02-24-2016, 05:39 PM
|
#101
|
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
|
Quote:
Originally Posted by CorsiHockeyLeague
As I said above I disagree with your second statement (that the government can't be trusted and that leaks are inevitable, particularly for a company like Apple), as I think it's too cynical and the risks are less than you perceive.
|
I deal with a lot of this stuff every day. I think all you have to do is look at the digital security news and see the constant flow of places that have been hacked, software that's fundamental to our digital infrastructure that's revealed to be compromised (and how few people update their stuff to fix those holes), and how easy it is to use social engineering to get past things to see how vulnerable we are. You equated the ability to secure a phone and the ability to secure a company; I don't think I can use your valuation of the risks of losing control of the tool.
What's the difference between an encrypted conversation between the two of us using a device that can't be unlocked, and a whispered conversation between the two of us in my living room? If one has to become accessible on demand, why doesn't the other?
Just because one happens to be electronic?
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
|
|
|
02-24-2016, 06:51 PM
|
#102
|
Franchise Player
|
The conversation between the two of us in your living room IS accessible on demand. The proper measures - e.g. surveillance equipment - can be put in place to ensure that that happens. All that's required is - you guessed it - a court order (in the form of a warrant). That's how the system works and how it should work; the judge acts on a case by case basis as the safety valve to ensure that law enforcement isn't overstepping its bounds.
As stated, the problem I have here is that the judge isn't doing that; to analogize, what he's done is more like ordering a company to invent the technology to be used to listen to our conversation. If the "back door" existed already, it would be well within the court's purview to order that the phone be unlocked.
__________________
"The great promise of the Internet was that more information would automatically yield better decisions. The great disappointment is that more information actually yields more possibilities to confirm what you already believed anyway." - Brian Eno
|
|
|
02-24-2016, 07:06 PM
|
#103
|
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
|
Quote:
Originally Posted by CorsiHockeyLeague
The conversation between the two of us in your living room IS accessible on demand. The proper measures - e.g. surveillance equipment - can be put in place to ensure that that happens. All that's required is - you guessed it - a court order (in the form of a warrant). That's how the system works and how it should work; the judge acts on a case by case basis as the safety valve to ensure that law enforcement isn't overstepping its bounds.
|
The conversation between us isn't accessible on demand; future communications may be accessible if a warrant is obtained and they do something extraordinary to capture it.
But that's not how it works for electronic communication; it's more like installing surveillance equipment in every public and private space everywhere and recording everything all the time.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
|
|
|
02-24-2016, 07:20 PM
|
#104
|
Franchise Player
|
Okay, so it sounds like the distinction you're drawing is that by looking at someone's phone you get access to a record of something that happened before the warrant was obtained. I don't understand though why that should be different, in principle? What is it about past conversations that should make them in principle immune from surveillance, assuming the proper procedures are followed?
For example, I'm just thinking as I type, but you could certainly get a warrant to look at letters written between two people.
__________________
"The great promise of the Internet was that more information would automatically yield better decisions. The great disappointment is that more information actually yields more possibilities to confirm what you already believed anyway." - Brian Eno
|
|
|
02-24-2016, 09:43 PM
|
#105
|
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
|
It's not that past conversations should be immune, it's that the act of surveillance shouldn't be allowed until there's a good reason to have it.
The letters analogy is an interesting one though. If I leave permanent records of what I'm saying that are accessible then yeah, I guess, but when I use encryption it's like I'm burning the letter after I read it; the intent is to keep the contents of the letter private. I should be able to do that if I want in a digital age, shouldn't I, like I could in the era of paper letters?
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
|
|
|
02-25-2016, 06:51 AM
|
#106
|
Franchise Player
|
I don't think those are analogous. Reading and then burning a letter would be like having a text conversation on your phone and then deleting all trace of it from the device.
Anyway, if your issue is that there needs to be a "good reason" to surveil, then it seems to me that the problem is easy enough to resolve in principle by having the same exact safeguards in place as we do for any other surveillance. In other words, don't let law enforcement into the phone without a warrant.
