Tim Cook's Letter on the need for Encryption

anvilfour

*** DISCLAIMER - I WORK FOR APPLE BUT AM EXPRESSING MY OWN OPINIONS! ***

Full link here:

http://www.apple.com/customer-letter/

This comes on the back of the FBI trying to order Apple to provide a government mandated backdoor for iPhones, story available here:

http://www.cnbc.com/2016/02/17/apple-order-to-hack-iphone-for-fbi-in-san-bernardino-case-chilling-tim-cook.html

See also:

pah

I don't see why in very serious cases, with a court order, apple would not decrypt a device for the authorities.

Open the box and provide the contents but retain the keys.

timmywex

pah wrote: »

I don't see why in very serious cases, with a court order, apple would not decrypt a device for the authorities.

Open the box and provide the contents but retain the keys.

Precedent.

It's a shooter this time, next up it's someone who's pirating music.

Apple's point is also that it cannot do it at the moment without large technical influence, potentially a new OS, which if in the wrong hands could have massive consequences.

liamo

pah wrote: »

....Open the Pandora's box .....

There. Fixed that for you.

liamo

pah wrote: »

I don't see why in very serious cases, with a court order, apple would not decrypt a device for the authorities.

Open the box and provide the contents but retain the keys.

Actually, Apple has not been instructed to decrypt a device as such.

From this article in The Washington Post.

"The order, signed Tuesday by a magistrate judge in Riverside, Calif., does not ask Apple to break the phone’s encryption but rather to disable the feature that wipes the data on the phone after 10 incorrect tries at entering a password. That way, the government can try to crack the password using “brute force” — attempting tens of millions of combinations without risking the deletion of the data."

It's also not the FBI simply demanding access to someone's phone against their wishes. Complicating this matter is the fact that the user of the phone - one of the San Bernadino shooters - is dead and the actual owner of the phone - the County Health Dept - has consented to the phone being searched.

I can see why the court ruled the way it did in this specific instance.

Having said that, however, I do agree with timmywex. It's a slippery slope and not a very long one.

Manach

I would side with pah here. The has to be a balance struck and no rights are absolute including privacy. While any blanket gathering of data by the state for surveillance is wrong, individual served under proper legal process should hand over their keys to the phone data and under rare circumstances the data should be capable of being accessed if this does not occur.

But I do acknowledge the other point made that this has a potential to be a sliding slope: legally it is common both here and elsewhere for 'emergency
' measures to morph into standard law due to precedent.

anvilfour

Manach wrote: »

I would side with pah here. The has to be a balance struck and no rights are absolute including privacy. While any blanket gathering of data by the state for surveillance is wrong, individual served under proper legal process should hand over their keys to the phone data and under rare circumstances the data should be capable of being accessed if this does not occur.

But I do acknowledge the other point made that this has a potential to be a sliding slope: legally it is common both here and elsewhere for 'emergency
' measures to morph into standard law due to precedent.

Hi Manach,

Thank you for sharing your thoughts.

The concern I have here is that if Apple were to supply the FBI with custom firmware, that they have digitally signed to unlock this specific phone, there's no real reason that they couldn't use this to unlock any iPhone 5C.

This not only has chilling effects for human rights - if one of the bad guys gets their hands on one copy of the custom firmware, then our secrets are also laid open to the shadowy government organisations of foreign countries too.

We have already seen in the UK that there has been abuse of key disclosure laws such as those used to try to intimidate David Miranda into handing over content protected by reporter's privilege and also a harmless schizophrenic man being jailed for refusing to hand over his password.

anvilfour

pah wrote: »

I don't see why in very serious cases, with a court order, apple would not decrypt a device for the authorities.

Open the box and provide the contents but retain the keys.

As timmy says, unfortunately this isn't possible.

If I could put on my Apple Tech Support hat here for a second, in simplest terms a non-jailbroken iOS device will check its own firmware each time it's powered on to see if it's been digitally signed by Apple - if Apple were to create a new version of iOS which is easier to break into, it could be flashed onto potentially any iOS device, making us all vulnerable.

The only way to keep everyone's data safe is to say no.

Boskowski

There has to be a no. These things always work the same way. Set a precedent and of course its under court control and only for crimes of the highest order. The two 'highest order' things currently being trotted out on an ongoing basis are terror and kiddy porn, brilliant, nobody could possibly object to that. So then a few years on the court control thing has mutated to a form being filled out and signed by default - if we're lucky and they even continue to bother - and terror and kiddy porn has become file sharing and revenue troubles.

