Apple challenges 'chilling' demand to decrypt San Bernardino shooter's iPhone

rexlunae · Feb 17, 2016

chrysostom said:
encryption is a selling point for both apple and google
and
that is a biggie

It certainly is. And I am glad that Apple is fighting for it. But at the same time, from the details I've heard, what's at stake here isn't actually strong crypto itself, but a separate and weaker security mechanism.

chrysostom said:
I have been warned many times by gmail that
if
I forget my password
I will have to start a new account

Probably because you haven't created a recovery email address or phone number. And that isn't even for reasons of crypto, exactly.

THall · Feb 17, 2016

If Apple gives it up, the Chinese
and the Russians will have it.

They should not give anything to the
FBI or any Federal agency. That is
their intellectual property, not the
Governments.

Ask Mr. Religion · Feb 17, 2016

Ask Mr. Religion said:
You may very well be correct. I took my assumption of what the FBI was seeking from a discussion I read this morning on slashdot. In the case of just accessing the phone from a user's PIN or whatnot, it would seem the problem is well within reach using known profiling methods of a user's usual proclivities, available password apps, etc., for setting up phone access PINs. Some may even use fingerprints, so if that were the case, compelling the criminal for the fingerprint or using the booking fingerprints, seems doable. That all said, they may have access to the phone, but there is also the fact that some folders therein may have been encrypted by the user.

AMR

This has more information, including the actual FBI request:

https://www.techdirt.com/articles/2...-shooters-iphone-to-create-new-backdoor.shtml

So essentially the FBI wants Apple to create a software image for recovery features unique to the particular phone that includes the feature to disable auto-erasing the phone's personal data files after the ten or so attempts at guessing the phone's PIN fail. This special software image would be loaded into partitioned RAM and receive the FBI's PIN attempts. Once the correct PIN is identified, then the phone can be unlocked and accessed.

Frankly if this scheme is doable then there are real problems with Apple's FIPs compliance program as it implies the HW/SW architecture's proper partitioning for trusted performance is very poor. In effect, if this is doable, the FBI's public complaint essentially provides a blueprint for foreign governments to compromise FIPs certified devices.

AMR

bybee · Feb 17, 2016

Ask Mr. Religion said:
This has more information, including the actual FBI request:

https://www.techdirt.com/articles/2...-shooters-iphone-to-create-new-backdoor.shtml

So essentially the FBI wants Apple to create a software image for recovery features unique to the particular phone that includes the feature to disable auto-erasing the phone's personal data files after the ten or so attempts at guessing the phone's PIN fail. This special software image would be loaded into partitioned RAM and receive the FBI's PIN attempts. Once the correct PIN is identified, then the phone can be unlocked and accessed.

Frankly if this scheme is doable then there are real problems with Apple's FIPs compliance program as it implies the HW/SW architecture's proper partitioning for trusted performance is very poor. In effect, if this is doable, the FBI's public complaint essentially provides a blueprint for foreign governments to compromise FIPs certified devices.

AMR

Very scary!

rexlunae · Feb 18, 2016

Ask Mr. Religion said:
This has more information, including the actual FBI request:

https://www.techdirt.com/articles/2...-shooters-iphone-to-create-new-backdoor.shtml

So essentially the FBI wants Apple to create a software image for recovery features unique to the particular phone that includes the feature to disable auto-erasing the phone's personal data files after the ten or so attempts at guessing the phone's PIN fail. This special software image would be loaded into partitioned RAM and receive the FBI's PIN attempts. Once the correct PIN is identified, then the phone can be unlocked and accessed.

Frankly if this scheme is doable then there are real problems with Apple's FIPs compliance program as it implies the HW/SW architecture's proper partitioning for trusted performance is very poor. In effect, if this is doable, the FBI's public complaint essentially provides a blueprint for foreign governments to compromise FIPs certified devices.

AMR

I'm not sure how you could prevent this sort of attack from someone with physical possession of the device. Fundamentally, you need to store code somewhere that the processor can execute it, while the phone's data is still encrypted, and that code is going to be pretty vulnerable almost wherever you put it. I'm not too familiar with FIPS 140-2 compliance, but my understanding is that even at the highest level, it simply requires a high probability that attempts at unauthorized access will be detected and prevented under defined use cases, which this probably falls outside of.

gcthomas · Feb 18, 2016

Ask Mr. Religion said:
Frankly if this scheme is doable then there are real problems with Apple's FIPs compliance program as it implies the HW/SW architecture's proper partitioning for trusted performance is very poor. In effect, if this is doable, the FBI's public complaint essentially provides a blueprint for foreign governments to compromise FIPs certified devices.

