Jump to content

Apple rejects order to unlock gunman's phone


StringJunky

Recommended Posts

Yeah, would be like hauling away a safe and then trying to open it at home at your leisure.

 

Possibly could be solved via reverse engineering. Keeping track of failed attempts is probably the weakest link in the chain. That should just come down to a lowly counter.

 

Obvious RL moral issues surrounding this, but makes for an interesting mental puzzle.

 

I would think there would be laws in place already that support Apple's position. I don't know for sure though.

Link to comment
Share on other sites

You cannot duplicate the data - to use your analogy some of it is stored in the safe; the phone os is required to access the data but will not do so (the data they want might be hidden amongst 64gigs of music and video which is also encrypted - although I am not sure this option will have been chosen or even available). I have no idea what encryption the ios uses but reverse-engineering should not work and neither should keeping track of failure; one of the great things about modern encryption is that quite a bit of it is binary - but not just in the usual sense. It is an all or nothing affair - if properly implemented you do not get to decrypt bits at a time or get hints that you are on the right track; one bit out on the key is just as bad as anything else.

 

This is why the Feds were reduced to asking for a whole new os to be written - write the new os with a master key already installed, update the phone with the new os, look at the data by using master key. The US Govt agencies have about the best chance of anybody of breaking such encryption - but encyrption does not need to be that sophisticated to be very tough

 

The cynic in me thinks they have probably already broken it - and they make all this fuss to put people at their ease and put pressure on apple so that future os might be more amenable to government snooping . Gotta go - black helicopters circling...

Link to comment
Share on other sites

Looks like the FBI is asking for access to the phone because it screwed up. They were able to reset the iCloud password, but did that before triggering an iCloud backup, which prevents a backup (because the password hasn't been updated on the phone)

 

http://daringfireball.net/2016/02/san_bernardino_password_reset

Link to comment
Share on other sites

Also, since the phone was issued by the county, why didn't they implement management software on it?

 

(edit)

link

 

Plus this

"Pay no attention to the likelihood that any conversations Farook may have had in the weeks preceding this attack would have taken place on the personal phone he destroyed and not the phone his employer issued."

Link to comment
Share on other sites

Also, since the phone was issued by the county, why didn't they implement management software on it?

 

http://www.macworld.com/article/3035747/security/proper-device-management-could-have-prevented-the-whole-fbi-apple-fight.html

 

Plus this

"Pay no attention to the likelihood that any conversations Farook may have had in the weeks preceding this attack would have taken place on the personal phone he destroyed and not the phone his employer issued."

Kept getting a 404 on your link. This one works for me....googled it. Can't see where the difference is in the urls.

 

http://www.macworld.com/article/3035747/security/proper-device-management-could-have-prevented-the-whole-fbi-apple-fight.html

 

That puts a different angle on things. It looks like, to me, that the FBI thought they had the ideal test case with maximum impact that would enable them to pursue more intrusive powers for government agencies but they have, instead, made themselves look increasingly incompetent. The best thing they they can do is stop digging.

Link to comment
Share on other sites

If the phone contents are not extracted by Apple, terrorists will buy those. Gets them impunity. And more sales to Apple.

 

If the phone contents are extracted by the goverment experts, with no Apple help, it will be another hurdle to good citizens, as we have enough imposed by NSA.

 

If the phone contents are impossible to extract, that is the kind of phones crooks will buy. Gets them secure impunity.

 

I think Apple should extract the contents of that phone only, inside their Apple premises and give/let the government decipher whatever is in it outside Apple installations.

Link to comment
Share on other sites

If the phone contents are not extracted by Apple, terrorists will buy those. Gets them impunity. And more sales to Apple.1

 

If the phone contents are extracted by the goverment experts, with no Apple help, it will be another hurdle to good citizens, as we have enough imposed by NSA.2

 

If the phone contents are impossible to extract, that is the kind of phones crooks will buy. Gets them secure impunity.3

 

I think Apple should extract the contents of that phone only, inside their Apple premises and give/let the government decipher whatever is in it outside Apple installations. 4

 

1. Apple sold over 70 million iphones in q1 2016 - I am not sure the terrorist market is going to make a huge difference to that bottom line

 

2. Gotta query the use of the word experts - did you read the link provided by SwansonT? They had potential access and screwed it up by not understanding what they were doing. And if apples encryption is as good as apple says it is then they will not be able to brute force.

 

3. We could do with more crooks who think that using a phone and storing details on it is a good option. There have been whole books written - tragically - about how to run terrorist cells and how to isolate and secure the organisation; pretty sure none of them recommend keeping information on a readable format no matter how seemingly secure

 

4. And the next one? That's just tough? Apple have to draw a line or open their books completely - I am glad they have drawn and line in the sand.

Link to comment
Share on other sites

 

I think Apple should extract the contents of that phone only, inside their Apple premises and give/let the government decipher whatever is in it outside Apple installations.

 

 

That's not what they are being asked to do, though. They are being asked to create (and in any event would be required to create) a tool that could extract the info from any of their phones. The US government has another dozen cases where they want devices unlocked after this one, and what's to keep another country from compelling Apple to turn over the code to them, where there isn't even a charade of pretending a judge might be involved in granting the use of the code. Going to China? Hand over your phone at customs. The UK has made noises about wanting a back door for mobile devices, so I would imagine they would demand it, too.

 

This has implications for corporate espionage as well as personal privacy.