Just as an example in the naughties the right to secret banking has been softened up in Germany, of course to control the flow of financing terror groups. Only in exceptions of course and it took a judge for the authorities to gain access to a statement history. Last year it was revealed by virtue of parliamentary enquiry they acquired access to 300,000 bank accounts in that year alone. Just ten years on that is and no changes to the laws were made. Apparently welfare fraud is now the same as planning 9/11.

anvilfour

What would be wonderful is if manufacturers like Apple could say that they simply have no way from a technical perspective to make it easier for anyone to bypass device encryption.

Unfortunately for as long as a court thinks it can force them to create custom firmware then we're all in trouble. Perhaps if the wipe of the device took place at a hardware level after X incorrect attempts?

pah

Agreed in general. As it is law enforcement have a number of avenues to try and get a phone pin unlocked.

But what about the psycopath that has kidnapped your child? He's been caught somehow but no sign of the child in 24hrs. His iphone is sitting like a paper weight on the desk. He will not unlock it no matter what. Would you still feel the same?

liamo

You could use that example to justify absolutely anything. If it was my child I'd happily tie the psycho down to a table and chop pieces off him, apply electric shocks, flay him alive and pour salt on his wounds until he gave me what I needed. However, that's not the case here.

Today it's the bypassing of a security feature (the bricking of the phone after max failed attempts) but only for that specific phone - the court order does identify the phone's serial number and IMEI and tie the order to that specific device.

Once the court's order has been carried out I've no doubt that there will be another specific case and then another. Then there'll be a group of potential terrorists who need to have data on their phone remotely captured. Where does it end?

Once this precedent has been established it's only a question of scale and scope.

pah wrote: »

But what about the psycopath that has kidnapped your child? He's been caught somehow but no sign of the child in 24hrs. His iphone is sitting like a paper weight on the desk. He will not unlock it no matter what. Would you still feel the same?

Khannie

Google CEO just jumped into the fray on Twitter (on Apple's side).

anvilfour

liamo wrote: »

You could use that example to justify absolutely anything. If it was my child I'd happily tie the psycho down to a table and chop pieces off him, apply electric shocks, flay him alive and pour salt on his wounds until he gave me what I needed. However, that's not the case here.

Today it's the bypassing of a security feature (the bricking of the phone after max failed attempts) but only for that specific phone - the court order does identify the phone's serial number and IMEI and tie the order to that specific device.

Once the court's order has been carried out I've no doubt that there will be another specific case and then another. Then there'll be a group of potential terrorists who need to have data on their phone remotely captured. Where does it end?

Once this precedent has been established it's only a question of scale and scope.

Hi liamo,

The problem you have here as I explained above is that you cannot provide firmware to unlock one specific phone in this way. If a copy of this backdoored firmware found its way into the wrong hands then it could potentially be used to unlock any iOS device without a Touch ID.

hooplah

So they're not demanding one device is decrypted, they're demanding that Apple allow a backdoor. If the FBI can brute force a device then so can others.

Looking to the future for service providers I think it might become the case that if they are able to pass on your info then they will be forced eventually to do so. The best way forward is to have it so that they cannot hand over keys / info. I think theis is the way Signal operates - they cannot access or decrypt your info.

If providers are forced to create ****ty software that allows them to see everything then ideally consumers will move to providers outside the US.

That said I can't see the UK being far behind the US on this. Would the rest of the EU go the same way?

anvilfour

pah wrote: »

Agreed in general. As it is law enforcement have a number of avenues to try and get a phone pin unlocked.

But what about the psycopath that has kidnapped your child? He's been caught somehow but no sign of the child in 24hrs. His iphone is sitting like a paper weight on the desk. He will not unlock it no matter what. Would you still feel the same?

Pah,

You're referring to the "ticking bomb scenario" - it's a fairly old argument and has been debunked fairly thoroughly here for instance.

Aside from the fact that this scenario makes a lot of assumptions which wouldn't hold true in reality, you also have to ask what would happen if you or someone you cared about were innocent of the crime for which you were suspected but wanted to keep your data private all the same.

