This kind of stuff invokes an emotional response in me to go easy on the state getting into my private stuff. That’s really clever, that is.

You’re just a bit of a soft touch, I don’t go easy on the state until they start claiming it’s so they can catch paedophile terrorists.

It’s a tricky one – Apple deliberately didn’t include back-door functionality so it was more secure and the iPhone is actually pretty decent for data protection (to the extent they are being deployed in government departments where security is critical).

The encryption is done via hardware, as well as some of the secure boot environment so it’s likely not as trivial as jail-breaking and bypassing OS-level security features (I suspect the 10 attempts then wipe feature could be disabled in this manner though and if it can then I guarantee the NSA etc. already have this working).

So it might be require a fair bit of work on Apple’s part to come up with a solution that fully meets the FBI’s requirement and doing so (as has been said) creates something that can’t easily be uncreated.

As for the ethics – I doubt anyone objects on privacy grounds to the FBI having access to the data on this one phone but there is a need for decent encryption that doesn’t have government backdoors (and it’s not just terrorists that need this).

What governments would have the backdoor information and how do you secure it?

Shouldn’t people living under oppressive regimes be able to communicate securely to organise themselves without fear of death due to their government having backdoor access to their communication?

Some of the projects I work on involve classified data and we defend systems against nation-state attacks (and it’s not China, Russia and North Korea…), encryption is core to that. The same holds for other projects whereby it’s corporate commercially sensitive data – without encryption it’s not viable to conduct business in the digital world.

So where do you draw the line with encryption?

Tim Cook’s “Customer Letter”

Apple is on very dangerous and weak ground here, trying to defy a court investigating terrorists who carried out mass killings in California

Its one of those it is always a balance between individual freedoms and the states responsibility to crack down on terrorism/crime to make us all feel safer

IMHO apple is deliberately making their phone uncrackable[ its been done for profit not civil liberties] is probably tipping the balance too far one way.

I would want very thorough oversight of how and when they get access to phones/data.

I would want very thorough oversight of how and when they get access to phones/data.

Who exactly would be providing that oversight of Russian criminal groups or the Chinese government? You add a backdoor for the FBI or GCHQ, you add a backdoor for everyone.

No they can’t modern encryption (mix of hardware and software) means it’s impossible to break in practical terms.

Well the NSA aren’t likely to tell us so we can only guess, but they have access to the physical device which I imagine opens up a pretty broad range of attacks.

I’d be surprised if they didn’t have some method they could deploy.

I’d be surprised if they didn’t have some method they could deploy.

Either:

[list]
[*]They don’t have the capability, that’s why they are forcing Appke’s hand.[/*]
[*]They do have the capability but don’t want us to know that.[/*]
[/list]

Rachel

apple want you to consider their phone secure enough to access your bank account, relying on the phone’s verification that it’s actually you using it. i would think it very important to them that they don’t roll over on this.

also, in this case, i fail to see how it helps the FBI’s case? they’ve got victims, they’ve got the shooter, they’ve got a ton of evidence, what do they need his phone for? people who ‘may’ have helped him? because it’s so hard to come by serious weaponry in the US?

Or they have the capability but it is dodgy legal ground and wouldn’t be admissible as evidence so they want a more “legit” method.

They should make an episode of Spooks, NCIS, CSI etc with the real tech available and see what they manage to solve then.

<Tin_foil_hat>
Isn’t it all just a big “Look, the iPhone’s really really secure so please can all master/amature criminals become extra complacent with it when plotting their schemes… Shhh, don’t tell them we can really read every single word.”
</Tin_foil_hat>

It’s very easy to sit in front of our computers in the democratised, free-speaking western world and argue in favour of governments being able to access all data everywhere. Meanwhile in other countries people are executed for saying something the regime doesn’t like. I think someone said it up there ^ somewhere, the precedent set here will be a global one so we need to think of the global repercussions.

