact that the FBI have unlimited physical access to the phone and still can't crack it without help from the manufacturer suggests that there are no flies on Apple's implementation of a PIN.

      This is one of the pitfalls with proprietary software

      Not in this case: the vulnerability is caused by deliberate features, namely the choice to use a PIN and (presumably) the ability to do a firmware update without needing the PIN (and I'm only assuming that's possible because it is the hack that is being suggested). Open source won't do anything to prevent that.

      • (Score: 2) by Immerman on Wednesday February 17 2016, @04:49PM

        by Immerman (3985) on Wednesday February 17 2016, @04:49PM (#305837)

        In fact open source might make it easier to compromise, making it far easier to write your own "no limits" version of the OS. Then the only defense would be "tivoization" so that the device would only run a properly signed OS so that cooperation with the manufacturer is still required (or at least a copy of their signing key).

        Of course, if the device doesn't require a signed OS then any halfway competent attacker should be able to edit the binary directly to remove the limitations. So presumably iPhones require signed binaries and the FBI hasn't yet acquired the keys. [Dons tinfoil hat] Or at least that's what the FBI wants the public to think.

        Hmm, I suppose a signing requirement would also be needed for limiting the compromised software to a single device - hard-code the serial number check and even though it's easy to modify for another phone, the modified version will no longer be signed.

        • (Score: 0) by Anonymous Coward on Thursday February 18 2016, @03:47PM

          by Anonymous Coward on Thursday February 18 2016, @03:47PM (#306365)

          In fact open source

          Not merely open source, but free software. As for this, it's entirely possible to have free software that implemented similar security measures that is fully in control of the user. There is no reason the manufacturer would have to be involved.

          It is silly to think that hiding how the software works will somehow protect you from competent attackers.

          • (Score: 3, Informative) by Immerman on Thursday February 18 2016, @09:40PM

            by Immerman (3985) on Thursday February 18 2016, @09:40PM (#306576)

            Is not Free software a strict subset of open source? I.e. all Free Software is open source, but not all open source software is Free.

            And no, it's not entirely silly - if you have access to the source code there are a number of tools of various degrees of sophistication that you can use to analyze it for likely security problems. Probably a fair bet that competent attackers will do so using the most sophisticated tools available (especially if we're talking NSA-class attackers). Probably also a fair bet that most OS projects won't run such high-end analytics themselves, nor immediately fix all the problems if they do.

            Open source can do a great job of eliminating a lot of the "low hanging fruit" for attackers. But as we've seen time and again it doesn't necessarily catch the more subtle problems. Meanwhile it helps to expose those subtle problems that would likely be difficult to find through black-box analysis to well-funded attackers.

            Net result - your average security-conscious open source program is probably more secure against average attackers than a proprietary equivalent. But once you eliminate the low hanging fruit on both, then having the source gives you a leg up on finding more esoteric attacks. Not to mention it may make it more likely that an attacker will intentionally "poison the well" by contributing an obfuscated weakness. With proprietary software that can only be done with inside help - not that that's any sort of guarantee it doesn't happen, but it requires conspiracy rather than just the false appearance of good faith.

    • (Score: 4, Insightful) by Non Sequor on Wednesday February 17 2016, @06:42PM

      by Non Sequor (1005) on Wednesday February 17 2016, @06:42PM (#305876) Journal

      This isn't really a free/proprietary thing. It sounds like it has a configuration where the OS can't be modified to bypass the security measures without the PIN and if the memory is transferred to another circuit board, it still can't be accessed without extracting information from the original hardware. It sounds like if they do this it will require physically monitoring or modifying the hardware.

      The court could just as easily order a developer who posted circuit boards and software for a phone online as free software to cooperate with security bypass engineering on behalf of law enforcement. The free software movement is not an inoculant against this effect.

      --
      Write your congressman. Tell him he sucks.
  • (Score: 2, Informative) by Anonymous Coward on Wednesday February 17 2016, @01:02PM

    by Anonymous Coward on Wednesday February 17 2016, @01:02PM (#305732)

    https://www.washingtonpost.com/world/national-security/us-wants-apple-to-help-unlock-iphone-used-by-san-bernardino-shooter/2016/02/16/69b903ee-d4d9-11e5-9823-02b905009f99_story.html [washingtonpost.com]

    The order does not ask Apple to break the phone’s encryption, but rather to disable the feature that wipes the data on the phone after 10 incorrect tries at entering a password. That way, the government can try to crack the password using “brute force” — attempting tens of millions of combinations without risking the deletion of the data.

    but then
    https://www.techdirt.com/articles/20160216/17393733617/no-judge-did-not-just-order-apple-to-break-encryption-san-bernardino-shooters-iphone-to-create-new-backdoor.shtml [techdirt.com]
    https://assets.documentcloud.org/documents/2714005/SB-Shooter-Order-Compelling-Apple-Asst-iPhone.pdf [documentcloud.org]

    Apple's reasonable technical assistance shall accomplish the following three important functions: (1) it will bypass or disable the auto-erase function whether or not it has been enabled; (2) it will enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available on the SUBJECT DEVICE and (3) it will ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware.

    Apple's reasonable technical assistance may include, but is not limited to: providing the FBI with a signed iPhone Software file, recovery bundle, or other Software Image File ("SIF") that can be loaded onto the SUBJECT DEVICE. The SIF will load and run from Random Access Memory and will not modify the iOS on the actual phone, the user data partition or system partition on the device's flash memory. The SIF will be coded by Apple with a unique identifier of the phone so that the SIF would only load and execute on the SUBJECT DEVICE. The SIF will be loaded via Device Firmware Upgrade ("DFU") mode, recovery mode, or other applicable mode available to the FBI. Once active on the SUBJECT DEVICE, the SIF will accomplish the three functions specified in paragraph 2. The SIF will be loaded on the SUBJECT DEVICE at either a government facility, or alternatively, at an Apple facility; if the latter, Apple shall provide the government with remote access to the SUBJECT DEVICE through a computer allowing the government to conduct passcode recovery analysis.

    If Apple determines that it can achieve the three functions stated above in paragraph 2, as well as the functionality set forth in paragraph 3, using an alternate technological means from that recommended by the government, and the government concurs, Apple may comply with this Order in that way.
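Why a per-device identifier only restricts an image when the image is also signed, as Immerman argues above and as the quoted order requires of the SIF. This is an added example, not Apple's mechanism or any commenter's code: a Lamport one-time signature built from the Python standard library stands in for the vendor's signing scheme, and the image layout and serial numbers are constructed.

```python
"""Constructed example: a signed boot image personalized to one device ID."""
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _digest_bits(message: bytes) -> list:
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def keygen():
    """Lamport one-time key pair: 256 pairs of secrets and their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(_h(zero), _h(one)) for zero, one in private]
    return private, public


def sign(private, message: bytes) -> list:
    """Reveal one secret per digest bit. The key must sign only one message."""
    return [private[i][bit] for i, bit in enumerate(_digest_bits(message))]


def verify(public, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    bits = _digest_bits(message)
    return all(_h(signature[i]) == public[i][bits[i]] for i in range(256))


def build_image(device_id: bytes, payload: bytes) -> bytes:
    """Hypothetical image layout: 1-byte ID length, device ID, payload."""
    return bytes([len(device_id)]) + device_id + payload


def parse_image(image: bytes):
    id_len = image[0]
    return image[1:1 + id_len], image[1 + id_len:]


def retarget(image: bytes, new_id: bytes) -> bytes:
    """Swap the embedded device ID, as someone without the signing key might."""
    _old_id, payload = parse_image(image)
    return build_image(new_id, payload)


def boot_check(image: bytes, signature, vendor_public, my_device_id: bytes) -> str:
    # Signature first: nothing in an unverified image is trusted, ID field included.
    if not verify(vendor_public, image, signature):
        return "rejected: bad signature"
    device_id, _payload = parse_image(image)
    if device_id != my_device_id:
        return "rejected: personalized for another device"
    return "accepted"


def demo() -> dict:
    vendor_private, vendor_public = keygen()
    target, other = b"SERIAL-TARGET-0001", b"SERIAL-OTHER-0002"  # constructed IDs
    image = build_image(target, b"constructed payload")
    signature = sign(vendor_private, image)
    patched = retarget(image, other)
    return {
        "target_device": boot_check(image, signature, vendor_public, target),
        "other_device_same_image": boot_check(image, signature, vendor_public, other),
        "other_device_patched_image": boot_check(patched, signature, vendor_public, other),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The restriction holds only as long as the signing key stays with the vendor, which is the dependency Immerman's comment points out.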

    • (Score: 0) by Anonymous Coward on Wednesday February 17 2016, @01:11PM

      by Anonymous Coward on Wednesday February 17 2016, @01:11PM (#305736)

      > it will ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware.

      cryptsetup's --iter-time does a good job then.

      (if you don't know, this flag accepts a parameter in milliseconds which adds additional hash cycles to decrypt a volume e.g. --iter-time 2000 will take the password, hash it, then hash the resulting hash over and over for 2 seconds to come up with the true decryption key. Depending on the speed of the processor, this will result in a number of rehashes in the 10,000+ range. The purpose being to deliberately slow down a brute force attack by making the attacker have to hash a password guess 10,000+ times instead of once.)

      Damn I love gnu.

      • (Score: 2) by ticho on Wednesday February 17 2016, @02:44PM

        by ticho (89) on Wednesday February 17 2016, @02:44PM (#305793) Homepage Journal

        Just a nitpick, but cryptsetup is not a GNU program.

    • (Score: 3, Insightful) by theluggage on Wednesday February 17 2016, @01:54PM

      by theluggage (1797) on Wednesday February 17 2016, @01:54PM (#305759)

      The order does not ask Apple to break the phone’s encryption,

      No, it just asks Apple to take actions that will result in the phone's encryption being broken. By that logic, the shooters didn't kill people, they just took actions that resulted in people being hit by bullets.

      • (Score: 3, Insightful) by maxwell demon on Wednesday February 17 2016, @03:18PM

        by maxwell demon (1608) on Wednesday February 17 2016, @03:18PM (#305807) Journal

        To keep in your weapons analogy: The FBI doesn't ask Apple to shoot, it only asks Apple to open the weapon lockers so the FBI can take the gun out and shoot.

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 4, Insightful) by WillR on Wednesday February 17 2016, @03:39PM

          by WillR (2012) on Wednesday February 17 2016, @03:39PM (#305817)
          It's more like the court is ordering Apple to build the FBI a custom gun that only works against this one particular phone.

          (And Apple is resisting because if they do it "just this once", they're going to immediately be buried under court orders to build a million bespoke guns to shoot the locks off of every locked iPhone a cop has ever taken from a penny-ante weed dealer.)
          • (Score: 1, Insightful) by Anonymous Coward on Wednesday February 17 2016, @05:45PM

            by Anonymous Coward on Wednesday February 17 2016, @05:45PM (#305862)

            As well as do the same for the government of every country where they do business like Saudi, Iran, Russia and China. Even if you are a true blue patriot who thinks the US government is completely ethical, chances are you don't think the same of other governments.

          • (Score: 0) by Anonymous Coward on Wednesday February 17 2016, @09:31PM

            by Anonymous Coward on Wednesday February 17 2016, @09:31PM (#305961)

            Honest question:
                Why can't they do it this once, and then say NO to future requests especially non-US government requests?

            I read this is voluntary assistance right? Setting legal precedent for nothing more than voluntary action. They can still say yes or no in future, or am I missing something?
            thx

            • (Score: 2) by theluggage on Wednesday February 17 2016, @11:13PM

              by theluggage (1797) on Wednesday February 17 2016, @11:13PM (#306009)

              Why can't they do it this once, and then say NO to future requests especially non-US government requests.

              Because once they do it once, it weakens all their arguments as to why it should never be done.

            • (Score: 1) by WillR on Thursday February 18 2016, @01:54PM

              by WillR (2012) on Thursday February 18 2016, @01:54PM (#306318)
              It's not a request, it's a court order. If they demonstrate an ability to comply with one and then say no to others, people go to jail.

              (Well, maybe. If an individual did it they would certainly be locked up, but Apple has a lot of money...)
              • (Score: 0) by Anonymous Coward on Thursday February 18 2016, @03:08PM

                by Anonymous Coward on Thursday February 18 2016, @03:08PM (#306342)

                thx

  • (Score: 1) by CHK6 on Wednesday February 17 2016, @01:17PM

    by CHK6 (5974) on Wednesday February 17 2016, @01:17PM (#305737)

    When the news of this started bubbling up, I was disappointed in the FBI having to hold their collective hat in hand reaching out for help on such a trivial matter. Regardless of your stance on the agency, I was always under the impression that they had top-shelf crackers and decryption skills to make any nation in the world weak in the knees. Now it turns out they cannot unlock a phone and have resorted to brute forcing the combination. I would also think the close buddy of the FBI, the CIA, would offer a hand on prying open the clam shell. I have to be honest, I'm a bit disappointed and let down. No disrespect to the agency, it's just that they don't have the capabilities I thought they had.

    • (Score: 5, Insightful) by Anonymous Coward on Wednesday February 17 2016, @01:42PM

      by Anonymous Coward on Wednesday February 17 2016, @01:42PM (#305752)

      You are neglecting the political context. The FBI is lobbying congress to force phone manufacturers to build in back doors. This case is perfect for them to point at and say "see! this is why we need backdoors!" because (a) it made the headlines for weeks so politicians are primed on the topic (b) there are no defendants left to prosecute so no rush there and (c) there is no imminent threat so the FBI can afford to dick around with this in the courts in order to score as many political points as possible.

      • (Score: 3, Insightful) by Geezer on Wednesday February 17 2016, @01:51PM

        by Geezer (511) on Wednesday February 17 2016, @01:51PM (#305758)

        and c) set a nifty precedent so "SUBJECT DEVICE" becomes "ANYTHING WE DAMN WELL PLEASE DEVICE".

      • (Score: 2) by Thexalon on Wednesday February 17 2016, @05:34PM

        by Thexalon (636) on Wednesday February 17 2016, @05:34PM (#305855)

        (b) there are no defendants left to prosecute so no rush there

        How do you know there are no defendants left to prosecute? Both shooters are dead, no question, but I'd expect the FBI to be following all available leads and seeking out available evidence to make sure that there weren't co-conspirators still at large.

        --
        "Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
        • (Score: 0) by Anonymous Coward on Wednesday February 17 2016, @05:41PM

          by Anonymous Coward on Wednesday February 17 2016, @05:41PM (#305860)

          > How do you know there are no defendants left to prosecute?

          There are none in custody. If they aren't in custody there is no rush to charge them. If they are threats then the FBI is already watching everything they do.

    • (Score: 5, Insightful) by takyon on Wednesday February 17 2016, @02:01PM

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Wednesday February 17 2016, @02:01PM (#305766) Journal

      NSA are the ones that know what they are doing. They employ lots of mathematicians. And just compare the stances of the two:

      FBI Director James "The Crypto Contender" Comey: https://soylentnews.org/search.pl?tid=&query=comey+encryption&author=&sort=1&op=stories [soylentnews.org]

      NSA:

      Feb. 24, 2015: NSA Director Mike Rogers Defends Backdoors, Citing Sony Attacks [soylentnews.org]
      Apr. 13, 2015: NSA Wants "Front Door" to Your Data Via Split Keys [soylentnews.org]
      Jan. 21, 2016: NSA Chief Stakes Out Pro-Encryption Position, in Contrast to FBI [theintercept.com]
      Feb. 02, 2016: Report Says FBI Wildly Overstates Encryption Peril [soylentnews.org] (current and former Intel officials say encryption doesn't matter, because they can hack your IoT devices, TVs, cars, etc.)
      Feb. 05, 2016: NSA Says it "Must Act Now" Against the Quantum Computing Threat [soylentnews.org]

      Rather than join Comey's anti-encryption fantasy tour, they are busy subverting or bypassing encryption. If Apple could actually rewrite the software on that suspect's phone for the purpose of bypassing PIN restrictions, it would be easy to imagine them already possessing the capability and not revealing it in this case of a high-profile terrorist with lots of media attention, but likely no valuable intelligence on the device.

      The NSA will clearly be among the first to build a practical quantum computer for RSA decryption, and Snowden documents reveal they are throwing at least a little money in that direction. There have been a lot of developments in the past 1-2 years that have made quantum computing closer to being practical, and there are startups beginning to do the work of making it practical in "stealth mode".

      We've seen how in the past they have weakened encryption standards deliberately rather than whining to lawmakers and the public like FBI's Scummy. Now that they have been called out on that and the nature of their offense/defense mission, they will probably avoid promoting weak crypto and instead focus on attacking all crypto in private. Besides quantum computing, there could be a revolution in classical computing in the near future, taking us to zettascale+ and necessitating longer keys.

      So you are looking at the wrong agency. FBI had a neat trick in using malware to subvert Tor, but their bag of tricks is partially funded by the NSA.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 0) by Anonymous Coward on Wednesday February 17 2016, @02:29PM

        by Anonymous Coward on Wednesday February 17 2016, @02:29PM (#305783)

        They employ lots of mathematicians.

        Which just demonstrates yet again that intelligent people don't have to be moral or principled. The community at large should discourage directly aiding treacherous organizations.

      • (Score: 2) by opinionated_science on Wednesday February 17 2016, @04:30PM

        by opinionated_science (4031) on Wednesday February 17 2016, @04:30PM (#305831)

        "So you are looking at the wrong agency...."

        Maybe, but we are still paying taxes for this abuse....

  • (Score: 5, Insightful) by Anonymous Coward on Wednesday February 17 2016, @01:46PM

    by Anonymous Coward on Wednesday February 17 2016, @01:46PM (#305755)

    it can't be undone. If Apple codes this patch for the government it will serve as precedent and render all iPhones vulnerable.

    So Apple iPhone encryption is just about over as a concept. Just want to be sure that everyone internalizes that.

    • (Score: 3, Insightful) by takyon on Wednesday February 17 2016, @02:07PM

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Wednesday February 17 2016, @02:07PM (#305769) Journal

      They could design the next iteration of phones to resist attempts to update firmware while in lockdown mode (seems similar to some of those Intel security features I've heard whining about), but the precedent set by the courts would make that kind of useless. How far do they want to take this in the court system, and will FBI appeal every step of the way? None of us think there's valuable intelligence on the phone, not after several months anyway, so the real value here is in getting the courts to agree with the FBI's position while getting the public to side against Apple due to scaaary terrorists. I updated the story to add EFF's amicus brief promise, but Apple could choose to cave any day now.

      Upmoderating your comment.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 5, Informative) by pTamok on Wednesday February 17 2016, @02:37PM

        by pTamok (3042) on Wednesday February 17 2016, @02:37PM (#305789)

        The iPhone does this.

        The main flash is encrypted with a key stored in the secure chip. 'Secure Erase' simply deletes this key, which means the contents of the main flash are not touched, but continue to look like random bytes. If you desolder the main flash memory to read out the contents, you can: but they will look like random bytes.

        So, how do you get at the key in the secure chip? The secure chip runs its own micro-OS, loaded from on-chip flash. So it's simple: just re-flash the secure chip with a new micro-OS. But, unfortunately, it won't allow itself to be re-flashed without you entering the PIN. If you enter an incorrect PIN too often, the secure chip enforces a time out, so you can't just run through the entire PIN number-space in a short time.

        If you try to tamper with the secure chip, it erases the encryption key. It is designed with effective anti-tamper mechanisms.

        The FBI are probing the design, looking for loopholes. So we get to see if Apple's designers have done a good job. As far as I know, Apple's team have explicitly thought about what happens if the main iOS is compromised or replaced, so it is not just a case of re-flash with a new, signed, iOS and bypass all the pesky restrictions.

        Getting at the key held in the secure chip without triggering the anti-tamper mechanisms that erase it is, no doubt, possible, but very, very difficult.

        Note: this is a vastly over-simplified view of how iPhone data security works. If there are flaws in the model described by me, it is no doubt because I have oversimplified, and I recommend looking at the actual technical details available elsewhere. I have deliberately not talked about how the key is used in RAM when the phone is on, because I don't know enough of the details. I believe there are some protections against a malicious process simply reading the key.
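The key-wipe design described in this subthread (WillR, gnuman and pTamok), as a toy model added here; it is not Apple's code and not part of any comment. The HMAC-based cipher, the `Device` class, the iteration count and the passcodes are all constructed for illustration.

```python
"""Toy model (constructed): passcode-wrapped data key with auto-erase."""
import hashlib
import hmac
import secrets

ITERATIONS = 5_000   # assumed work factor, kept small so the demo runs quickly
MAX_ATTEMPTS = 10    # wipe threshold mentioned in the thread


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


class Device:
    def __init__(self, passcode: str, user_data: bytes):
        self._uid = secrets.token_bytes(32)   # device-unique secret, never exported
        self.failed = 0
        data_key = secrets.token_bytes(32)
        self.flash = seal(data_key, user_data)                        # bulk storage
        self.key_slot = seal(self._passcode_key(passcode), data_key)  # erasable slot

    def _passcode_key(self, passcode: str) -> bytes:
        # Salting with the UID means a guess can only be checked on this device.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._uid, ITERATIONS)

    def unlock(self, passcode: str):
        """Return the user data, or None on a wrong passcode or a wiped device."""
        if self.key_slot is None:
            return None
        data_key = unseal(self._passcode_key(passcode), self.key_slot)
        if data_key is None:
            self.failed += 1
            if self.failed >= MAX_ATTEMPTS:
                self.key_slot = None   # the wipe: flash is left untouched
            return None
        self.failed = 0
        return unseal(data_key, self.flash)


def demo() -> dict:
    dev = Device("4821", b"constructed user data")
    flash_copy = dev.flash
    result = {"correct_before_wipe": dev.unlock("4821")}

    # Same storage contents moved to a board with a different UID.
    other = Device("0000", b"")
    other.flash, other.key_slot = dev.flash, dev.key_slot
    result["transplanted"] = other.unlock("4821")

    for guess in range(MAX_ATTEMPTS):          # ten wrong passcodes: 0000..0009
        dev.unlock(f"{guess:04d}")
    result["failed_attempts"] = dev.failed
    result["correct_after_wipe"] = dev.unlock("4821")
    result["flash_unchanged"] = dev.flash == flash_copy
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this model the attempt counter and the wipe are policy code around the key derivation, while the UID binding and the per-guess derivation cost are properties of the cryptography itself.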

        • (Score: 5, Informative) by pTamok on Wednesday February 17 2016, @03:14PM

          by pTamok (3042) on Wednesday February 17 2016, @03:14PM (#305805)

          Just to update my above posting.

          Apparently, the phone in question is an iPhone 5c.

          This does not have the secure chip aka 'Secure Enclave', so the time-delays between PIN checks are implemented in software, not secure hardware. This means it is likely possible that a customised revision of iOS could (if possible to install), for this model of iPhone, allow investigators to cycle through the PIN number space as fast as the processor will allow.

          See: http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order/ [trailofbits.com]

          However, if the phone's user had opted to use a full, long, alphanumeric 'PIN' rather than a 4, 5 or six digit number, then increasing the speed of PIN attempts may not help very much.
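An added illustration (not from any commenter) of two points made in this thread about the cost of a guess: time-calibrated key stretching in the style of cryptsetup's `--iter-time`, and why passcode length and alphabet matter more than guess speed. PBKDF2-HMAC-SHA256 as the stretching function, the 0.08 s per-guess figure and the passcode policies listed are assumptions chosen for the example.

```python
"""Constructed example: time-calibrated key stretching and exhaustive-search cost."""
import hashlib
import os
import time

ASSUMED_GUESS_SECONDS = 0.08   # assumption: cost of one passcode check on the device

# (label, alphabet size, length): constructed policies for comparison
PASSCODE_POLICIES = [
    ("4-digit PIN", 10, 4),
    ("6-digit PIN", 10, 6),
    ("6 chars, a-z and 0-9", 36, 6),
    ("10 chars, a-z A-Z 0-9", 62, 10),
]


def calibrate_iterations(target_ms: float, probe: int = 20_000) -> int:
    """Choose an iteration count that costs roughly target_ms on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"benchmark", salt, probe)
    elapsed_ms = max((time.perf_counter() - start) * 1000, 1e-6)
    return max(1000, int(probe * target_ms / elapsed_ms))


def derive_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """Stretch a passphrase; every guess has to repeat all the iterations."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations)


def keyspace(alphabet: int, length: int) -> int:
    return alphabet ** length


def worst_case_seconds(alphabet: int, length: int, per_guess_seconds: float) -> float:
    """Time to try every candidate when each check costs per_guess_seconds."""
    return keyspace(alphabet, length) * per_guess_seconds


def human(seconds: float) -> str:
    units = (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def search_table(per_guess_seconds: float = ASSUMED_GUESS_SECONDS) -> list:
    """One row per policy: (label, number of candidates, worst-case time)."""
    return [
        (label, keyspace(a, n), human(worst_case_seconds(a, n, per_guess_seconds)))
        for label, a, n in PASSCODE_POLICIES
    ]


if __name__ == "__main__":
    # Comparable in spirit to asking for two seconds of passphrase processing.
    print("iterations for ~2000 ms on this machine:", calibrate_iterations(2000))
    for label, candidates, duration in search_table():
        print(f"{label:24} {candidates:>22,} candidates  {duration}")
```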

        • (Score: 0) by Anonymous Coward on Wednesday February 17 2016, @11:56PM

          by Anonymous Coward on Wednesday February 17 2016, @11:56PM (#306025)

          Apple should just mess up (on accident of course). Oops phone wiped. My bad.

  • (Score: 1, Flamebait) by SpockLogic on Wednesday February 17 2016, @02:15PM

    by SpockLogic (2762) on Wednesday February 17 2016, @02:15PM (#305773)

    "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety."

    The right wing authoritarian low information voters are baying like a pack of hounds for Apple to capitulate. They are too dumb to realize or care about the consequences of their actions. I hope Apple resists.

    --
    Overreacting is one thing, sticking your head up your ass hoping the problem goes away is another - edIII
    • (Score: 5, Insightful) by Anal Pumpernickel on Wednesday February 17 2016, @02:32PM

      by Anal Pumpernickel (776) on Wednesday February 17 2016, @02:32PM (#305786)

      It's not just "right wing" authoritarians, but authoritarians on all sides.

      • (Score: 0) by Anonymous Coward on Thursday February 18 2016, @12:06AM

        by Anonymous Coward on Thursday February 18 2016, @12:06AM (#306032)

        Folks using just that 1-dimensional description of the possibilities are going to have a limited view of the world and will conflate things.

        ...and Democrats (whom many mistakenly call "Left") are NOT anti-Capitalism, putting them on the (economic) Right according to PoliticalCompass' 2-dimensional grid. [politicalcompass.org]

        Note also that, as you allude to, Democrats--with rare exception--are also on the anti-civil liberties side of that divide (and are in favor of a police state).

        There is 1 outlier shown on their graph for the current race. [politicalcompass.org]
        (Green Party candidates aren't shown yet.)

        I have also looked at their interactive chart for senators and the most "Progressive" states I could find (Rhode Island and Minnesota) were still in the upper right quadrant.

        -- OriginalOwner_ [soylentnews.org]

    • (Score: 2) by Runaway1956 on Wednesday February 17 2016, @03:22PM

      by Runaway1956 (2926) Subscriber Badge on Wednesday February 17 2016, @03:22PM (#305808) Journal

      Ditto what Anal Pumpernickel said. If you doubt that there are left wing authoritarians, then you've just not been paying attention. Who is it that wants to pass a new law, every time a new crime is dreamed up, every time someone beats a jury, every time another "minority" is "offended"? Authoritarians from the left want to control your every word, every action, every thought.

      --
      “Take me to the Brig. I want to see the “real Marines”. – Major General Chesty Puller, USMC
      • (Score: 1) by purple_cobra on Wednesday February 17 2016, @06:34PM

        by purple_cobra (1435) on Wednesday February 17 2016, @06:34PM (#305872)

        I agree that there's little point blaming along partisan lines; if some entity wishes to control you, you should be immediately distrustful, whether it's by creating laws to "prevent" you being a dick or creating laws preventing you from using your dick (or other genitalia you have present; see the whole de-funding of Planned Parenthood (IIRC) saga, etc).
        The whole partisan pissing contest is whipped-up by tabloid press/TV, solely to stop people engaging their eyes, ears and brains to identify who they're more alike: their neighbour who maybe votes a different way or the puffed-up bombast yelling on the screen in front of them, made rich by keeping you poor.

      • (Score: 1, Informative) by Anonymous Coward on Wednesday February 17 2016, @08:42PM

        by Anonymous Coward on Wednesday February 17 2016, @08:42PM (#305931)

        Authoritarians want to control your every word, every action, every thought.

        There. FTFY. cf. here [wikipedia.org], here [wikipedia.org], here [cnn.com], here [wikipedia.org] and here [time.com]

        See what I mean? Those authoritarians are everywhere!

        • (Score: 0) by Anonymous Coward on Wednesday February 17 2016, @11:04PM

          by Anonymous Coward on Wednesday February 17 2016, @11:04PM (#306005)
          Dianne Feinstein (D-Calif.) is un-apologetically leading [thehill.com] the charge against encryption.
  • (Score: 4, Informative) by mendax on Wednesday February 17 2016, @02:22PM

    by mendax (2840) on Wednesday February 17 2016, @02:22PM (#305778)

    The New York Times has some "breaking news" [nytimes.com] which says that Apple will not comply with the judge's order. It's a good way to get in trouble with the judge but it's the right decision on Apple's part.

    --
    It's really quite a simple choice: Life, Death, or Los Angeles.
    • (Score: 2) by takyon on Wednesday February 17 2016, @02:37PM

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Wednesday February 17 2016, @02:37PM (#305788) Journal

      Added to summary.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 2) by captain normal on Wednesday February 17 2016, @03:37PM

      by captain normal (2205) on Wednesday February 17 2016, @03:37PM (#305816)

      Tim Cook and Apple just went up a bit in my estimation. Also he makes a very good argument: if the government wins then China and other oppressive regimes would demand the same ability to break encryption on Apple's products.

      --
      The Musk/Trump interview appears to have been hacked, but not a DDOS hack...more like A Distributed Denial of Reality.
      • (Score: 1) by pTamok on Wednesday February 17 2016, @03:48PM

        by pTamok (3042) on Wednesday February 17 2016, @03:48PM (#305822)

        They will still demand the ability.

        It is better to rely on mathematics and the laws of physics to assure security than on the legal systems of multiple countries.

        If, say, the Chinese authorities 'pinkie promise' that they'll never touch your data, or you can build in the best hardware encryption and anti-tamper that can be designed in, which would you choose?

        • (Score: 0) by Anonymous Coward on Wednesday February 17 2016, @04:05PM

          by Anonymous Coward on Wednesday February 17 2016, @04:05PM (#305826)

          > It is better to rely on mathematics and the laws of physics to assure security than on the legal systems of multiple countries.

          There ought to be an axiom along those lines - The laws of physics always trump the laws of man.

  • (Score: 2, Insightful) by Alfred on Wednesday February 17 2016, @02:49PM

    by Alfred (4006) on Wednesday February 17 2016, @02:49PM (#305796) Journal
    The owner is dead so why would they need the phone? Maybe to gather terrorism leads. When they have secured those leads will you ever find out if they acted on them? No, you won't.

    So it is possible that they have already cracked the phone via some established method and are acting on the leads already. Then why make a public stink about this supposed difficulty? To build the image that iPhones are really secure so more people of interest will get iPhones which are readily cracked by that established method the government already has.

    It wouldn't be the first time a lie has been made to drive people to a disadvantaged position.
    • (Score: 2) by tizan on Wednesday February 17 2016, @04:52PM

      by tizan (3245) on Wednesday February 17 2016, @04:52PM (#305839)

      You watch too many Hollywood or X-files type of shows.

      My answer: "Hanlon Razor"

      Sorry, I doubt the FBI has such institutional intelligence (or malice).

      Their agents are known as "Fry Bread Inspectors" for some good reasons in the Southwest......OK, maybe there are a few intelligent ones somewhere...but the majority are not IQ 170 with culture or who are well versed about the history of the world etc as you see in movies!

      It took them nearly 2 months to deal with stupid nutcases at the Malheur Refuge. Yes I am not surprised it is taking them months to get into the phone of somebody.

      • (Score: 2) by Alfred on Wednesday February 17 2016, @05:57PM

        by Alfred (4006) on Wednesday February 17 2016, @05:57PM (#305865) Journal
        Nah, don't watch Hollywood or TV, they might be tracking me ;-) But I do have a special TV watching hat.

        Consider the high profile cases the FBI has, the ones that will bring scrutiny on the FBI. No bureaucrat wants scrutiny. Assume that for the thousands of agents they have that they have 2 or 3 real smart ones. Wouldn't you want at least one of those smart ones to be available for high profile cases like this? (wondering what the other 2 are always working on all the time is another question) Even a bad manager pulls in guys to help to avoid being scrutinized.

        Maybe I am overestimating the collaboration between them and the NSA who would already have it open.

        We could also say to not attribute to stupidity what can be attributed to greed. Apple will surely sell more phones by this advertising of their security whether or not they are secure or in bed with the NSA.
      • (Score: 0) by Anonymous Coward on Wednesday February 17 2016, @06:09PM

        by Anonymous Coward on Wednesday February 17 2016, @06:09PM (#305867)

        > It took them nearly 2 months to deal with stupid nutcases at the Malheur Refuge.

        That is not an indictment of the FBI. Not every problem has an immediate solution. They pulled it off with only one death, of a guy who sure seemed to have a death wish given his videos. It sure was a better result than Ruby Ridge and Waco.

        • (Score: 2) by tizan on Wednesday February 17 2016, @11:08PM

          by tizan (3245) on Wednesday February 17 2016, @11:08PM (#306006)

          But FBI from Hollywood would have night vision, dart guns etc etc...they would have gone after one member after another in the night.
          With some smart good looking person manipulating the whole thing...

          then release them, make the others think they are snitches etc...they would have disbanded in days!

    • (Score: 3, Insightful) by NotSanguine on Wednesday February 17 2016, @09:14PM

      by NotSanguine (285) <reversethis-{grO ... a} {eniugnaStoN}> on Wednesday February 17 2016, @09:14PM (#305952) Homepage Journal

      > So it is possible that they have already cracked the phone via some established method and are acting on the leads already. Then why make a public stink about this supposed difficulty? To build the image that iPhones are really secure so more people of interest will get iPhones which are readily cracked by that established method the government already has.

      Alternatively, given what prosecutors/FBI are demanding [wired.com]:

      > Specifically, in order to perform the search ordered in the warrant, the government requests that Apple be ordered to provide the FBI with a custom signed iPhone Software ("IPSW") file, recovery bundle, or other Software image File ("SIF") that can be loaded onto the SUBJECT DEVICE. The SIF would load and run from Random Access Memory ("RAM") and accordingly would not change the operating system on the actual SUBJECT DEVICE, the user data partition (i.e., where the contents of files created or modified by the user are stored), or system partition on the device's flash memory. Importantly, the SIF would be created with a unique identifier of the SUBJECT DEVICE so that the SIF would only load and execute on the SUBJECT DEVICE. [emphasis added]

      it's entirely likely that the FBI/NSA are unable to crack the encryption and, as such, are seeking this code from Apple. It seems to me that the highlighted section is a smoke screen and the NSA would, in short order, be busy disassembling the code and modifying it to accept the UID of any phone whose data it wishes to decrypt.

      The focus on the single device gives them political cover, while forcing Apple to give them the means to defeat iOS 8+ security.

      I have no evidence for this, but if I were the NSA/FBI that's what I would do.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
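
An added example, not part of any comment in this thread and not Apple's code: a sketch of how a loader can bind a signed image to one device identifier, as the filing quoted above describes. The image layout, the names and the sample serials are assumptions, and HMAC-SHA256 stands in for the vendor's asymmetric signature so the example runs offline. With the identifier inside the signed bytes, editing it alone invalidates the image, so an image for another device has to be produced with the signing key.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the vendor's signing key (assumption). Real firmware
# signing uses an asymmetric key pair; HMAC is used only to keep this offline.
VENDOR_KEY = b"constructed-demo-signing-key"
TAG_LEN = 32

def build_image(payload: bytes, device_id: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Return header || payload || tag; the tag covers the device ID header."""
    header = struct.pack(">H", len(device_id)) + device_id
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

def parse_image(image: bytes):
    """Split an image into (device_id, signed_bytes, tag); raise on bad layout."""
    if len(image) < 2 + TAG_LEN:
        raise ValueError("image too short")
    (id_len,) = struct.unpack(">H", image[:2])
    if len(image) < 2 + id_len + TAG_LEN:
        raise ValueError("truncated device ID")
    return image[2:2 + id_len], image[:-TAG_LEN], image[-TAG_LEN:]

def loader_accepts(image: bytes, this_device_id: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Accept only an authentic image whose bound ID equals this device's ID."""
    try:
        bound_id, signed, tag = parse_image(image)
    except ValueError:
        return False
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False  # any edit to header or payload lands here
    return hmac.compare_digest(bound_id, this_device_id)

def tamper_device_id(image: bytes, new_id: bytes) -> bytes:
    """Rewrite the ID field but keep the old tag, as an edit without the key would."""
    old_id, signed, tag = parse_image(image)
    payload = signed[2 + len(old_id):]
    return struct.pack(">H", len(new_id)) + new_id + payload + tag

# Constructed sample values, not real serial numbers.
DEVICE_A, DEVICE_B = b"SERIAL-A-0001", b"SERIAL-B-0002"
IMAGE_A = build_image(b"demo-ram-image", DEVICE_A)
```
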
  • (Score: 3, Insightful) by fnj on Wednesday February 17 2016, @04:06PM

    by fnj (1654) on Wednesday February 17 2016, @04:06PM (#305828)

    Apple also ordered to make for the Judge's pleasure a pony, out of sweet dreams and nothing else.

    • (Score: -1, Redundant) by Anonymous Coward on Wednesday February 17 2016, @09:18PM

      by Anonymous Coward on Wednesday February 17 2016, @09:18PM (#305953)

      Apple also ordered to pleasure the Judge and her pony.

      There. FTFY.

    • (Score: 0) by Anonymous Coward on Friday February 19 2016, @07:24AM

      by Anonymous Coward on Friday February 19 2016, @07:24AM (#306764)
      because what Apple is actually being asked to do is more likely to be possible than what you suggest.
  • (Score: 1, Interesting) by Anonymous Coward on Thursday February 18 2016, @12:29AM

    by Anonymous Coward on Thursday February 18 2016, @12:29AM (#306045)

    In late 2013, Apple used to have a statement in their transparency report that stated they had "never received an order under Section 215 of the USA Patriot Act." In 2014, that statement vanished [gigaom.com], suggesting that it was no longer true.

    Judge Pym and the FBI made a dumb mistake by making a public call for short-circuiting one of the most fundamental protections of any input-based login scheme. Dumb, because Apple has enough money to pay the lawyers and any billion-dollar fines that may ensue, and they'll be able to play a gambit against their competitors who have to stay quiet, either because they don't want guilt by association, or they've already been complicit in providing backdoors to US (and/or other) government agencies for their products.

    But does this mean that future requests will only be made through secret courts, under gag orders? Do we suddenly start seeing warrant canaries dropping left and right? The precedents of key disclosure law [wikipedia.org] are already scary enough, where one could be imprisoned indefinitely for refusing to disclose

    Our society is being held captive by belligerent troglodytes who are completely unaware of the societal implications of the technology they are charged with regulating. It hasn't been this bad since the 19th century Industrial Revolution years, and it will take decades of fixing, if it can be fixed at all. (And most of the "fixing" will be in the form of time passing, causing those currently in congress to retire or expire, probably to be replaced by unapologetic Tea-partiers or Clayton-Christensen-acolyte-bubble-dwellers.)

    • (Score: 2) by timbim on Friday February 19 2016, @01:20AM

      by timbim (907) on Friday February 19 2016, @01:20AM (#306671)

      you got a way with words bro