If you think you have nothing to hide, suggest you have a read of the following:

http://www.wired.com/2013/06/why-i-have-nothing-to-hide-is-the-wrong-way-to-think-about-surveillance/

Also wonderful quote from Edward Snowden:

"Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."

anvilfour

What is heartening for me as an Apple employee is that this dispute suggests that there isn't an actual backdoor built into devices. Apple doesn't have a warrant canary any more AFAIK, so I was concerned.

If the Police contact us from UK or elsewhere in Europe at least, there's a specific e-mail address for law enforcement enquiries, that's all I know.

As far as I'm aware there's no actual back door but of course there are regular exploits to bypass the lock screen and in particular if you have access both to an iPhone and a computer that was sycned with it via iTunes, there's a good chance you can reset the code or access data via backups.

My understanding as well is that iCloud backups are encrypted with a master key which Apple can unlock although I am too far down the ladder to know either way.

Needless to say if you have sensitive personal information it's best to keep it encrypted and offline, no matter what device you use!

liamo

Hi AnvilFour

I understand and completely agree with your point.

I was referring to the court order and the justification of it. That is - "it's only for this one device". The order (a copy of which is here, if anyone's interested) does address, in a reasonably abstract way, the linking of the software to the specific device :

The SIF (Software Image File) will be coded by Apple with a unique identifier of the phone so that the SIF would only load and execute on the Subject Device.

I'm not at all familiar with Apple hardware or software and have no opinion on whether this order is possible or not so your input into this is helpful.

Regards

Liam

anvilfour wrote: »

Hi liamo,

The problem you have here as I explained above is that you cannot provide firmware to unlock one specific phone in this way. If a copy of this backdoored firmware found its way into the wrong hands then it could potentially be used to unlock any iOS device without a Touch ID.

anvilfour

Hi liamo,

Thanks again for sharing your thoughts - you're absolutely right in saying the court order was intended for one particular device in a certain set of circumstances.

No doubt the Judge signed the order in good faith too, believing this was feasible.

Ignoring the ethical and legal implications for a second though, it's not possible to create a version of iOS with weakened security for an individual device - for Apple to digitally sign a custom version of the firmware and hand it over is tantamount to giving the FBI a way to bypass the passcode on pretty much every iPhone. (It might not work on devices with a Touch ID like the 5s, 6 and 6s but let's not stray too far off topic!)

Even if the device were handed to Apple and a custom version of the firmware was created in controlled conditions, if anything of consequence was found, Apple would most likely be called on to substantiate how they did it to make sure the suspect has a fair trial.

Other people have also pointed out that even if Apple could comply with these orders on a case by case basis without comprising other people's data, the process itself is open to abuse.

I had thought by putting encryption keys in the hands of customers that erosion of civil liberties like this by the government wouldn't be possible but it seems you can trust the FBI to find a way.

liamo wrote: »

Hi AnvilFour

I understand and completely agree with your point.

I was referring to the court order and the justification of it. That is - "it's only for this one device". The order (a copy of which is here, if anyone's interested) does address, in a reasonably abstract way, the linking of the software to the specific device :


I'm not at all familiar with Apple hardware or software and have no opinion on whether this order is possible or not so your input into this is helpful.

Regards

Liam

cowboyBuilder

So are apple taking a moral stand here ?

I don't understand, they have sweatshops running in China :S :S

anvilfour

cowboyBuilder wrote: »

So are apple taking a moral stand here ?

I don't understand, they have sweatshops running in China :S :S

Aside from the fact that simply isn't true (at least not in the way I understand sweat shops!) it's off topic. If you want to start a thread about Apple's corporate work practices in Asia, please feel free though - if you want to comment here, please let's talk about the matter at hand!

liamo

Apple is a business. There's not much room for morality and I doubt it played much of a part in this.

Frankly, it was the only position that they could take. Who's going to buy a phone from a company who might hand over all of their users' data to the FBI?

If Apple don't win this one, Google and Microsoft might be next. Who says it has to be just phones? Why not PCs?

cowboyBuilder wrote: »

So are apple taking a moral stand here ?

I don't understand, they have sweatshops running in China :S :S

cowboyBuilder

liamo wrote: »

Apple is a business. There's not much room for morality and I doubt it played much of a part in this.

Frankly, it was the only position that they could take. Who's going to buy a phone from a company who might hand over all of their users' data to the FBI?