If they passed a current throught the persons hand and pressed it against the sensor on the dead body, they would be able to access the data.

Or at least a couple of fingers (they had a choice of ten)

Don’t ask me how i know

PS

But the phone service would shirley hand over the data of which sites and calls the phone has been on as well as numbers called, so why pester Apple.

Meanwhile in other countries people are executed for saying something the regime doesn’t like.

I wouldn’t say the US has a particularly great track record on this either given what happens to various whistle-blowers and “suspected terrorists” being held and tortured without charge. (And regardless of your moral stance on torture, there’s no evidence it actually works).

I’m with Apple (and Google) on this.

I’m in support of the FBI, the request relates to a Crime, I’m happy they access the info.
Surprised Apple are refusing it TBH, almost “withholding information” well, not quite..

TBH, those saying that this undermines free speech etc all over the world.

Does Yale complain about the sale of hammers which have the potential to defeat it’s locks?

It’s not a blanket “we want access to all iPhones”, they’re asking for this specific one to be unlocked, or proof that it’s not possible. Not asking for backdoor to be created, and presumably if they’re asking they already know there is a way.

A bit like in this country, they can ask/force you to unlock a phone by fingerprint, but can’t force you to give up the pin (IIRC, may be an urban myth).

If they passed a current throught the persons hand and pressed it against the sensor on the dead body, they would be able to access the data.

The 5C doesn’t have touch ID does it? Oh and when you first start an iPhone you have to access it with a PIN, Touch ID is for unlocking only.

I find this a really interesting case. It’s one think saying “it’s only this device” but once the procedure has been shown to work what’s to stop a Government or law enforcement agency saying “Now we need this one unlocking. He was a really bad guy, honest”?

Oh and that Register article suggests that later iPhones, 5S and up, would still be difficult to use a brute force attack on as the PIN timeout feature is implemented differently.

Mind you, at the end of the day I don’t have much doubt Apple could do it if they wanted to. Perhaps they will, but not publicly.

A bit like in this country, they can ask/force you to unlock a phone by fingerprint, but can’t force you to give up the pin (IIRC, may be an urban myth).

99% sure it is, there are legal ways to make a person give up a password hence why dummy encrytions are useful.

Chap i work with has been deemed to be “at odds” with his home government.

He’ll be shitting it, his current iphone is the only phone he’s been able to keep going for more than 3 or 4 months before it starts “playing up” and mysteriously leaking information.

Im not coming down on either side of this debate as I’m very conflicted in my opinion at the moment, but I am going to point out factual/technical errors from both sides if and when I see them.

If they passed a current throught the persons hand and pressed it against the sensor on the dead body, they would be able to access the data.

Or at least a couple of fingers (they had a choice of ten)

not applicable in this case, the fingerprint unlock functionality has a timeout, if the phone hasn’t been unlocked in X hours (48 I think?), or has been powered off then it will require the passcode to unlock, a finger (alive or dead) wont get you in.

No they can’t modern encryption (mix of hardware and software) means it’s impossible to break in practical terms.

Not actually relevant in this particular case, it’s a 5c, which doesn’t have a SE, the only thing stopping them from just trying passcodes repeatedly until they get the right one (not many in real terms as it’s not many digits) is the software measures which mean you only get 10 attempts before wipe, their issue isn’t that the phone is encrypted per se, it’s that they can’t brute-force the pin code without causing to wipe itself.

The FBI aren’t requesting that Apple break the encryption, or even asking them to provide decrypted data, they are asking them to remove the 10 attempt limit by providing altered software that they can load onto *this* phone.

It’s not a blanket “we want access to all iPhones”, they’re asking for this specific one to be unlocked

Correct, but as many have said, and extending on my comment above proving/providing a way to do it for *a* phone produces the risk that it’s only a matter of time before that method is kludged into working for *any* phone to allow them to brute-force it without the self wiping countermeasures kicking in.