__________________
"The great promise of the Internet was that more information would automatically yield better decisions. The great disappointment is that more information actually yields more possibilities to confirm what you already believed anyway." - Brian Eno
|
|
|
02-25-2016, 08:33 AM
|
#107
|
In the Sin Bin
|
Quote:
Originally Posted by CorsiHockeyLeague
I'm best known for being an atheist? I actually have spent most of my life believing in a higher power, and only in the past few years have shifted into agnosticism.
|
Sorry... I meant that Sam Ross seems to be best known for being an atheist. The incongruity of someone who rejects faith without fact belief in god while holding faith without fact in the US government was amusing to me.
Quote:
The point about you being in IT, while I don't think it makes a difference to the validity of your arguments, does immediately have me nodding "ah, that makes sense". I think the technology crowd have developed a very particular perspective on this, which some would attribute to expertise and others to bias. I just don't see it as that dangerous a weapon, depending on how the issue is handled. The majority of my personal information is on my desktop and laptop computers, not my phone, and I have relatively minimal security concerns there in spite of the lack of a perfect lock.
|
Most of our executives live on their phones. Mostly blackberries right now, but some iPhones. Every email, many corporate plans and decisions. Sensitive data. Even if they can use their own laptops, this stuff syncs to their phones.
And I would suggest that you really don't understand just how much of your life actually is on your phone, protected only by that password lock you (hopefully) have set up. Text conversations, phone history. Emails (as I doubt you are logging into your email client separately every time). Social media history and access. Purchasing history. How many places do you have credit card info stored for faster purchase? Most of your photos are probably on your phone. Any EFT set ups. Do you have a banking app? Are you using a "remember my username/password" feature on it?
That's just the surface of it. Our entire lives are contained in those little devices. That warrants the highest possible protection. From everyone. Including, and especially, a government that is increasingly dismissive of the people's rights to privacy.
|
|
|
02-25-2016, 08:49 AM
|
#108
|
Franchise Player
|
I actually have much more security on my phone than most people because I'm a lawyer, and client information has to be kept confidential. However, there is a "back door" into my iPhone - if I forget my password, our IT people have the ability to re-set it, presumably by virtue of some aftermarket software they've put on there.
That being said, my point was that anything that's on my phone is also somewhere else. Social media history, many conversations that may not be text message based but are functionally identical, social media history and access, purchasing history and credit card information are all also stored on my laptop. Obviously, my laptop does not have this impenetrable level of security, it just has some imperfect security features. Yet, I do not think I am at catastrophic risk of my life being destroyed by virtue of this information being less than 100% secured.
__________________
"The great promise of the Internet was that more information would automatically yield better decisions. The great disappointment is that more information actually yields more possibilities to confirm what you already believed anyway." - Brian Eno
|
|
|
02-25-2016, 12:53 PM
|
#109
|
In the Sin Bin
|
Well, yeah. Mobile Data Management systems exist to allow the device owner (the company) the power to control the device. And while that does create obvious trade-offs between security and usability, that is at least the private decision of a private company. In this specific case, the owner of the phone utterly failed to retain proper management over its environment. That is a fault of the shooter's employer, not Apple.
|
|
|
02-25-2016, 02:04 PM
|
#110
|
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl
|
Quote:
Originally Posted by CorsiHockeyLeague
I actually have much more security on my phone than most people because I'm a lawyer, and client information has to be kept confidential. However, there is a "back door" into my iPhone - if I forget my password, our IT people have the ability to re-set it, presumably by virtue of some aftermarket software they've put on there.
That being said, my point was that anything that's on my phone is also somewhere else. Social media history, many conversations that may not be text message based but are functionally identical, social media history and access, purchasing history and credit card information are all also stored on my laptop. Obviously, my laptop does not have this impenetrable level of security, it just has some imperfect security features. Yet, I do not think I am at catastrophic risk of my life being destroyed by virtue of this information being less than 100% secured.
|
When it connects to those services, your email, your Facebook account etc, it uses encryption to ensure that the connection is secure. It's the same concept, on a different level. Do you log into your work remotely? If you do, chances are the same protection is in place.
