
posted by cmn32480 on Sunday March 06 2016, @02:47AM   Printer-friendly
from the so-simple-that-a-gov't-employee-could-do-it dept.

Russia Today reports

The US public doesn't need a Digital Security Commission; they need the FBI to stop deceiving everyone and tell the truth that it wants to spy on Americans, John McAfee, developer of the first commercial anti-virus program, told RT's Ed Schultz.

[...] "The FBI wants Apple to change their software so that it removes the check for security, so that we don't check for security anymore. Once it has that software, they can use that software on any phone. But they say they only need it for one phone."

[...] "You need a hardware engineer and a [software] engineer. The hardware engineer takes the phone apart and copies the instruction set, which are the iOS and applications, and your memory. And then you run a program called a disassembler, which takes all the ones and zeros and gives you readable instructions. Then the coder sits down and he reads through. What he is looking for is the first access to the keypad, because that is the first thing you do when you input your pad. It'll take half an hour. When you see that, then he reads the instructions for where in memory this secret code is stored. It is that trivial--a half an hour.
...The FBI knows this, Apple knows this."

[...] "In either case, if they (the FBI) don't know, that is tragic; if they do know it, then they are deceiving the American public and Apple and everyone else by asking for a universal key."

Do you see any flaws in McAfee's explanation?

Previous: Apple Wants Court To Rule If It Can Be Forced To Unlock iPhones
Seems Like Everyone has an Opinion About Apple vs. the FBI
Update: TPP-Exposing Journalist Ed Schultz Lands on His Feet at RT
John McAfee Announces He Will Run For President of the United States

  • (Score: 2, Disagree) by Covalent on Sunday March 06 2016, @02:59AM

    by Covalent (43) on Sunday March 06 2016, @02:59AM (#314343) Journal

    But it does seem remarkably unlikely that the FBI can't crack this phone. I don't normally go in for conspiracy theories of this kind, but I would not be surprised if this were true.

    Honestly, I'd be surprised if the FBI didn't have a system for dismantling a phone and reading the contents of the drives directly. Is such a thing really protected against by Apple? Experts, please feel free to highlight my ignorance. But memory is memory...once the phone has been physically dismantled, then survey the 10-tries-and-you're-out system can be circumvented, no?

    --
    You can't rationally argue somebody out of a position they didn't rationally get into.
  • (Score: 3, Funny) by Covalent on Sunday March 06 2016, @03:00AM

    by Covalent (43) on Sunday March 06 2016, @03:00AM (#314344) Journal

    Bah! Survey = surely. It's my damned iPhone! Autocorrect probably hacked by the FBI...

    --
    You can't rationally argue somebody out of a position they didn't rationally get into.
  • (Score: 2) by Non Sequor on Sunday March 06 2016, @03:56AM

    by Non Sequor (1005) on Sunday March 06 2016, @03:56AM (#314354) Journal

    It's questionable to me whether the FBI has staff that can desolder and construct an interface for an arbitrary memory chip. I also think that when the FBI starts to think it needs that, it's going to have more hoops to jump through to develop procedures for handling this kind of evidence, compared to the relative ease of handling hard drives.

    I think this handwringing is both because they have a short-term problem that they really aren't equipped to deal with this type of evidence, and the long-term problem that they see themselves as losing an arms race with security features. (I'll note that I think they should lose that arms race).

    --
    Write your congressman. Tell him he sucks.
    • (Score: 5, Interesting) by anubi on Sunday March 06 2016, @05:02AM

      by anubi (2828) on Sunday March 06 2016, @05:02AM (#314372) Journal

      I do not know if my experience is typical, but when I was working for a government aerospace contractor, it seemed like the most creative and intelligent techie types were the first to go, as the higher paid people who made the decisions of who stays and who goes seemed to feel threatened by them.

      Ideally, it seemed they were trying to engineer a business model of a few very highly paid people at the top, with below them lots of completely interchangeable minions.

      To do this, they used "compartmentalization", "need-to-know", "charge numbers", and a high rate of turnover to keep any one minion from becoming knowledgeable enough to pose any sort of threat to the job security of the ones hiring him at minimal salary to do a minimal function.

      Showing any sort of curiosity or inner drive to do something seemed a surefire way to get to the top of the next week's layoff list. The "motivational" and "inspirational" training they sent the managers to had the opposite effect on me, as they just seemed to be management's way of telling how unimportant and meaningless my life under them was.

      It seemed all about how to find people who would work for cucumber while they got the grape. And they did not mind flaunting it. Fancy offices, preferred parking, catered gatherings that only they were invited to, getting to spend half every day on "management training", and other perks. We sure were not important enough to train, especially "on the clock".

      Who would want a curious engineer around when they could shake the hand of the man earning a million dollars a year who hires the men that determine whether that engineer has a job next week?

      As for desoldering the chip, the way I do those is do a quick rough solderwick w/ lots of flux to remove what solder will remove that way. Then I dab on plenty of Sn42/Bi58 solder cream then heat the whole shebang up under an infrared source like a high power halogen. This bismuth based solder paste has a much lower melting point than standard solder - it will quickly alloy with the remaining solder and the whole pad area will liquefy, leaving the chip easily removable by suction cup or tweezer.

      An entrepreneur markets something like this solder paste under the name "ChipQuik", but I found the Sn42/Bi58 that works just as well much cheaper in China... Google up some solder alloy charts regarding bismuth/tin/lead to get a good idea of what your mix melts at. Once you have removed your chip, wick off the bismuth solder. Although it has a wondrously low melting point, it is quite brittle. In the lab, OK, but I would not want to ship it to a customer that way. Rosin flux cleans up nicely with industrial ethanol.

      I have on several occasions used this technique to remove 24Cxxx EEPROMS from boards I am reversing so I can solder the EEPROM back onto a memory board read by an Arduino, which then sends either a binary or Intel HEX file through the serial/USB port back to the PC that's running the disassembler...

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
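      The PC side of anubi's Arduino dump setup has to turn the Intel HEX stream back into a flat image before a disassembler can touch it, and the per-record checksum is the only thing standing between a flaky serial link and silently corrupted bytes. The parser below is an added example written for this thread, not code from anubi or from any project; the three-record dump it parses is constructed by hand (16 bytes of 0x00..0x0F, then the string "Hello, !", then an end-of-file record), not a real EEPROM. It handles data (00), end-of-file (01) and extended linear address (04) records and rejects any record whose checksum does not add up.

```python
"""Intel HEX -> flat byte image, with checksum verification.

Added example for the discussion above; the sample dump is constructed.
"""

# Constructed sample: two data records and an EOF record. Each record is
# ':' + byte count + 16-bit address + record type + data + checksum, with the
# checksum chosen so that all bytes of the record sum to 0 modulo 256.
SAMPLE_HEX = """\
:10000000000102030405060708090A0B0C0D0E0F78
:0800100048656C6C6F2C202187
:00000001FF
"""


def parse_ihex(text):
    """Return a dict mapping absolute address -> byte for every data record.

    Raises ValueError on a malformed record or a checksum mismatch, so a
    corrupted serial capture is caught instead of producing a plausible-looking
    but wrong image.
    """
    image = {}
    base = 0  # upper 16 address bits set by type-04 records
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: missing ':' start code")
        try:
            raw = bytes.fromhex(line[1:])
        except ValueError:
            raise ValueError(f"line {lineno}: non-hex characters") from None
        if len(raw) < 5:
            raise ValueError(f"line {lineno}: record too short")
        length, rtype = raw[0], raw[3]
        offset = (raw[1] << 8) | raw[2]
        data = raw[4:-1]
        if len(data) != length:
            raise ValueError(f"line {lineno}: byte count {length} != {len(data)}")
        if sum(raw) & 0xFF != 0:
            raise ValueError(f"line {lineno}: checksum mismatch")
        if rtype == 0x00:
            for i, b in enumerate(data):
                image[base + offset + i] = b
        elif rtype == 0x01:
            return image
        elif rtype == 0x04:
            base = int.from_bytes(data, "big") << 16
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
    raise ValueError("no end-of-file record")


def image_bytes(image, fill=0xFF):
    """Flatten the address map into contiguous bytes, filling unprogrammed
    cells with 0xFF (the erased state of an EEPROM)."""
    if not image:
        return b""
    lo, hi = min(image), max(image)
    return bytes(image.get(addr, fill) for addr in range(lo, hi + 1))


if __name__ == "__main__":
    img = image_bytes(parse_ihex(SAMPLE_HEX))
    for off in range(0, len(img), 16):
        chunk = img[off:off + 16]
        print(f"{off:04X}  {chunk.hex(' ')}")
```

      Flipping a single hex digit in any of the sample records makes parse_ihex raise on that line, which is the behaviour you want from the receiving side of a serial dump.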
      • (Score: 2, Interesting) by Anonymous Coward on Sunday March 06 2016, @06:53AM

        by Anonymous Coward on Sunday March 06 2016, @06:53AM (#314389)

        Most chips in phones are BGA. Much less fun to desolder, and even less fun to re-ball and then resolder onto a testbed.

        I do both hw and sw and I think the sw approach would be easier.

        That said, it would be good to do the hw approach and copy the FLASH contents before hacking the IOS.

        • (Score: 1) by anubi on Sunday March 06 2016, @07:17AM

          by anubi (2828) on Sunday March 06 2016, @07:17AM (#314393) Journal

          Quite true... I have yet to successfully do a BGA.

          --
          "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
          • (Score: 1, Interesting) by Anonymous Coward on Sunday March 06 2016, @06:52PM

            by Anonymous Coward on Sunday March 06 2016, @06:52PM (#314541)

            BGAs require either a focused hot air system (shaped nozzles, shields, etc.), or a heat plate. Either way, much care is needed regarding other parts which can't take the heat, such as: connectors, buttons, pots, switches, etc, which are made with plastics - you try to shield them, heatsink clip them, or just remove them first.

            An art professor friend of mine, who is very technologically savvy, had an Apple laptop fail (I don't know the model.) He learned it was a common problem with his model, that some of the BGAs weren't properly soldered (probably rushed through the IR oven) and the fix he found was to bake the motherboard in his home oven. I'm not sure the temp, maybe 450? Anyway, he removed vulnerable parts, baked it, reassembled it all, and it still works. He's an amazing teacher too.

      • (Score: 1, Informative) by Anonymous Coward on Sunday March 06 2016, @01:05PM

        by Anonymous Coward on Sunday March 06 2016, @01:05PM (#314458)

        I have on several occasions used this technique to remove 24Cxxx EEPROMS from boards I am reversing so I can solder the EEPROM back onto a memory board read by an Arduino

        I just use clamps: http://www.ebay.com/sch/i.html?_nkw=sop%208%20clamp [ebay.com]

        For the eMMCs, stuff like this is used: http://www.teeltech.com/mobile-device-forensic-software/coded-read-emmc-chips-without-soldering/ [teeltech.com]

        • (Score: 2) by RamiK on Sunday March 06 2016, @01:06PM

          by RamiK (1813) on Sunday March 06 2016, @01:06PM (#314459)

          Though I personally only tried the SOP8 clamps ;)

          --
          compiling...
      • (Score: 3, Interesting) by Bobs on Sunday March 06 2016, @01:23PM

        by Bobs (1462) on Sunday March 06 2016, @01:23PM (#314464)

        I do not know if my experience is typical, but when I was working for a government aerospace contractor, it seemed like the most creative and intelligent techie types were the first to go, as the higher paid people who made the decisions of who stays and who goes seemed to feel threatened by them.

        This has been my experience as well with less competent managers. Good leaders will figure out how to encourage and use the creative and intelligent, the poor ones will purge them as threats.

        • (Score: 1) by bitstream on Sunday March 06 2016, @01:45PM

          by bitstream (6144) on Sunday March 06 2016, @01:45PM (#314480) Journal

          And the market place will hopefully purge the corporations run by less than competent managers ;)

          It's however quite sad how much talent is wasted for idiotic reasons or people.

          • (Score: 0) by Anonymous Coward on Sunday March 06 2016, @09:36PM

            by Anonymous Coward on Sunday March 06 2016, @09:36PM (#314587)

            Nah, big orgs always degenerate this way. Either work for a smaller org, or learn to play the game.

    • (Score: 4, Interesting) by frojack on Sunday March 06 2016, @06:14AM

      by frojack (1554) Subscriber Badge on Sunday March 06 2016, @06:14AM (#314383) Journal

      It's questionable to me whether the FBI has staff that can desolder and construct an interface for an arbitrary memory chip.

      Agreed, they probably can't do it. And neither can Joe Random programmer and Bob Random EE working together.

      John McAfee seems unlikely to be of much help either. The chip was invented long after John was well and truly out of computing in any real way.

      I've done a small amount of dis-assembly, trying to recover source code for a program where the source code was lost, and all there was left was an executable. It can be months of work, and you cannot easily discern the path through the code that will be taken at execution time. This was true back in 486 days, and it's more true today with multi-core processors. And it wasn't with the amount of code in a whole operating system.

      I think this is more of Big John's buffoonery and talking out his ass.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 1) by anubi on Sunday March 06 2016, @06:29AM

        by anubi (2828) on Sunday March 06 2016, @06:29AM (#314385) Journal

        It was hard enough in the days of the 8086, I began really taking a long time to do this under '286, especially under protected mode such as Phar-Lap. I do not even try on the later stuff anymore. Out of my league.

        I will still reverse and modify microcontroller stuff though. You know - stuff based on 8051 or similar. Often the source code is long gone by the time it gets to me. And someone just wants it to work again.

        If not that, I just replace the whole shebang with an Arduino-compatible and any interfaces I may need to conjure up. It's amazing what can be done with "propeller" chips slaved to an Arduino via I2C.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 2) by frojack on Monday March 07 2016, @05:45PM

      by frojack (1554) Subscriber Badge on Monday March 07 2016, @05:45PM (#315108) Journal
      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by Non Sequor on Monday March 07 2016, @06:57PM

        by Non Sequor (1005) on Monday March 07 2016, @06:57PM (#315150) Journal

        I ended up reading his backstory after posting that, and exaggerating to get attention and then playing it off as a carefully calculated move after the fact is completely in character for McAfee.

        --
        Write your congressman. Tell him he sucks.
  • (Score: 5, Insightful) by mth on Sunday March 06 2016, @04:15AM

    by mth (2848) on Sunday March 06 2016, @04:15AM (#314359) Homepage

    While the approach McAfee outlined most likely won't work (I'd be very surprised if Apple stored the PIN rather than use it as input for a one-way function), I agree that the FBI could probably crack the phone.

    If they can dump the flash (via JTAG or perhaps even via the update protocol), they could copy all the data to multiple new iPhones and brute force the PIN. They could even avoid having to do a full re-image of those phones by figuring out where the failed PIN entry counter is stored and resetting the counter when it is one attempt below the wipe limit.

    The most benign explanation I can think of is that bureaucracy led to the wrong people being assigned to the project. A more cynical explanation would be that the FBI wants to (ab)use a terrorism case to set a precedent that manufacturers have to break encryption when asked to do so because the FBI is worried that they might not be able to crack future phones. Or perhaps they want a quicker way of cracking phones so they can afford to do it on more cases.

    • (Score: 1) by baldrick on Sunday March 06 2016, @05:15AM

      by baldrick (352) on Sunday March 06 2016, @05:15AM (#314373)

      Yes - I would have expected them to have copied the full data and run it in an emulator by now.

      the FBI/CIA/NSA/CNTS must have the ability to do a raw dump of most of the popular smartphones

      --
      ... I obey the Laws of Physics ...
    • (Score: 0) by Anonymous Coward on Sunday March 06 2016, @09:32AM

      by Anonymous Coward on Sunday March 06 2016, @09:32AM (#314413)

      If you ask me, all of this is about trying to save face. Make things look like you could use the products of a US company without immediately becoming the bitch of the US gov.

    • (Score: 4, Insightful) by q.kontinuum on Sunday March 06 2016, @10:14AM

      by q.kontinuum (532) on Sunday March 06 2016, @10:14AM (#314419) Journal

      If they can dump the flash (via JTAG or perhaps even via the update protocol), they could copy all the data to multiple new iPhones and brute force the PIN.

      Unlikely. The encryption/decryption key is most likely stored on a separate TPM chip and can't be reasonably copied. It would be decrypted by entering the right pin and then used to decrypt the flash.

      In an insecure system the firmware of the device deletes the flash after N attempts. In a better system, the firmware deletes the encrypted key from the TPM chip. In an even better system, the TPM chip has a checksum of the decrypted key and deletes the key after N attempts within the TPM chip, with this part of the software of that chip being immutable.

      --
      Registered IRC nick on chat.soylentnews.org: qkontinuum
      • (Score: 3, Insightful) by Anonymous Coward on Sunday March 06 2016, @11:00AM

        by Anonymous Coward on Sunday March 06 2016, @11:00AM (#314429)

        You are correct.

        The correct pin code and half of the larger (and more entropic) key to decrypt the drive are stored inside a security chip on the iPhone.

        When the correct pin is entered the software is given the other half of the key and then it decrypts the device. McAfee is wrong, it's not called "instruction set". It's called "software", specifically "firmware". Once the phone's firmware image is obtained, you can change it all you want. You can even load it into a virtual machine / emulator on a super computer and try to brute force the drive encryption -- but you only have 1/2 of a large random key. That's what the FBI wants to avoid.

        The FBI wants to bruteforce the pin code, since that will be significantly faster. It doesn't help them to brute force the pin code when not running on the device because the part of the key they're trying to unlock is not stored in firmware or software. The changes the FBI wants made to the firmware / software would be to not erase the keys after 10 wrong attempts. What McAfee is suggesting is that the changes to the firmware are trivial. This is correct. However, the changes made cannot be re-uploaded to the phone, as McAfee assumes. The firmware / OS software is signed and any changes will then fail a fingerprint test.

        The way the firmware is signed is that a hash of the payload is encrypted with an asymmetric public key, and the output stored right next to the hash. Only Apple (and probably the NSA, or CIA) has the private key that can sign a firmware payload.

        The FBI is lying. Once they get their hands on a modified firmware that's signed, they can flash it onto any compatible device and crack the pincode in short order. However, the FBI is not lying in that they will permit the entire unlocking and cracking procedure to happen inside Apple, and the FBI only be given the device data. The FBI is correct that this would only affect one phone. However, it will set a legal precedent via which subsequent requests to judges will have them rubber stamping requests for Apple to perform the phone hack and turn the data over to the FBI.

        Apple is protesting because this will force them to do a bunch of work for the FBI, and that's unconstitutional. Apple could avoid all of that work if they just hand over the modified and signed firmware for that phone. Apple's signing system is not as secure as it could be in that they do not generate a new signing key for each device. This would require each update to be signed uniquely for every phone they are installed on. So Apple just has one signing key for many devices and that means a hacked firmware is available to all.

        In the future Apple will likely place the unlock counter into the security chip which has the key -- it would be trivial to make a 4 bit adder, and that chip already has a delete key feature...

        What's fishy to me is that all the FBI had to do was take the phone into the environment it typically operated under, and it would have initiated a backup to "cloud" storage -- Except the FBI had the iCloud key changed to prevent this. So, they locked themselves out of the device, and they don't want to have to rely on the NSA to unlock the phone for them. Were I the judge I'd tell them, "Tough Titties, Ya Blew it! Get outta 'ere! Go make nice with your agency friends and stop harassing Apple."
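        The three threads of argument above (mth's point that the PIN is input to a one-way function rather than stored, q.kontinuum's point that the key lives in a separate chip and the attempt counter belongs inside that chip, and the AC's point that half the key never leaves the security chip so an emulator holding only the flash image has nothing to brute force) can be checked against a small model. The code below is an added example written for this discussion, not Apple's design or code; the "security chip" is a Python class with a constructed device secret, the KDF is the standard library's PBKDF2-HMAC-SHA256 with an illustrative iteration count, and the wrapping is a plain XOR of the volume key under the derived key, all chosen for readability rather than as a claim about the real implementation. It shows three defensive properties: the correct PIN unwraps the key only on the chip holding the matching device secret, a copied flash image on another chip yields nothing even with the correct PIN, and because the counter lives inside the chip there is no firmware-reachable way to reset it before the key is erased.

```python
"""Toy model of PIN-entangled key protection with the retry counter inside
the security chip.  Added example, not Apple's code; all values constructed."""
import hashlib
import hmac
import os

WIPE_LIMIT = 10          # the "10 tries and you're out" limit discussed above
KDF_ITERATIONS = 20_000  # illustrative work factor, assumption for this model


class SecureElement:
    """A device-unique secret that never leaves the chip, the volume key
    wrapped under a key derived from (PIN, device secret), and the failed-
    attempt counter held in the chip rather than in flash or firmware."""

    def __init__(self, device_secret, salt, wrapped, check):
        self._device_secret = device_secret  # never part of a flash dump
        self._salt = salt
        self._wrapped = wrapped
        self._check = check
        self._attempts = 0                   # no method exposes a reset
        self._wiped = False

    @classmethod
    def provision(cls, device_secret, volume_key, pin):
        """First boot: wrap a fresh 32-byte volume key under the PIN-derived key."""
        salt = os.urandom(16)
        kek = cls._derive(device_secret, salt, pin)
        wrapped = bytes(a ^ b for a, b in zip(volume_key, kek))
        return cls(device_secret, salt, wrapped, cls._check_value(kek))

    @classmethod
    def from_flash(cls, device_secret, flash_image):
        """Load a copied flash image onto a chip with its own device secret.
        The counter starts fresh, but the wrapped key is useless here."""
        return cls(device_secret, flash_image["salt"],
                   flash_image["wrapped"], flash_image["check"])

    @staticmethod
    def _derive(device_secret, salt, pin):
        # The device secret is mixed into the salt, so the same PIN yields a
        # different key on every chip: the one-way function mth describes.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(),
                                   salt + device_secret, KDF_ITERATIONS, dklen=32)

    @staticmethod
    def _check_value(kek):
        # Lets the chip recognise a correct PIN without storing the PIN itself.
        return hmac.new(kek, b"unwrap-check", hashlib.sha256).digest()[:16]

    def export_flash(self):
        """Everything a flash dump reveals: salt, wrapped key, check value."""
        return {"salt": self._salt, "wrapped": self._wrapped, "check": self._check}

    @property
    def attempts(self):
        return self._attempts

    @property
    def wiped(self):
        return self._wiped

    def unlock(self, pin):
        """Return the volume key on the correct PIN, None on a wrong one, and
        erase the wrapped key once WIPE_LIMIT consecutive failures accumulate."""
        if self._wiped:
            raise PermissionError("wrapped key has been erased")
        kek = self._derive(self._device_secret, self._salt, pin)
        if hmac.compare_digest(self._check_value(kek), self._check):
            self._attempts = 0
            return bytes(a ^ b for a, b in zip(self._wrapped, kek))
        self._attempts += 1
        if self._attempts >= WIPE_LIMIT:
            self._wrapped = None
            self._wiped = True
        return None


if __name__ == "__main__":
    volume_key = os.urandom(32)
    phone = SecureElement.provision(os.urandom(32), volume_key, "1234")
    print("correct PIN on own chip:", phone.unlock("1234") == volume_key)
    clone = SecureElement.from_flash(os.urandom(32), phone.export_flash())
    print("correct PIN on cloned flash, other chip:", clone.unlock("1234"))
    for _ in range(WIPE_LIMIT - 1):
        clone.unlock("0000")
    print("clone wiped after limit:", clone.wiped)
```

        The firmware-counter design q.kontinuum calls "insecure" would be the same class with the counter kept in a flash field that from_flash reloads and firmware can rewrite; moving it into the chip is the whole difference.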

        • (Score: 0, Disagree) by Anonymous Coward on Sunday March 06 2016, @05:24PM

          by Anonymous Coward on Sunday March 06 2016, @05:24PM (#314520)

          First this....

          it's not called "instruction set". It's called "software", specifically "firmware".

          Then...

          It doesn't help them to brute force the pin code when not running on the device because the part of the key they're trying to unlock is not stored in firmware or software.

          I should stop there since you apparently think the digital key is stored in the magical fairy dust apple dusts under the touchscreen.

          However this seems naive and highly speculative about the intentions and capabilities of the FBI

          However, the FBI is not lying in that they will permit the entire unlocking and cracking procedure to happen inside Apple, and the FBI only be given the device data.

          This entire discussion is stupid security theater (I have no proof, that is my opinion). The fact is that securing your device with a 4 digit pin is token security. There is always a way to engineer a work-around, as evidenced by the device deleting the keys after 10 attempts. With the correct equipment and reverse engineering you can hack the hardware and then trivially hack the 4 digit pin, as many many comments on this site and elsewhere have pointed out.

          • (Score: 0) by Anonymous Coward on Monday March 07 2016, @01:17AM

            by Anonymous Coward on Monday March 07 2016, @01:17AM (#314657)

            I should stop there since you apparently think the digital key is stored in the magical fairy dust apple dusts under the touchscreen.

            The pin code isn't stored there. It's stored in a secure chip off the main CPU. This is covered in their security specification. The only way to get at the pincode without brute forcing it would be to peel off layers of silicon and hope that you don't destroy the keys in that chip in the process. You are legitimately a moron.

          • (Score: 0) by Anonymous Coward on Monday March 07 2016, @01:21AM

            by Anonymous Coward on Monday March 07 2016, @01:21AM (#314659)

            First this....

            it's not called "instruction set".

            Confirmed retarded. An instruction set is the set of instruction opcodes that a processor accepts. It is not the actual set of software for the device. By your logic "digits" and operations are algorithms. No, algorithms are made of many digits and operations but digits and operations themselves are not Algorithms. Algorithms are to software what digits and symbols are to an instruction set.