Not asking for backdoor to be created

They’re not asking for an encryption backdoor no, but they are asking for them to create software that allows them to keep knocking on the front door until they get in, so they’re asking for a backdoor into the phone/through the security measures, just not the actual encryption bit.

Also of note, but not being widely mentioned in most articles relating to this is that the phone in question was the work phone of the deceased, who also had, and destroyed *two* other personal phones prior to the shooting, but not this one. This suggests that he did not consider this phone worth destroying, probably because there was nothing on it of note, however the FBI want to go looking around on there anyway ‘just in case’ there is some data on there that they can use.

It’s not a blanket “we want access to all iPhones”,

IANAL… but, it’s never been done before, so doesn’t it create a legal precedent? Subsequent backdoorings will be a lot easier if they can refer to case law. if they then ask for a more recent version of the iPhone to be unlocked, the legal situation is the same so they’ll have to unlock it.

That’s why they are looking to challenge the decision, and are going public about because it’s a sensitive issue.

but once the procedure has been shown to work what’s to stop a Government or law enforcement agency saying “Now we need this one unlocking. He was a really bad guy, honest”?

Slippery slope argument

It’s very easy to sit in front of our computers in the democratised, free-speaking western world and argue in favour of governments being able to access all data everywhere.

No one has argued they should have “access to all data everywhere” just that it might be useful to allow them to get the info on the “baddies”

Im not coming down on either side of this debate as I’m very conflicted in my opinion at the moment

Agreed most of us can probably think of reasons why this is a good thing and why this is a bad thing. We have to decide this on a case by case basis IMHO rather than just agree to give them no access or complete access

I have to laugh at the “libertarians” here who complain about privacy, Google, Facebook etc scan every single message and everything you do online in order to sell that information to advertisers

What people seem to forget is you’ve signed up to their service to use free of charge. I didn’t sign up to the government having a back door into my private conversations. Plus I trust Google and Apple with my data far more than I trust any government.

Not actually relevant in this particular case, it’s a 5c, which doesn’t have a SE, the only thing stopping them from just trying passcodes repeatedly until they get the right one (not many in real terms as it’s not many digits) is the software measures which mean you only get 10 attempts before wipe, their issue isn’t that the phone is encrypted per se, it’s that they can’t brute-force the pin code without causing to wipe itself.

According the The Register, the PIN timeout feature still applies without SE and that needs disabling too in order to allow a brute-force attack in a reasonable time-frame.
“The mobile operating system introduces delays between PIN entry attempts, ramping up to an hour-long wait after the ninth incorrect passcode. The Feds don’t want to enter thousands upon thousands of possible PINs at a rate of one an hour, and so they want this timing feature disabled”.

Anyway, here’s another thought. Apparently the user disabled iCloud prior to carrying out the attack which means the phone couldn’t be restored from that. Now I would be slightly surprised if Apple didn’t back up their data servers and were not able to restore a deleted iCloud account. If they could do that, and if they had the capability to reset the password (something else I imagine they would deny they can do), presumably they could brick the phone and restore it from iCloud. Or possibly even spoof a new phone to restore from the iCloud account leaving the original “safe”.

Still, looking at the way the feds treat Mulder and Scully, who would help them out eh?

It sounds to me like the FBI just aren’t trying hard enough. All they’re complaining about is the automatic wipe iPhone’s do if the PIN is entered incorrectly 10 times. That prevents brute force, but normally with computer forensics they pull the storage and clone it, then brute force all they like. Okay phones are flash memory but should be possible with the right equipment to clone the memory and then brute force. Each time the wipe is done, just move on to another clone, or run hundreds or thousands of clones. Run it all virtual in a massive cloud farm.

All possible. They just can’t be bothered and want Apple to give them an easy option.