Link to comment
Share on other sites

..... The UK has made noises about wanting a back door for mobile devices, so I would imagine they would demand it, too

Considering how far GCHQ UK and NSA US are up each others arseholes, one can take it for granted if the NSA gets what it wants the UK services will align themselves to that. Those two are more or less one, from where I'm standing. I hope Apple is looking for real scrap.

Edited by StringJunky
Link to comment
Share on other sites

 

 

That's not what they are being asked to do, though. They are being asked to create (and in any event would be required to create) a tool that could extract the info from any of their phones. The US government has another dozen cases where they want devices unlocked after this one, and what's to keep another country from compelling Apple to turn over the code to them, where there isn't even a charade of pretending a judge might be involved in granting the use of the code. Going to China? Hand over your phone at customs. The UK has made noises about wanting a back door for mobile devices, so I would imagine they would demand it, too.

 

This has implications for corporate espionage as well as personal privacy.

 

Why do you think that FBI could protect secret of "Apple codes" worse than Apple itself? If you assume that somebody will bribe high-ranked FBI officials to get the codes what prevents them to bribe some high-ranked Apple employees to do the same?

Link to comment
Share on other sites

 

Why do you think that FBI could protect secret of "Apple codes" worse than Apple itself? If you assume that somebody will bribe high-ranked FBI officials to get the codes what prevents them to bribe some high-ranked Apple employees to do the same?

 

I don't understand your point, but it seems we're in agreement that the best course of action is not to create the backdoor codes in the first place. You can't steal/bribe something that doesn't exist.

Link to comment
Share on other sites

 

Why do you think that FBI could protect secret of "Apple codes" worse than Apple itself? If you assume that somebody will bribe high-ranked FBI officials to get the codes what prevents them to bribe some high-ranked Apple employees to do the same?

 

 

As someone whose personal information was hacked in the OPM database breach, I have to say you are going to have to convince me that the information can be safeguarded. Plus all of the other database hacks that we've seen.

 

I'm not saying Apple is any better or worse than the government in protecting such a code, but that's part of the point: protecting it is moot if the code doesn't exist. Right now it doesn't exist.

 

(edit: xpost with Phi)

Link to comment
Share on other sites

 

 

As someone whose personal information was hacked in the OPM database breach, I have to say you are going to have to convince me that the information can be safeguarded. Plus all of the other database hacks that we've seen.

 

I'm not saying Apple is any better or worse than the government in protecting such a code, but that's part of the point: protecting it is moot if the code doesn't exist. Right now it doesn't exist.

 

(edit: xpost with Phi)

I think Apple have probably got it as secure as possible by not having backdoors and limited passcode tries before lockout/data destruction. I've read that nuclear warheads are protected this way against unauthorised access. If that's the state-of-the-art then that's what is needed to protect government and civilian data. Any system that allows unlimited tries is fundamentally weak and will eventually be bypassed.

Edited by StringJunky
Link to comment
Share on other sites

I think Apple have probably got it as secure as possible by not having backdoors and limited passcode tries before lockout/data destruction. I've read that nuclear warheads are protected this way against unauthorised access. If that's the state-of-the-art then that's what is needed to protect government and civilian data. Any system that allows unlimited tries is fundamentally weak and will eventually be bypassed.

 

 

The delaying of attempts with each wrong try is a standard security countermeasure, especially for systems with one access point

http://www.navfac.navy.mil/navfac_worldwide/specialty_centers/exwc/products_and_services/capital_improvements/dod_lock/SecurityHardware/CombinationLocks/ProductInformation/X09/X09_Guide.html

 

Doesn't work so well for a system that has multiple access points, since failed attempts can be turned into a DoS attack

Link to comment
Share on other sites

It is a pain to reverse engineer something.

 

USA Today did a good article on the FBI's alternative options. They mentioned hacking how it tracks attempts along with directly peering at the chips with an electron microscope. Interesting stuff.

Link to comment
Share on other sites

Why FBI can't create the software themself? Is there some secret codes that Apple soppose to reveal? What is there that Apple programers can write only?

Not sure, myself. Perhaps it's nit the code, but instead the infrastructure required to push it out to the device?

 

To push a new OS, it must be signed as valid by Apple. That's presumably to keep others from doing it maliciously. Right now, you can do this without using the passcode, and you can update the OS, since you might need push a clean version of the OS to fix a problem when you've bricked the phone and can't log in.

 

Any bets on whether Apple changes that, to only being able to upload the same OS as is already on it, without providing the access code?

Link to comment
Share on other sites

Thx. That aligns with my instincts. I think hope Apple stands strong and says no.

;)

 

There's another, not insignificant, pressure against preserving privacy that doesn't affect Apple so much, since it derives the majority of its revenue from device sales. With increasing use of end-to end encryption, it means that harvesting valuable personal data for marketing purposes become more and more inaccessible to commercial companies that rely on that utilising that data for revenue. What do SFN members think of this?

 

If the mods think this is too much of a diversion I'll make a new thread?

 

 

The delaying of attempts with each wrong try is a standard security countermeasure, especially for systems with one access point

http://www.navfac.navy.mil/navfac_worldwide/specialty_centers/exwc/products_and_services/capital_improvements/dod_lock/SecurityHardware/CombinationLocks/ProductInformation/X09/X09_Guide.html

 

Doesn't work so well for a system that has multiple access points, since failed attempts can be turned into a DoS attack

I wouldn't want to use that lock with a hangover. :)

 

You might find this article on deducing password formation interesting.

Edited by StringJunky
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.