Do you have any problems with this 'unbreakable' security on the connection to Facebook? Or Gmail? Or your place of employment?
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."
|
|
|
02-26-2016, 08:01 AM
|
#111
|
In the Sin Bin
|
Apple files motion to vacate the magistrate judge's order:
http://arstechnica.com/tech-policy/2...olated-iphone/
They rely on First and Fifth Amendment defences, but primarily challenge the applicability of the All Writs Act. Among other things, they point out that the government is claiming this is a "one-off" instance and that Apple would be free to destroy the software after use, except that the government already has dozens of other phones it wants Apple to hack for them.
|
|
|
02-26-2016, 08:10 AM
|
#112
|
Franchise Player
|
Rathji, I don't think I understand what you're saying. My point is that most of my "crucial" information is stored on only semi-secure platforms. Even my work's platform is beatable, because there is a "back door", and my work is highly concerned with security. My personal laptop certainly doesn't have total security. I don't require it.
Quote:
Originally Posted by Resolute 14
They rely on First and Fifth Amendment defences, but primarily challenge the applicability of the All Writs Act. Among other things, they point out that the government is claiming this is a "one-off" instance and that Apple would be free to destroy the software after use, except that the government already has dozens of other phones it wants Apple to hack for them.
|
That seems like the right path to take legally. I mean, in absurd-world the government's right; if they need to get an order like this every time they want to break into a phone, it's at least analogous to seeking a warrant. But do you really believe a tech company will stop what it's doing and re-invent a security breaching software every time it's needed to address a court order, then destroy it again each time? That's a bit much.
__________________
"The great promise of the Internet was that more information would automatically yield better decisions. The great disappointment is that more information actually yields more possibilities to confirm what you already believed anyway." - Brian Eno
Last edited by CorsiHockeyLeague; 02-26-2016 at 08:12 AM.
|
|
|
02-27-2016, 09:34 PM
|
#113
|
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl
|
Quote:
Originally Posted by CorsiHockeyLeague
Rathji, I don't think I understand what you're saying. My point is that most of my "crucial" information is stored on only semi-secure platforms. Even my work's platform is beatable, because there is a "back door", and my work is highly concerned with security. My personal laptop certainly doesn't have total security. I don't require it.
|
While the data is in transit, as in flowing through the tubes of the internet, ANYONE who controls networking gear along the way can read it if they want to, unless it is encrypted.
Saying your laptop/phone/whatever has a backdoor is not the same thing as installing a backdoor in or a workaround for the encryption (which is what this case really is about). Your company has control and/or ownership over the equipment, your data and the accounts you use to access it. They also likely control any encryption keys used in the transfer of this data between your device and their servers. They can use the access to your account/laptop/whatever to gain access to your laptop, and any encryption the system they control uses.
This does not mean that they can read the network traffic between your browser session and Google's mail servers (unless they are spoofing the Google cert to monitor your activities or similar) because they don't control that certificate. Same goes for things like LastPass, which decrypts the blob of data by using your master password. They don't control the password, or the encryption keys that are used. These things are encrypted with technology that is (roughly) equivalent to the technology that encrypts data on the iPhone disk.
You say you don't use this 'total security' for your personal stuff, but I promise you that you do in many forms. It is automatic on Facebook, any Google service including searches. If you use LastPass, it is practically the same thing that is going on inside that iPhone.
Would you really be okay with legal precedent that says you don't have the rights to privacy in any of these communications? Would that position change if you became aware that the NSA downloads and stores practically every bit of data (encrypted or not) that transmits over the backbone providers in the United States?
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."
|
|
|
02-29-2016, 10:32 AM
|
#114
|
Backup Goalie
Join Date: Oct 2007
|
I'm trying to learn more about this, so I have a question, perhaps someone on here can answer.