Also I can’t believe they can’t just get Apple’s software hacked to block the wipe code. Or hell, clone the memory and disable any write capability on the clone.

uopuextdcv zerybcrkhw ezmgkcyecg wnecfgpqer mwiwccwtpu hcszndvnmh iyakkhpnzx yfypsyddgf srytldqkpo pfcpjlfqtz lelbxfsoei vhfkdqpzxi hegquadkis pvmruorcpj czxpuxkdkk eercegfnun rzejqxvpms fcxevqukvw zwexfevoab pylguoyaol sdqsmahgrh razfcbatfi vkadptwsht vshjtrqxff jicmwkkbyi osfqonqmpm hgdwtjbrkb oziwewfyrl dmigkxwtms cgbmvoaacg uklzmqxyiz aqjgpqshbo qnvqvujlwl pbfvvvrmcf bepxkglzoc

Anyone who wants to read my post can get my public key by visiting me in person. Wear a yellow carnation.

No one has argued they should have “access to all data everywhere” just that it might be useful to allow them to get the info on the “baddies”

Therein lies the problem and the fact you’ve felt it necessary to use speech marks around baddies is telling. Who decides who the baddies are? Am I a baddie if I live under an oppressive regime and dare to speak out against the government via an iMessage to my friend on my iPhone?

That prevents brute force, but normally with computer forensics they pull the storage and clone it, then brute force all they like. Okay phones are flash memory but should be possible with the right equipment to clone the memory and then brute force. Each time the wipe is done, just move on to another clone, or run hundreds or thousands of clones. Run it all virtual in a massive cloud farm.

Not that simple, issues with where the keys are stored and tied to the phone hardware*, what you suggest is literally the first thing that pops to mind, and has been suggested over and over again, and is so obvious that it should also be obvious that it’s not that easy otherwise they would have already done it!

Also, if it WAS that simple, and considering how cheap such resources are now, if it were that simple then phones would be being decrypted left right and centre by governments, normal law enforcement and you know, corporate competitors, criminals and generally people up to no good.

So again, it’s NOT that simple or it would already be happening all over the place and we’d be complaining about that instead.

* there is a secret key held in the processor**, that cannot be read by the OS directly, meaning you can’t just clone ‘an image’ of the phone, you’d have to create a physical (or virtual replica of the physical) replica of the phone, not just an image of it’s storage and running memory. It can be done, but not as trivially as your intial post suggests.

** difference between 5c (no SE)and 5s+ with SE is that there are hardware (not software) safeguards with SE that make it harder to circumvent or remove the time restrictions between attempts with a brute-force attack.

Chap i work with has been deemed to be “at odds” with his home government.

He’ll be shitting it, his current iphone is the only phone he’s been able to keep going for more than 3 or 4 months before it starts “playing up” and mysteriously leaking information.

Whilst I’m sure this does happen, and that maybe 100% secure phones are needed by some people for morally acceptable reasons. The same could be said for any sensitive document/evidence.

I’d rather my data was practically secure (from anything short of brute force cracking by supercomputer for example) which would stop anything between a wife knowing a husband is having an affair, through hobbyist hacking to industrial espionage. But still allow the police access to the 0.01% of users with the same phones who use them for nefarious uses.

Same with the locked door analogy. My front door is practically secure, but if the police wanted to raid they could get in.

Same with the proposed powers to monitor and record browsing history. Even if GCHQ had the legal power to record everything everyone does, the practical implications of:
1) actually screening all that data (see the terrorism BB thread).
2) prosecuting everyone who’s ever watched something on the grotty side of legal.

You’d need the mother of all supercomputers and a jail big enough to hold almost everyone with an internet connection.

Is this not analogous to safety deposit boxes? You stick stuff in there but if the law enforcement agencies want to see in it they get a court order/warrant and it gets opened? I agree that Apple should be able to provide their customers with a form of secure encryption and people are entitled to their privacy but if you broke the law then it is up for grabs.
If your corporation/organisation then adds a further level of security to protect it then it can.