I expect that for this reason Apple will claim to be unable to comply with the court order. Who in the court will be able to prove otherwise?

chrysostom · Feb 18, 2016

gcthomas said:
I expect that for this reason Apple will claim to be unable to comply with the court order. Who in the court will be able to prove otherwise?

I would like to hear a programmer address this issue

specifically the point
that it is possible to hack into one phone without risking the others

Ask Mr. Religion · Feb 18, 2016

Ask Mr. Religion said:
This has more information, including the actual FBI request:

https://www.techdirt.com/articles/2...-shooters-iphone-to-create-new-backdoor.shtml

So essentially the FBI wants Apple to create a software image for recovery features unique to the particular phone that includes the feature to disable auto-erasing the phone's personal data files after the ten or so attempts at guessing the phone's PIN fail. This special software image would be loaded into partitioned RAM and receive the FBI's PIN attempts. Once the correct PIN is identified, then the phone can be unlocked and accessed.

Frankly if this scheme is doable then there are real problems with Apple's FIPs compliance program as it implies the HW/SW architecture's proper partitioning for trusted performance is very poor. In effect, if this is doable, the FBI's public complaint essentially provides a blueprint for foreign governments to compromise FIPs certified devices.

AMR

There is also the issue that the PIN access attempt is designed to limit PIN guesses to 80ms delays between PIN digit entries. Assuming a 6 digit PIN comprising combinations of ten numerical digits and a twenty-six letter alphabet, this would mean 1,402,410,240 possible permutations (guesses) to be made, or more than 3.5 years of manual effort.

AMR

Town Heretic · Feb 18, 2016

chrysostom said:
apple cannot break into their phone

They aren't really being asked to do that.

but they can figure out how if anyone can

Then they should do that in the interests of justice and no one else will be able to OR they should do it in the interests of justice and others will continue to work on doing it and will at some point manage it if it's possible.

lain:

but once they figure out how to get into one they can get into any of them how are you going to protect the info?

Don't give anyone from Apple your iPhone to take to work?

not everyone is an idiot

Well...not everyone, no.

ok doser · Feb 18, 2016

why can't da gubmint just waterboard Syed Farook until he gives them the password?

oh, right - they shot him dead

next time maybe they shouldn't do that

rexlunae · Feb 18, 2016

Town Heretic said:
They aren't really being asked to do that.

They're being asked to defeat one security mechanism. It's not the only, or even the strongest one, but it's apparently effective enough that the FBI decided that the surest way to get what they want was a lawsuit against one of the largest companies in the world.

Town Heretic said:
Then they should do that in the interests of justice and no one else will be able to OR they should do it in the interests of justice and others will continue to work on doing it and will at some point manage it if it's possible. lain:

It's not that simple. Apple is being asked to create a piece of software to defeat one part of the security on every iPhone in existence. Apple and its user base have a clear interest in that software not existing. It's easy to focus on the immediate and ignore the bigger picture, but that does have broad implications far beyond this one phone or this one case, and its worth noting that under the terms of the DMCA, it might ordinarily be illegal to make or distribute such software.

Town Heretic · Feb 18, 2016

rexlunae said:
They're being asked to defeat one security mechanism. It's not the only, or even the strongest one, but it's apparently effective enough that the FBI decided that the surest way to get what they want was a lawsuit against one of the largest companies in the world.

That's my understanding. They need to get past the ten tries or meltdown security bit.

It's not that simple. Apple is being asked to create a piece of software to defeat one part of the security on every iPhone in existence.

No, just the one. It's like this...every business keeps records. And those records are theirs, subject to bylaws. A lot of records are closely held and confidential, would require a court order to obtain. Fashioning a court order for one set of records isn't the same as fashioning one for all. The scope and use of the release are limited. I don't think anyone has mandated that Apple produce and allow the government to keep the key, so to speak.

Apple and its user base have a clear interest in that software not existing.

It might as well not exist if Apple alone has it and will not utilize it short of a court order relating to illegal activity.

rexlunae · Feb 18, 2016

Town Heretic said:
No, just the one. It's like this...every business keeps records. And those records are theirs, subject to bylaws. A lot of records are closely held and confidential, would require a court order to obtain. Fashioning a court order for one set of records isn't the same as fashioning one for all. The scope and use of the release are limited. I don't think anyone has mandated that Apple produce and allow the government to keep the key, so to speak.