If Apple were to create this software, and it were to fall into the wrong hands, by far my biggest concern would be my financial information. So, what's the interaction between this "key" that Apple is being asked to create and the security around my financial information, which I access on my phone through apps developed by my bank? Isn't there also a level of encryption at the app level, so that they would need yet another "key" to get at it?
(obviously there are a number of issues at play, this is just one that occurred to me, which I haven't seen discussed yet)
|
|
|
02-29-2016, 10:43 AM
|
#115
|
Franchise Player
Join Date: Feb 2011
Location: Somewhere down the crazy river.
|
The cynical side of me says Apple already did this for the FBI, and this is all sabre rattling by Apple so they don't lose face. Soon the FBI will have magically cracked it without Apple's help, and Apple can pretend that it didn't do anything to undermine the security of its phones.
|
|
|
02-29-2016, 10:47 AM
|
#116
|
Franchise Player
Join Date: Mar 2015
Location: Pickle Jar Lake
|
Quote:
Originally Posted by puckhog
I'm trying to learn more about this, so I have a question, perhaps someone on here can answer.
If Apple were to create this software, and it were to fall into the wrong hands, by far my biggest concern would be my financial information. So, what's the interaction between this "key" that Apple is being asked to create and the security around my financial information, which I access on my phone through apps developed by my bank? Isn't there also a level of encryption at the app level, so that they would need yet another "key" to get at it?
(obviously there are a number of issues at play, this is just one that occurred to me, which I haven't seen discussed yet)
|
Your banking app will have its own key encryption. Keep in mind what the FBI is asking for isn't a crack. They want Apple to disable the feature that locks the phone after 10 failed passcode tries. So even if that software was created by Apple and it got out, someone would still need to steal your physical phone, apply this tool, then brute force by guessing every passcode. To make this more difficult you can use a 6 number code, or I believe alphanumeric as well.
|
|
|
02-29-2016, 01:28 PM
|
#117
|
Powerplay Quarterback
Join Date: Dec 2009
Location: SE Calgary
|
Curious about this, and not sure if these questions have been answered:
1. Couldn't Apple release a software update that is only applicable to this phone?
2. I am assuming even if they did that the worry is that software update could be hacked to be applicable to more Apple phones?
3. Couldn't Apple then release a software update that closed this hole?
I mean this is a brute force hack that the FBI is asking for, not a key to the encryption.
__________________
"In theory, there is no difference between theory and practice. But in practice, there is" — Jan Van De Snepscheu
|
|
|
02-29-2016, 01:40 PM
|
#118
|
In the Sin Bin
|
1. Yes and no. Yes, because they could write it specifically for the one phone, but No, because of the answer to question 2.
2. Yes.
3. Nope. The entire point of this demand is to undermine encryption. If Apple fails to have this order quashed, then there is no software or firmware they could write to close the hole that the US government couldn't turn around and get another judicial order to undermine.
|
|
|
03-01-2016, 07:19 AM
|
#119
|
In the Sin Bin
|
Meanwhile in New York, a magistrate judge rejected an attempt at using the All Writs Act to force Apple to unlock a phone. That case is a little different though as the owner of the phone already pleaded guilty, and the judge basically asked Apple for some basic arguments explaining why forcing an unlock is unnecessary given the plea. He is evidently rather critical of the government's efforts to overreach. Also, older iPhone that Apple could unlock easily if it wished.
Assuming that district and then appeals courts in New York and California side with the local magistrates, this pretty much creates the recipe for a Supreme Court case as there would then be conflicting precedents between two circuits over the applicability of the All Writs Act.
Last edited by Resolute 14; 03-01-2016 at 07:27 AM.
|
|
|
03-09-2016, 02:59 PM
|
#120
|
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
|
http://arstechnica.com/apple/2016/03...g-it-for-them/
Interesting ways to get the data, some without Apple's help at all. I wondered why they didn't do some variation of the last one.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
|
|
|