You’d need the mother of all supercomputers

this is becoming less and less true with people using the immense power of gaming GPUs now.

Once Apple have shown it is possible then I guess potentially every phone of that model with that iOS is potentially hackable.
I would then assume that they would update the software to make this now impossible.

Surely Apple can copy the phone though. If you have an issue and go into a store they take the phone out back and do stuff to it without you there watching. Its been a long time but I don’t remember them coming out and asking for me to enter any codes…

How does Apple operate in countries like Saudi? I remember Blackberry got banned as they encrypted data which was frowned upon by the state… I expect there are a lot of interested parties in this.
The US is a strange place where they don’t think of the outside world very much or perhaps care about it.

I wonder if they stick two fingers up at the FBI if there will be further reaching actions taken in spite. Possibly relating to the billions in offshore accounts or the outsourcing of manufacture to China.

Same with the locked door analogy. My front door is practically secure, but if the police wanted to raid they could get in.

I’m sure burglars could obtain similar equipment to gain access.

It’s a tricky situation for sure.

But the facts remain, the FBI want this phone only.

I’m sure theres a 14yr old in a bedroom in Halifax Nova Scotia able to access most iPhones from the comfort of his bedroom and Laptop, whilst the FBI try and use the full effect of the Law legally to access this iPhone.

I’m still up for the FBI accessing it, seems reasonable and logical to gain access to prove a Crime.

But the facts remain, the FBI want this phone only.

If only.

I’m still up for the FBI accessing it, seems reasonable and logical to gain access to prove a Crime.

Might have missed something, but what crime are they trying to prove here?

I’m sure theres a 14yr old in a bedroom in Halifax Nova Scotia able to access most iPhones from the comfort of his bedroom

I dunno, no expert on phone security. Clearly, you aren’t either. From reading about this, it does seem that it’s a bit tricky to get into a switched off protected phone. Even for your average experienced 14 year old hacker.

this is becoming less and less true with people using the immense power of gaming GPUs now.

Yes but as the ISIS BB thread proves, what are you actually going to do with all the data from 6billion mobile phones?

It’d take you months just to go through the average STW’ers posting history.

I love how most folk on here are expert software/hardware developers and deem how easy it would be to simply clone the phone, restore it from backups, or any other ludicrous ideas.

Apple has hired some of the best minds on the planet to secure their platform. I very seriously doubt it’s as easy as some people think to circumvent it.

Surely Apple can copy the phone though. If you have an issue and go into a store they take the phone out back and do stuff to it without you there watching. Its been a long time but I don’t remember them coming out and asking for me to enter any codes…

Apple CAN’T copy the phone data. That’s why they ask YOU to take a backup to your laptop/cloud account. That data is encrypted and is protected by your passwords. Apple don’t have access to those, they’ll be salted and hashed in a database – and only you know what they are. This isn’t some kind of black magic.

Some technical detail – https://stratechery.com/2016/apple-versus-the-fbi-understanding-iphone-encryption-the-risks-for-apple-and-encryption/

What I was talking about before wasn’t about cracking the encryption, but just the brute force attack, but fair enough an ID part of the key is stored on device (perhaps in the CPU) and yes would make it a lot more difficult to clone and attempt. Though the likes of the NSA I would think have facilities or links in the industry to make a hardware clone of the relevant chip. At least they claim they are that good. Just that it would likely be prohibitively expensive. Though the amount of money they might be about to spend to force Apple to do their bidding could be a similar cost.

Anyway, what is pointed out though in this article is the length of the “PIN”. By the talk of PIN I assumed it would be similar 4 to 6 digit kind of thing but apparently it can go beyond that and if they’ve set something long and complex enough yes it would take millions of years. Even with the monster super computer systems the NSA has, but the FBI aren’t the NSA anyway. Question is whether they are saying they want access to the phone for national security purposes or just in relation to “solving” this crime… which is err, solved. We know who did it.