If Apple don't win this one, Google and Microsoft might be next. Who says it has to be just phones? Why not PCs?

In fairness it's an extreme case !.

anvilfour

cowboyBuilder wrote: »

In fairness it's an extreme case !.

The situation is extreme! However complying would mean risking the FBI and anyone who gets their hands on the firmware could read the data of any device they can physically access under any circumstances.

gctest50

anvilfour wrote: »

The situation is extreme! .....

It's not extreme!!!1!!! - that's just drama queen carry on from Apple looking for free publicity - in a few days they'll comply

1 Infinite Loop Cupertino needs a 747 cargo plane stuck in it and see how they'd react then

AlanG

Apple want to show they are more powerful than a democratically elected legislator. They want the protection of being based in a country with clear laws but they don't want to cooperate with the upholding of those laws. If this was in the country where Apple run their sweatshops Tim Cooke would be in jail by now.

The people elected the government that made the laws being upheld - Apple are trying to circumvent those laws and in the process are helping terrorists. This is no different than the Swiss banks who helped hide the assets of despots throughout the world - after all if they gave information of the money stolen from those genocide victims it would have been a slippery slope.

The only difference here is that Apple have a great marketing department and are considered cool by people who buy into that image.

Apples great marketing department is trying to make it out that their massive corporation is being picked on by the nasty government (aka. the elected representatives of the American people).

AlanG

liamo wrote: »

Who's going to buy a phone from a company who might hand over all of their users' data to the FBI?

In fairness most apps you install look for permission to access almost all data on your phone and additionally most IT literate people accept that anything on the net will eventually be easily accessed by those determined enough to get at it.
Perhaps the FBI should buy Angry Birds and then most phone users would just sign over their phone data at the next update and change of terms.

If you have anything from Apple, Google or Facebook on your phone you are not too concerned about privacy. These companies will hand over you data if they can make money from it.

This all seems like a publicity stunt from Apple which is putting peoples lives at risk by hampering an investigation into terrorism.

anvilfour

AlanG wrote: »

In fairness most apps you install look for permission to access almost all data on your phone and additionally most IT literate people accept that anything on the net will eventually be easily accessed by those determined enough to get at it.
Perhaps the FBI should buy Angry Birds and then most phone users would just sign over their phone data at the next update and change of terms.

If you have anything from Apple, Google or Facebook on your phone you are not too concerned about privacy. These companies will hand over you data if they can make money from it.

This all seems like a publicity stunt from Apple which is putting peoples lives at risk by hampering an investigation into terrorism.

I hear a lot of this from certain security researchers who seem convinced that the only way to keep your data safe is go and live in a cave somewhere - it's nonsense.

I keep a backup of my personal files in an encrypted container online - the header is removed prior to upload. Without the salt included in the header there is no way that even a Quantum computer could access the data, no matter how much time they had.

This doesn't mean of course that perfect security exists at all times but it's nonsensical to say that data you share over the internet will inevitably be compromised - in any case these days we're all about making cracking someone's password impractical, not impossible.

Anyway, I do share your concern about how readily people hand over their personal data to big companies like Facebook but that's their choice. It's also the choice of privacy conscious people to keep their data just so - today it's an investigation into Terrorism ; if Apple caves in then tomorrow it'll be ordinary users who are at risk for the reasons already outlined.

As for the publicity stunt, Apple didn't ask the FBI to try and break into someone's device, they simply said no, in an open letter.

liamo

Yes - it was, perhaps, a little melodramatic and a bit lazy.

However, if Apple are forced to crack this device it's not unreasonable to wonder if the FBI, having established precedent, could get court orders requiring Apple to design a remote-user-data retrieval "feature".

Then we're at the point where people may wonder if they are vulnerable to the FBI slurping their data at will. That's not going to help Apple's sales.

That's the point I was trying to make.

cowboyBuilder wrote: »

In fairness it's an extreme case !.

liamo wrote: »

Who's going to buy a phone from a company who might hand over all of their users' data to the FBI?

liamo

AlanG wrote: »

Apple want to show they are more powerful than a democratically elected legislator.

Er, what?

They want the protection of being based in a country with clear laws but they don't want to cooperate with the upholding of those laws.

Apple must comply with the law.
Apple are also entitled to object and oppose unfair, illegal, unjust, unconstitutional (take your pick) rulings or orders or instructions. That's what they're doing.