Well, the difference between how you make a court order and how you write a piece of software is that the software can't be limited very well. Once you're written it, there's really no good way of preventing it from being used again. Even if you wrote the software with some artificial check to make sure that it's only running on the one intended phone, given five minutes and a hex editor, anyone with a moderate level of technical knowledge could remove that check and have a working attack that can be used against any iPhone. Just the act of writing it could document for anyone who can get their hands on it the inner workings of the phone in a way the undermines the strength of all such mechanisms in all iPhones.

Town Heretic said:
It might as well not exist if Apple alone has it and will not utilize it short of a court order relating to illegal activity.

Safer for zero parties to have the power than one. Large organizations have a hard time holding onto things, especially information, once they're created. And, once the tool is created, it could lower the bar for courts contemplating ordering Apple to help them do similar things. Easier to argue against disclosing something that doesn't exist than something that does.

Essentially, it would convert a technical barrier to a legal one.

chrysostom · Feb 18, 2016

rexlunae said:
Well, the difference between how you make a court order and how you write a piece of software is that the software can't be limited very well. Once you're written it, there's really no good way of preventing it from being used again. Even if you wrote the software with some artificial check to make sure that it's only running on the one intended phone, given five minutes and a hex editor, anyone with a moderate level of technical knowledge could remove that check and have a working attack that can be used against any iPhone. Just the act of writing it could document for anyone who can get their hands on it the inner workings of the phone in a way the undermines the strength of all such mechanisms in all iPhones.

Safer for zero parties to have the power than one. Large organizations have a hard time holding onto things, especially information, once they're created.

you are making more sense than the lawyer

rexlunae · Feb 18, 2016

chrysostom said:
you are making more sense than the lawyer

I really can see the FBI's side of this. But it's a dangerous road to take.

chrysostom · Feb 18, 2016

rexlunae said:
I really can see the FBI's side of this. But it's a dangerous road to take.

did you read the apple letter?

rexlunae · Feb 18, 2016

chrysostom said:
did you read the apple letter?

I haven't. I heard a pretty extended interview with Tim Cook, and these are also issues that I've been interested for 20 years or so.

chrysostom · Feb 18, 2016

rexlunae said:
I haven't. I heard a pretty extended interview with Tim Cook, and these are also issues that I've been interested for 20 years or so.

you should read it

apple letter

the fbi does not know what they are talking about
apple does
and
they should be believed
any reasonable person would believe them

MarcATL · Feb 18, 2016

Most people are siding with the government on this issue. Both rightwingers and leftwingers.

Town Heretic · Feb 18, 2016

rexlunae said:
Well, the difference between how you make a court order and how you write a piece of software is that the software can't be limited very well.

Of course it can, Rex. Like the formula for Coke, only not as widely held. The notion that solving the problem will somehow spread among the ether is one I find peculiar in a discussion of technology.

Once you're written it, there's really no good way of preventing it from being used again.

There is. Let Apple hold it and safeguard it. Just like Coke. It doesn't have to be disseminated, only available in limited and special circumstance, under their control.

Even if you wrote the software with some artificial check to make sure that it's only running on the one intended phone, given five minutes and a hex editor, anyone with a moderate level of technical knowledge could remove that check and have a working attack that can be used against any iPhone. Just the act of writing it could document for anyone who can get their hands on it the inner workings of the phone in a way the undermines the strength of all such mechanisms in all iPhones.

Ultimately, though we differ on the danger, it becomes a matter of priorities. And I think the clear winner on the point is with the FBI and national security.

Safer for zero parties to have the power than one. Large organizations have a hard time holding onto things, especially information, once they're created.

Is Apple noted for losing proprietary information to third parties? But in any event this shouldn't take a Herculean effort to secure, especially given the lack of desire for reproduction by the proprietor.

And, once the tool is created, it could lower the bar for courts contemplating ordering Apple to help them do similar things. Easier to argue against disclosing something that doesn't exist than something that does.

Essentially, it would convert a technical barrier to a legal one.

Arguably the better idea, relative to competing interests.

Apple challenges 'chilling' demand to decrypt San Bernardino shooter's iPhone

New member

New member

&#9758;&#9758;&#9758;&#9758;Presbyterian (PCA) &#9

New member

New member

New member

Well-known member

&#9758;&#9758;&#9758;&#9758;Presbyterian (PCA) &#9

Out of Order

lifeguard at the cement pond

New member

Out of Order

New member

Well-known member

New member

Well-known member

New member

Well-known member

New member

Out of Order

☞☞☞☞Presbyterian (PCA) &#9

☞☞☞☞Presbyterian (PCA) &#9