News Community Reacts to Apple vs FBI Story

  • Thread starter: Greg Bernhardt
  • Tags: apple
The discussion centers on the conflict between Apple and the FBI regarding access to encrypted data on iPhones, raising significant concerns about privacy and government overreach. Participants argue that the FBI's request for Apple to create a backdoor undermines user privacy and sets a dangerous precedent for law enforcement's power over private companies. Many emphasize that while warrants are important, the demand for Apple to compromise its security measures is unacceptable and could lead to broader implications for all users. The conversation also touches on the balance between national security and individual rights, questioning whether citizens should be compelled to assist the government in overcoming technical challenges. Overall, the community expresses strong support for Apple's stance on protecting user privacy against government demands.
  • #241
mheslep said:
Non governmental, external, contractors, and a large governmental, or internal, body of DoD civilian staff. I worked for a time in a no-man's land of sorts: a small number of private but non-profit think tanks that consult to the government on technical issues but can't sell the govt any widgets (like military smart phones).

That's interesting enough for me. I'll read your book if you write it.
 
  • #242
russ_watters said:
Yes, I don't think most people realize that a "Top Secret" clearance isn't a license to view all "Top Secret" information: the information is pretty much always compartmentalized on a need to know basis.

The navigator of a ship wouldn't necessarily know how many of what type of missile are onboard and the weapons officer wouldn't necessarily know where the ship is going.

About the only people who have a "need to know" everything are the highest level commanders and the people receiving and distributing the message traffic.

You certainly would know the details of that particular argument better than me, so maybe this is food for thought for others, but I wouldn't necessarily be so quick to judge the generals as being entrenched dinosaurs. This issue of operational security and compartmentalization of information predates this technology as does the push-pull between the grunts and the generals.

An easy example that applies both with digital and paper is maps. Most soldiers don't have maps and yes that can get a soldier killed if he gets separated from his unit and can't get back or get to an extraction point. But if he has a map with an X on the base or extraction point and is captured, that map can get everyone else in his unit killed and make the mission fail. Military units are strictly utilitarian in that way and I don't see the availability of technology as changing that. It is a difficult balance, but I would tend to think the mission risk is higher with too much distribution of information of that type than not enough.

And, potentially, conscripts or "stop loss" or other disgruntled members. Such people can be substantial security risks.
Problem has not been with the generals per se. That new smart (non) phone BTW got a push from the vice chief of staff of the army. It's more the acquisition rules pushed by Congress, which are in part motivated by getting money spent by contractors in districts. A ruggedized commercial mobile like this short circuits the main DoD appropriations process. It cuts out big DoD contractors and their civilian counterparts in the DoD. The DoD has spent billions on custom radio and computer programs for years.

Agree with you on no silver bullet technology. Hundreds of things have been tried to get more info to troops and most of it is scrapped, just like in the commercial world, as it must be.
 
  • Like
Likes Drakkith
  • #243
russ_watters said:
That's a mess even in the civilian world. A woman who worked in my consulting engineering firm got embedded with a client as a project manager. Then they hired her as a direct employee. Then they outsourced her job to a larger facilities services firm (who immediately hired her to do the job). All the while, her job title/description/office/email address/business card/direct boss didn't change, just the company name on her paychecks did. The distinction between "internal" and "external" or "contractor" and "employee" can dissolve.
I've seen that more times than I can count. I know people who have 'retired' from government positions on Friday and returned to the same desk on Monday as a contractor - gue$$ why.
 
  • #244
DOJ Lays Out Its Legal Case For Why Apple Should Help Crack An iPhone
http://www.npr.org/sections/thetwo-...ase-for-why-apple-should-help-crack-an-iphone
  • Apple's response to the Justice Department's motion and the earlier court order is due by Feb. 26;
  • U.S. attorneys' response will be due by March 10;
  • Apple's reply brief will be due by March 15;
  • A hearing has been scheduled at 4 p.m. ET on March 22 in federal court in Riverside, Calif.

http://www.reuters.com/article/us-apple-encryption-doj-idUSKCN0VS2FT

Hearing scheduled in Apple encryption case for March 22: U.S. Justice Dept
http://www.reuters.com/article/us-apple-encryption-hearing-idUSKCN0VS2J0

SAN MATEO, Calif. — The ID passcode to the iPhone the FBI wants Apple to hack for information about one of the San Bernardino, Calif., terrorists was changed less than a day after the government gained possession of it, Apple executives said in a phone briefing with reporters Friday afternoon.

Had the passcode not been changed, Apple said, a backup of the information the government is seeking could have been viewed. It is unclear who changed the Apple ID passcode while it was in the government’s possession, the executive said.
http://www.usatoday.com/story/tech/...scode-changed-government-possession/80632962/
I'm wondering - if someone changed the passcode - doesn't that person know the passcode? I think perhaps they are referring to the iTunes password and not passcode to the phone.

In a somewhat related case that bolsters Apple's defense, a federal magistrate ruled that the DOJ cannot compel Apple to unlock an iPhone in a criminal case.

Apple Wins Ruling in New York iPhone Hacking Order
http://www.nytimes.com/2016/03/01/technology/apple-wins-ruling-in-new-york-iphone-hacking-order.html

A federal magistrate judge on Monday denied the United States government’s request that Apple extract data from an iPhone in a drug case in New York, giving the company’s pro-privacy stance a boost as it battles law enforcement officials over opening up the device in other cases.

I think everyone agrees that law-abiding citizens have a right to privacy, and in particular from unwarranted government intrusion. However, there must be a balance with protecting the general welfare and providing for common defense. There is a reason that the government must secure a warrant to obtain reasonable 'search and seizure'.

I heard a statement yesterday that the DOJ is suing Apple, but other than going to court and filing a motion mentioned above, I've not seen any news article about a lawsuit.
 
  • #245
Astronuc said:
I think everyone agrees that law-abiding citizens have a right to privacy, and in particular from unwarranted government intrusion.
The way it is being presented in this case and in tech media, I disagree.
 
  • #246
Astronuc said:
I'm wondering - if someone changed the passcode - doesn't that person know the passcode?
Good point, which makes the problem more confusing to me. What I understand is: The FBI asked the County to reset "the password" so they could get into the phone. The County did that, but this action caused the phone not to back up its current contents onto the cloud. You mention the iTunes password. Is the iTunes password the one that gets you access to the cloud on this phone? They got access to the cloud, but the last automatic backup to the cloud was a month and a half before the incident. The act of resetting the phone caused the un-backed up info to be lost.

You must be right that it wasn't the phone's 'primary' password they reset, because if they had, why couldn't they just open it? It must have been some different password that gets you into the cloud backup of the phone but not into the phone. It seems.

I read elsewhere that they allowed the phone battery to completely discharge after taking possession of it, and this was blamed for them having lost the info on the phone. That is: letting the battery discharge causes the cache of info that would be backed up onto the cloud to automatically clear. Just sayin' that's one version I read. I don't know this phone.
 
  • #247
russ_watters said:
The way it is being presented in this case and in tech media, I disagree.
How so? The user/owner of the iPhone in question (in NY City) was involved in a crime (drug case). In the San Bernardino case, the user (owner is the County) was allegedly involved in a multiple homicide, but is now deceased. In either case, the users of the iPhones were certainly not law-abiding.
 
  • #248
zoobyshoe said:
Is the iTunes password the one that gets you access to the cloud on this phone?
Yes. I use a passcode on my phone to unlock it. If I download an app, I have to use an iTunes account, which uses an id and password. I suspect that is the password that was changed, not the passcode on the phone.

Incidentally, I have an iPhone and Mac (work), and some notes from my iPhone ended up on my Mac (by syncing) although I did not initiate the syncing. Those are personal notes that I would not put on my work computer, but I have no idea how those notes got on my work computer other than somehow the software did an automatic sync somehow. Folks might keep that in mind when using an iPhone in the vicinity of foreign Macs.
 
  • #249
Astronuc said:
How so? The user/owner of the iPhone in question (in NY City) was involved in a crime (drug case). In the San Bernardino case, the user (owner is the County) was allegedly involved in a multiple homicide, but is now deceased. In either case, the users of the iPhones were certainly not law-abiding.
The phone doesn't know who is law abiding and who isn't and given that a search warrant is not a conviction (presumption of innocence, even with suspicion of guilt, and not everyone suspected of a crime is convicted), law abiding citizens are served search warrants on a regular basis. Moreover, not everyone served with a search warrant is even suspected of a crime -- all that is needed is that they might hold evidence of the crime.

Law abiding citizens shouldn't be any more entitled to evade search warrants than lawbreakers.

And in the New York case, the police might not even have to wait for the case to go to the USSC: if they know whose phone it is, suspect or not, they could probably just throw the person in jail until they provide the passcode:
A material witness (in American law) is a person with information alleged to be material concerning a criminal proceeding. The authority to detain material witnesses dates to the First Judiciary Act of 1789.
https://en.wikipedia.org/wiki/Material_witness

I wonder how that would go over with the extremely pro privacy crowd?

[edit]
Perhaps not. A quick google:
Brits can—and have—been jailed for refusing to surrender their passwords to authorities. In 2014, a computer science student was jailed for six months after refusing a court order to surrender his password “on the grounds of national security."...

In the United States, however, there are certain protections in place. U.S. courts have ruled that a password and encryption key are classed as “knowledge”—and that the Fifth Amendment’s safeguards against forced incriminating testimony means there are constitutional protections against being forced to surrender them.
http://kernelmag.dailydot.com/issue-sections/features-issue-sections/11071/police-force-password-cellphone/#sthash.TSZgXGqM.dpuf

The 5th Amendment is an odd duck though: you can only use it if you are guilty, but if you aren't guilty and use it how would they know? Well, for one, it wouldn't apply to material witnesses.
 
  • #250
Astronuc said:
Yes. I use a passcode on my phone to unlock it. If I download an app, I have to use an iTunes account, which uses an id and password. I suspect that is the password that was changed, not the passcode on the phone.
The phone can be configured to back up to an iCloud account. It's the password to that account that the FBI told the county to change.

Incidentally, I have an iPhone and Mac (work), and some notes from my iPhone ended up on my Mac (by syncing) although I did not initiate the syncing. Those are personal notes that I would not put on my work computer, but I have no idea how those notes got on my work computer other than somehow the software did an automatic sync somehow. Folks might keep that in mind when using an iPhone in the vicinity of foreign Macs.
Are you talking about the Notes application? If so, are you logged into your iCloud account on the Mac? The way notes work with iCloud is similar to the relationship between e-mail and IMAP. The notes are stored on a server, and the phone and Mac essentially act as front ends to access the server. There's no flaky sync process that happens like in the past.
 
  • #251
vela said:
Are you talking about the Notes application?
Yes.

vela said:
If so, are you logged into your iCloud account on the Mac?
No. The Mac is provided by the employer, and as far as I know, is not linked to my personal iCloud account. I have no idea how the notes got from my iPhone to the Mac. I have not set up an iTunes account for the Mac, but if I did, it would be a separate identity, i.e., different email account and storage.
 
  • #252
It looks like any Exchange or IMAP account can also host notes. Do you have a work e-mail account set up in your phone? If so, see if you have notes enabled for it on the phone.
 
  • #253
vela said:
It looks like any Exchange or IMAP account can also host notes. Do you have a work e-mail account set up in your phone? If so, see if you have notes enabled for it on the phone.
Ok, that may be it then. I didn't realize that. I'll have to check the phone.
 
  • #254
  • Like
Likes russ_watters and Astronuc
  • #255
nsaspook said:
I agree with Shamir, Apple can help the FBI so they should help the FBI in this one special case. Apple left a security loophole in for them (mainly for user convenience) to use so the FBI is demanding that they use that loophole for the government's investigation.
I may have said it already, but that is why I find Apple's choice of where to make the stand odd. It seems like they are creating a potential to lose something they didn't need to risk (the ability to make totally secure phones). The only thing I see that they stand to gain other than avoiding the minor annoyance of assisting in a search every other month, is the ability to NOT make totally secure phones. I.e., retain their current back door.
 
  • #256
Astronuc said:
Ok, that may be it then. I didn't realize that. I'll have to check the phone.
Here, Astro: This story specifically states they reset the "iCloud password."
Comey also admitted that the FBI made a “mistake” when it asked San Bernardino County technicians to reset the iCloud password for the phone, which forestalled the possibility of trying to back it up again after that occurred. But he said even if that had not occurred, the FBI and Apple might have wound up in the same situation, since some data on the phone may not have been backed up.

Sewell, though, disputed that notion, saying that if the password was not changed, the court fight might have been averted.

“The very information that the FBI is seeking would have been available and we could have pulled it down from the cloud,” he said. “By changing the [iCloud] password ... it was no longer possible

https://www.washingtonpost.com/news...inging-fight-over-encryption-to-capitol-hill/

This is the only place I've found that distinction explicitly made. But, it seems to answer the question.
 
  • #257
Ok, since nobody was compelled by my video of the CIA director stating why it was bad to give the keys to Apple's backdoor to the FBI, how about this showdown between the FBI and John McAfee, founder of one of the most popular anti-virus/security companies in the world, second maybe only to Norton/Symantec:



Again, as far as I see it, it's more of this fear-mongering BS that these government entities use to try to scare the public into relinquishing their privacy and security. You can hear the FBI guy saying this, "We're talking about American lives here," (2:00 in) as if the risk of a few American lives was worth the risk of opening up every Apple phone across the planet to hackers from sinister state regimes. But that's even a joke, because he has absolutely no credible information that any more American lives are even at risk generally, or that hacking the phone in question would reveal any information to save an American life specifically.
 
  • #258
DiracPool said:
...

Again, as far as I see it, it's more of this fear-mongering BS that these government entities use to try to scare the public into relinquishing their privacy and security. You can hear the FBI guy saying this, "We're talking about American lives here," (2:00 in) as if the risk of a few American lives was worth the risk of opening up every Apple phone across the planet to hackers from sinister state regimes. But that's even a joke, because he has absolutely no credible information that any more American lives are even at risk generally, or that hacking the phone in question would reveal any information to save an American life specifically.

Where's the credible information indicating that every Apple phone on the planet would be opened up? Of course American lives are at risk from terrorists, as the San Bernardino shootings indicate. Of course the FBI has stopped would-be criminals by electronic surveillance, of course they've caught others after the fact the same way. Law enforcement never has to guarantee future lives to inspect a phone, nor should they. They need to show reasonable cause, and in the case of the *killer's phone*, they clearly have such cause.
 
  • Like
Likes nsaspook
  • #259
There is fear-mongering BS on both sides. Security compromises are a way of life, you plan for it and react in an intelligent manner. How long do you think it will take Apple to release a patch specifically tailored to defeat any 'HackOS' it releases to the FBI for this phone?
 
  • #260
mheslep said:
Of course American lives are at risk from terrorists, as the San Bernardino shootings indicate.

So are you saying that exposing 100s of millions of iPhones to hacking from terrorists and terrorist-related states is worth the mystery information we may or may not find on this one San Bernardino phone? Because this is what it sounds like you are saying. That doesn't sound like an even tradeoff to me as to what is going to keep American lives safer from would-be terrorists.
 
  • #261
DiracPool said:
So are you saying that exposing 100s of millions of iPhones to hacking from terrorists and terrorist-related states is worth the mystery information we may or may not find on this one San Bernardino phone?
I don't believe terrorists are interested in the average person's phone. People want security against identity thieves and stalkers and unregulated government snooping.
 
  • Like
Likes billy_joule
  • #262
DiracPool said:
Ok, since nobody was compelled by my video of the CIA director stating why it was bad to give the keys to Apple's backdoor to the FBI, how about this showdown between the FBI and John McAfee, founder of one of the most popular anti-virus/security companies in the world, second maybe only to Norton/Symantec:
I finally watched this and it's more persuasive IMO than the CIA director video.

Here's the recent hack of the FBI by a 15 year old McAfee refers to:
http://www.theguardian.com/uk-news/2016/feb/18/fbi-computer-hacking-boy-15-detained-glasgow-police
 
  • #264
vela said:
McAfee isn't exactly the most credible source to weigh in on breaking into the iPhone.

http://arstechnica.com/security/201...shoe-because-he-doesnt-know-how-iphones-work/
But it looks to me like the author of the article has misunderstood what McAfee said when he used the term "secret code." He's referring to the "first access to the keypad," not the device's PIN. McAfee isn't claiming, as far as I can see, that the PIN is stored on the device, only that the "first access to the keypad" is.

Regardless, McAfee may be being disingenuous in that getting "first access to the keypad" actually doesn't get you much at all. I don't know. The fact he's running for president also raises questions about how much this is a publicity ploy.

In any event, his claims are testable. You could give him a locked phone of the same model and see if he could deliver it to the FBI ready for their brute force attack on it.
 
  • #265
I gave my opinion, I'm still waiting for OP's opinion on the matter. :oldgrumpy: I'm all ears :listen: :oldbiggrin:
 
  • #266
mheslep said:
Where's the credible information indicating that every Apple phone on the planet would be opened up...

There are several answers to that. One from TheVerge:

http://www.theverge.com/2016/2/19/11064054/apple-fbi-lockscreen-encryption-passcode-backdoor

"while the precise software proposed by the FBI can’t be used to unlock other phones, it can still be useful to thieves. If the code fell into the wrong hands, it could potentially be reverse-engineered into a generic version, removing the code that ties the attack to a specific phone. That reverse-engineered version would still need Apple’s signature before it could be installed — something thieves are not likely to have — but that signature system would be the only thing protecting a stolen iPhone and the information inside it."

What Apple said is every iPhone -- even new ones with Secure Enclave -- would be vulnerable to an FBI-mandated operating system. It is now well documented the government wants to use this on many iPhones. It's not a case of designing this once, using it once, then destroying it. The use would proliferate, which means risk of interception and nefarious deployment of that hack by various actors.

To try and prevent this, it appears Apple would have to construct a Secure Compartmentalized Information Facility (SCIF), which are about $50 million: http://money.cnn.com/2016/02/26/technology/apple-iphone-fbi-hack-cost/ However if the method is widely deployed as the government plans, it would possibly require multiple geographically-dispersed SCIFs.

Wouldn't the hack even if intercepted still require Apple's authentication signature to use? Another comment from the above Verge article: 'Forensics expert Robert Lee says he’s worried the volume of requests could lead agents to seek a signed, generic version of the software, which would bypass all lock screen protections if it fell into the wrong hands. "The FBI’s going to come back again and again, and finally they’re going to ask for a version of this that’s generic," says Lee. "And it’s that generic version that’s really dangerous."'

There was a good description of the actual "hacking" method in ArsTechnica: http://arstechnica.com/security/201...a-golden-key-backdoor-its-called-auto-update/

"When Apple says the FBI is trying to "force us to build a backdoor into our products," what they are really saying is that the FBI is trying to force them to use a backdoor which already exists in their products. (The fact that the FBI is also asking them to write new software is not as relevant, because they could pay somebody else to do that. The thing that Apple can provide which nobody else can is the signature.)"

The only technical element which makes this possible is the iPhone's ability to accept a new software update without a password, given Apple's signature. Since the government has now forced this issue, Apple may feel impelled to revise that protocol so no software updates are possible without a user-entered password, which would itself be protected by Secure Enclave hardware encryption. That would eliminate any possibility of accessing iPhone content, except by using "chip decapping" and focused ion beam methods.

Chip decapping is commonly done for reverse engineering and competitive analysis:

https://www.chipworks.com/competitive-technical-intelligence/overview/custom-analysis

Electron microscope examination of Apple A6 CPU by Chipworks: http://appleinsider.com/articles/12/09/25/teardown-of-apples-a6-processor-finds-1gb-ram-2-cpu-3-gpu-cores
 
  • Like
Likes mheslep and zoobyshoe
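
Added example (not part of the thread, and not Apple's code): a minimal model of the signature check discussed in post #266, showing why a device-tied update cannot be retargeted without the signing key, why a signed generic update is accepted everywhere, and how the passcode-before-update policy suggested there changes that. The toy RSA key, the manifest layout, the device IDs and all function names are assumptions made for illustration.

```python
import hashlib
import json

# Toy RSA key standing in for the vendor's signing key (constructed for this
# example; unpadded and far too small for real use). Devices hold only (N, E).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known to the vendor only


def _digest(manifest):
    """Hash the canonical JSON form of the manifest into an integer below N."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % N


def make_update(image, device_id):
    """Vendor side: sign a manifest covering the image hash and target device.

    device_id=None models the 'generic' image that post #266 warns about.
    """
    manifest = {"image_sha256": hashlib.sha256(image).hexdigest(),
                "device_id": device_id}
    return {"image": image, "manifest": manifest,
            "sig": pow(_digest(manifest), D, N)}


def device_accepts(update, my_id, require_passcode=False, passcode_ok=False):
    """Device side: decide whether to install an update."""
    manifest = update["manifest"]
    if pow(update["sig"], E, N) != _digest(manifest):
        return False  # manifest was not signed by the vendor, or was edited
    if hashlib.sha256(update["image"]).hexdigest() != manifest["image_sha256"]:
        return False  # image does not match the signed hash
    if manifest["device_id"] not in (None, my_id):
        return False  # signed for a different device
    if require_passcode and not passcode_ok:
        return False  # hardened policy: the user must authorize the update
    return True


def demo():
    image = b"constructed firmware image"
    tied = make_update(image, "PHONE-A")
    # Someone without the signing key rewrites or strips the device binding.
    retargeted = {**tied, "manifest": {**tied["manifest"], "device_id": "PHONE-B"}}
    stripped = {**tied, "manifest": {**tied["manifest"], "device_id": None}}
    generic = make_update(image, None)
    return {
        "tied_on_A": device_accepts(tied, "PHONE-A"),
        "tied_on_B": device_accepts(tied, "PHONE-B"),
        "retargeted_on_B": device_accepts(retargeted, "PHONE-B"),
        "stripped_on_B": device_accepts(stripped, "PHONE-B"),
        "generic_on_B": device_accepts(generic, "PHONE-B"),
        "generic_on_B_passcode_required":
            device_accepts(generic, "PHONE-B", require_passcode=True),
        "generic_on_B_user_authorized":
            device_accepts(generic, "PHONE-B", require_passcode=True,
                           passcode_ok=True),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

In this model the device binding only holds while it stays inside the signed manifest; once a manifest with no binding is signed, the signature is the sole remaining control unless the device also requires user authorization.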
  • #269
I once heard John McAfee say that cyberwar would be worse than nuclear war. I resolved then and there never again to pay any attention to any further utterance of John McAfee.
 
  • Like
Likes russ_watters
  • #270
If Tony Stark spent 20 years too long in Key West:

[Image: John McAfee at Def Con (cropped)]
 
  • Like
Likes nsaspook