If this was in the country where Apple run their sweatshops Tim Cooke would be in jail by now.

Ignoring entirely the "sweatshops" jibe - are you seriously suggesting that China is a better place because the government can't be challenged?

The people elected the government that made the laws being upheld - Apple are trying to circumvent those laws and in the process are helping terrorists.

Exercising a democratic right is not circumventing laws nor is it helping terrorists.

This is no different than the Swiss banks who helped hide the assets of despots throughout the world - after all if they gave information of the money stolen from those genocide victims it would have been a slippery slope.

Poor and incomplete reasoning. One does not follow the other.

The only difference here is that Apple have a great marketing department and are considered cool by people who buy into that image

Not that I agree with you anyway... but I don't see your point.

Apples great marketing department is trying to make it out that their massive corporation is being picked on by the nasty government (aka. the elected representatives of the American people).

No. They're defending themselves as they are entitled to do.

anvilfour

AlanG wrote: »

Apple want to show they are more powerful than a democratically elected legislator. They want the protection of being based in a country with clear laws but they don't want to cooperate with the upholding of those laws. If this was in the country where Apple run their sweatshops Tim Cooke would be in jail by now.

The people elected the government that made the laws being upheld - Apple are trying to circumvent those laws and in the process are helping terrorists. This is no different than the Swiss banks who helped hide the assets of despots throughout the world - after all if they gave information of the money stolen from those genocide victims it would have been a slippery slope.

The only difference here is that Apple have a great marketing department and are considered cool by people who buy into that image.

Apples great marketing department is trying to make it out that their massive corporation is being picked on by the nasty government (aka. the elected representatives of the American people).

I agree it's a sad state of affairs that a private company are having to force a government to abide by the Constitution it is sworn to upheld but here we are!

There are unjust laws, just as there are unjust people. Swiss Banks are a bit of a red herring- if there was evidence of specific wrongdoing then an individual's bank records can be released - here you'd need to create a backdoored version of iOS that could potentially be placed on any phone.

As for being in a country with alleged sweatshops, perhaps you might want to take your own advice. We live in a country where the government by and large doesn't punish us for criticising it - governments in dictatorships are able to infringe human rights precisely through using technology like "the Great Firewall" and backdoored versions of computer programs and operating systems. Do you want to be next?

This has absolutely nothing to do with being cool and hip, it's a matter of your rights and mine as an individual.

Update : Further to my last post, it's worth pointing out that the US government has repeatedly criticised China for trying to force software companies to place a backdoor in their products. The hypocrisy is staggering!

anvilfour

Short extract from Tim Cook's letter which explains the issue at hand more succinctly than I can :

We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.

gctest50

anvilfour wrote: »

Short extract from Tim Cook's letter which explains the issue at hand more succinctly than I can :

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

Why not unlock it in the Apple Labs ( as in on Apple's property) in the presence of the FBI staff

Then dig out what they need and let them get on with it

gctest50

anyway - it specifies the serial number of the phone and so on - see attachment

The SIF will be coded by Apple with a unique identifier of the phone so that the SIF would only load and execute on the SUBJECT DEVICE

liamo

Hi

Your points are well made and would reassure some that there is little risk to privacy from this fenced-off operation.

On it's own, and with these "protections" built-in, it doesn't seem (on the face of it) that it's an entirely unreasonable request.

Others, of which I am one, would wonder if the various three-letter security agencies of the US can be trusted with this.

The ability to bypass the phone's security feature does not exist at the moment. Once created, it's very unlikely that Apple will destroy the work as it is quite likely that there will other "once-off" court orders and they're not going to want to re-create it from scratch again and again.

The existence of this back-door is likely to be too great a temptation for security agencies to ignore and they'll be banging down Apple's door with "once-off" court orders.

Who's to say that the scope of the court order will not expand to cover other security features of the phone? Is it unreasonable to think that the security agencies might want their own control over the back-door and demand that Apple hand it over?

There are so many instances of

• wholesale monitoring of citizens and their data;
• blatant abuses of technology and legal process;
• complete lack of regard for the privacy of US (and, let's not forget, EU) citizens;

by security agencies that it is not unreasonable to assume that any tools that weaken security will be abused by these same agencies.

These (and more) reasonable and justifiable concerns are at the heart of Apple's efforts to resist attempts by the FBI to compel them to create this tool.



Not specifically related to this post but to the topic in general : I came across the FBI's motion to the court for this order. It doesn't really add much but it was interesting to read and is here if anyone's interested.

gctest50 wrote: »

Why not unlock it in the Apple Labs ( as in on Apple's property) in the presence of the FBI staff

Then dig out what they need and let them get on with it

gctest50 wrote: »

anyway - it specifies the serial number of the phone and so on - see attachment

anvilfour

gctest50 wrote: »

Why not unlock it in the Apple Labs ( as in on Apple's property) in the presence of the FBI staff

Then dig out what they need and let them get on with it

I've already answered that question, please use scroll button!

anvilfour

gctest50 wrote: »

anyway - it specifies the serial number of the phone and so on - see attachment

As has been pointed out a dozen times already in the thread, it's not possible to create a version of the firmware to unlock this specific phone. Please read before commenting! Thanks.

liamo

anvilfour wrote: »

As has been pointed out a dozen times already in the thread, it's not possible to create a version of the firmware to unlock this specific phone. Please read before commenting! Thanks.

You have indeed made this very point earlier in this thread. Tim Cook's letter would seem to support your point:

The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks.

However, I do find it interesting that the FBI, in their motion to the court, says that this can be done.

Apple has the ability to modify software that is created to only function within the SUBJECT DEVICE

the SIF (Software Image File) would be created with a unique identifier of the SUBJECT DEVICE so that the SIF would only load and execute on the SUBJECT DEVICE.

The judge, in his order, also refers to this

The SIF will be coded by Apple with a unique identifier of the phone so that the SIF would only load and execute on the SUBJECT DEVICE.

If Apple are able to demonstrate to the satisfaction of the court that it cannot carry out this instruction - that is, software that will only load and execute on that device - I wonder does that nullify the entire order? If it does, I don't expect the FBI to give up. Nor do I expect Apple to be the only company to be on the receiving end of similar orders.

I don't expect this to be over quickly!

anvilfour

liamo wrote: »

You have indeed made this very point earlier in this thread. Tim Cook's letter would seem to support your point:



However, I do find it interesting that the FBI, in their motion to the court, says that this can be done.




The judge, in his order, also refers to this


If Apple are able to demonstrate to the satisfaction of the court that it cannot carry out this instruction - that is, software that will only load and execute on that device - I wonder does that nullify the entire order? If it does, I don't expect the FBI to give up. Nor do I expect Apple to be the only company to be on the receiving end of similar orders.

I don't expect this to be over quickly!

Before the SIF could be coded to an individual device, a generic version would have to be created (at least that is my understanding). It is not possible to create a weakened version of iOS and be certain it'll only be used in this one circumstance ; also if the defence dispute the evidence found on the phone, it's likely that the code would be made available to the court.

It's also important to see the bigger picture. If it's a gunman this time, who will it be next? I like the idea of a Judge signing search warrants on a case by case basis but it's not technically feasible to allow access to just one device without risking everyone else's privacy. Sorry, it just isn't, even if you create a weak version of iOS under controlled conditions.

gctest50

anvilfour wrote: »

Before the SIF could be coded to an individual device, a generic version would have to be created (at least that is my understanding). .....

It is not possible to create a weakened version of iOS and be certain it'll only be used in this one circumstance

course it is unless you don't trust yer programmers not to run off with it


Zerodium were offering 3 million for ios9 fun n games :

The Million Dollar iOS 9 Bug Bounty is tailored for experienced security researchers, reverse engineers, and jailbreak developers, and is an offer made by ZERODIUM to pay out a total of three million U.S. dollars ($3,000,000.00) in rewards for iOS exploits/jailbreaks.

https://www.zerodium.com/ios9.html

anvilfour

gctest50 wrote: »

course it is unless you don't trust yer programmers not to run off with it


Zerodium were offering 3 million for ios9 fun n games :

They're not "my" programmers and this is a lot bigger than corrupt employees. As I mentioned previously the defence would most likely need a full disclosure on how iOS was bypassed.

Once this genie is let out of the bottle and a less secure version of iOS is made, it would only take one mistake for it to end up in the wrong hands.. or of course the FBI could just keep trying to pressure Apple to reveal data on people's devices on a case by case basis indefinitely.

As for jailbreaks and exploits, there's no doubt these exist for iOS devices. However in this case the only way to bypass the passcode would be to flash a less secure version of the firmware onto the device.

The answer is no.

No, no, a thousand times no!

Impetus

If some ‘law officer’ has a good case against someone, let them get a court order to force the mobile phone manufacturer/agent to supply a certified printout of everything that is stored on the phone of the suspect in question – addressbook, caller/called list with date and time, addresses, textos, celltowers, etc . In that way, it helps catch criminals, but leaves billions of normal honest people outside of a broken encryption state, where their devices would be weakened and made even easier to hack etc.

Otherwise they may as well put serial numbers on barcodes on ballot papers in an election, so they can monitor the voting choices of each citizen.
And some might be tempted to take things even further.

A line has to be drawn. Period.

I don’t particularly like Apple (the only thing I share with Trump), and I suspect that their stance is part of a marketing campaign rather than a real commitment to customer privacy and security.

However, I have to agree with much of Tim Cooke’s case in this instance.

anvilfour

Impetus wrote: »

If some ‘law officer’ has a good case against someone, let them get a court order to force the mobile phone manufacturer/agent to supply a certified printout of everything that is stored on the phone of the suspect in question – addressbook, caller/called list with date and time, addresses, textos, celltowers, etc . In that way, it helps catch criminals, but leaves billions of normal honest people outside of a broken encryption state, where their devices would be weakened and made even easier to hack etc.

It's a nice idea Impetus but not very feasible if you want to prevent honest people having their encryption broken like you said.

For starters we're already in a situation where a court order has been made to try to force the mobile phone manufacturer to reveal what is on the device. Apple have (rightly refused).

The issue here is that even if the phone is brought securely to Apple, a non-secure version of iOS would still have to be developed - once this was on the phone it could be copied to other devices (admittedly this would be difficult). Also once a non-secure version of iOS has been created it could also be copied onto any other device as we've already discussed.

Even if Apple produced a shopping list of the data mentioned, if it were used in court the Defence would most likely need access to data on how the information was gathered to make sure the suspect gets a fair trial, making it quite likely that the code for a non-secure version of iOS will end up in the wrong hands.

Don't forget also that the FBI have the phone so they can get a court order from the cellphone provider to release details about numbers dialled, the rough location of the phone at any given time etc.

anvilfour

Please see the FAQ about this matter here on Apple website:

http://www.apple.com/customer-letter/answers/

Please read this before commenting as we've had the same points come up several times now.

gctest50

anvilfour wrote: »

Please see the FAQ about this matter here on Apple website:

http://www.apple.com/customer-letter/answers/

Please read this before commenting as we've had the same points come up several times now.

Has Apple unlocked iPhones for law enforcement in the past?

No..............




For devices running the iPhone operating systems prior to iOS 8 and under a lawful court order, we have extracted data from an iPhone.


We’ve built progressively stronger protections into our products with each new software release, including passcode-based data encryption, because cyberattacks have only become more frequent and more sophisticated. As a result of these stronger protections that require data encryption, we are no longer able to use the data extraction process on an iPhone running iOS 8 or later.
Hackers and cybercriminals are always looking for new ways to defeat our security, which is why we keep making it stronger.



We are now helping terrorists worldwide

.

liamo

The case for fighting the court's order has been made a few times in a few different ways in this thread.

While you are most definitely entitled to your opinion, it would count for more if you were to back it up with a little explanation. As it stands, it's little more than a soundbite.

Why do you say "We are now helping terrorists worldwide"?

There are many other means of encrypting voice and data that have nothing to do with Apple. If Apple (and/or others) are compelled to break or weaken security on their devices, the people who most want to keep their secrets will find a way to do so. Terrorists and criminals will still do what terrorists and criminals do and nothing will have been achieved except to weaken security for everyone else.

Care to comment with something a little more substantial?

gctest50 wrote: »

We are now helping terrorists worldwide

anvilfour

gctest50 wrote: »

.

The idea that promoting the use of encryption without a backdoor is aiding terrorism is a very old one and has been fairly thoroughly debunked.

You can readily take the time to find this out yourself but the most compelling arguments against mandated backdoors or key escrow for encryption products are :

- It's largely ineffective, at least in the case of bulk data collection. The NSA program for instance failed to prevent a single terrorist incident.

- Split key encryption (whereby the government has a copy of a key to unlock everyone's personal data) is not technologically feasible. Even the FBI has admitted this already. Even if we could come up with backdoored devices/software there'd be nothing to stop people from using alternatives or even creating their own. Even if you introduced a national standard for encryption where the government has the master key, terrorists are known for not obeying the rules.

- As pointed out earlier in the thread and by this paper written by the foremost computer security experts in the world, any attacker who discovers the backdoor e.g Chinese Intelligence services would have access to your personal information. Again Terrorists would simply avoid using such backdoored products but innocent people's privacy could be compromised.

- Further to the above, A new worldwide survey of encryption products, compiled by noted cryptographer Bruce Schneier and colleagues Kathleen Seidel and Saranya Vijayakumar, shows just how rich the worldwide catalogue of encryption products is for anyone seeking alternatives.
Bruce who is probably the world's best known expert on Computer Security says : "The implication: "Any mandatory backdoor will be ineffective simply because the marketplace is so international."".

A good example is one of Bruce's own encryption algorithms Blowfish (old but reliable!) - Source code available here though in reality you could write it on the back of a napkin.

- This said, in countries where access to the internet is severely curtailed e.g Cuba, a mandatory backdoor would be an ideal way for a dictatorship to crack down on dissidents. Again Terrorists would have more resources to get their hands on an alternative product.


TLDR : A "key under the digital door mat" is a bad idea is because it is :

- Unfeasible to set up given how prolific encryption products are.
- Unfairly affects innocent people.
- Doesn't help stop Terrorists who will switch to different products.
- Further to the above there is little evidence to support the idea that mass surveillance prevents terrorism.
- Could be exploited by foreign governments to spy on our citizens or dissidents in their own regime.

BigEejit

Anyone remember this news: http://www.telegraph.co.uk/news/uknews/3333366/Half-of-councils-use-anti-terror-laws-to-spy-on-bin-crimes.html

If they make a law compelling Apple to break their own encryption to gain access to someones data, its only a matter of time before that same law is abused by other parts of government.

anvilfour

See article here where Tim Cook hits back at FBI handling of the case:

http://www.bbc.com/news/technology-35656553

drcortex1124

FBI fails to make its encryption case to Congress:

In a Congressional hearing today that included both Apple’s chief attorney and government officials, FBI head James Comey didn’t win many people over to his side.

The meeting allowed both sides to make their arguments for and against Apple creating a less secure version of the iPhone’s operating system that would allow officials to get by the password lock on a dead terrorist’s phone. And things seemed to go squarely in the company’s favor, although it was not without its caveats.

This hearing was the latest development in a series of legal battles that have had Apple squaring off with law enforcement to protect their devices’ encryption schemes. While the FBI has claimed that it would only use the modified operating system on this one phone in this one case, Apple has said that even creating the software would compromise the security of hundreds of millions of devices. And an apparent win for Apple in front of Congress and another ruling in its favor on another case suggests that privacy is winning out over security.

Comey claimed that it was counterproductive for companies to create security that they themselves couldn’t crack and compared such measures to “vicious guard dogs.” He also claimed that device makers were creating “warrant-free spaces” that could stifle law enforcement investigations.

“The logic of encryption will bring us to a place in the not-too-distant future where all of our conversations and all our papers and effects are entirely private,” he said, as if that were a bad thing.

Once he got over some technical difficulties at the start, Apple’s general counsel Bruce Sewell accused investigators of trying to bypass the debate over encryption and public safety. Apple has repeatedly said that it wants the legislature, not the judiciary, to have the final say in this matter.

Congressman James Sensenbrenner, whose criticism of the NSA’s surveillance actions make him no stranger to the privacy debate, told Sewell that he’s “not going to like what comes out of Congress” if it reaches that point.

But Comey’s testimony — and Congress’ questioning of it — provided the most insight into the case. Representatives picked apart the FBI director’s claims one at a time, getting Comey to admit that changing the iPhone’s iCloud password was part of the reason the government had to make increasing demands on Apple, as well as the possible legal ramifications that could have officials in China or Russia also asking Apple to provide backdoor access to their devices.

Source : Cult of Mac.

Sin City

Looks like the battle is over as FBI unlocks Iphone using a third party (Iseraily intelligence)


http://www.independent.ie/world-news/fbi-unlocks-gunmans-iphone-through-third-party-after-apple-battle-34579939.html