I’m not surprised. When will the government learn that you cannot break encryption for some without breaking it for all, and that there is no (easy) way for apple to get into an encrypted device, even if they made it?
Texas Rangers have obtained a search warrant for the contents of a blood-splattered iPhone SE belonging to gunman Devin Kelley who killed 26 people in a murder-suicide at a church. Over the weekend, the US state's cops served the Cupertino phone-flinger a warrant demanding photos, messages and other potential evidence on …
I’m not surprised. When will the government learn that you cannot break encryption for some without breaking it for all, and that there is no (easy) way for apple to get into an encrypted device, even if they made it?
I remember reading that Apple after the last case closed a method where a firmware upgrade could be forced? As potentially they could have been forced to write a custom firmware that unlocked a device. So presumably now if a device is locked on current firmware Apple can say sorry no can do...
I think they know that!
I think they don't care, they want all devices easily decryptable...
there is no (easy) way for apple to get into an encrypted device, even if they made it
Have they tried ddmmyy? First 6 numerics of SSN?
They just want another high profile case, this time one where they can say "please Apple, won't you think of the children?" The Texas Rangers may have filed the warrant, but we know who is behind it.
It will be interesting to see if he was even using iCloud backups. Just having an iCloud account doesn't mean backups are enabled to it (though it defaults to doing so I believe) It will get a lot more contentious if Apple says "sorry, he didn't have anything backed up to iCloud and sorry we can't get into the phone".
"I’m not surprised. When will the government learn that you cannot break encryption for some without breaking it for all, and that there is no (easy) way for apple to get into an encrypted device, even if they made it?"
Looked at another way, in light of a court order, the only way Apple can refuse is if it's not technically possible. I can see why Apple might want to stall in that case because they rely on people believing it's not technically possible. It's not as if it would be financially non-viable for a company with Apples resources.
, something that makes encryption useless for everyone, as people who understand encryption have repeatedly pointed out.
The way it's written makes it sound like "privacy and security advocates" are somehow an obstacle to something desirable.
I've tweaked that sentence slightly but... it seems crystal clear to me. Govt wants backdoors, privacy people are opposed to that.
IIRC, rather than being Texas' equivalent of the FBI, the Rangers are Texas' state troopers. Instead of being focused on investigation as with the FBI, the Rangers commonly take on direct enforcement roles, as evoked by the famous quote above.
I was about to say that calling a state law enforcement agency the equivalent of a federal law enforcement agency is really strange. No offense to either agency!
Uh, well, we wanted to explain state troopers / rangers to a wider audience. Maybe FBI was the wrong analogy. I've tweaked the article.
A mentally defective person kills a bunch of people with a weapon he should have never had access to and the US Gummint is upset about a phone.
So the weapons are not an issue, but we gotta check his phone. NRA will demand a ban on encrypted phones to protect their gun rights.
WHAT ABOUT THE WEAPONS? The phone didn't harm anyone!
"WHAT ABOUT THE WEAPONS? The phone didn't harm anyone!"
that's a rather puerile argument - of course the phones didn't harm people, but nut jobs that commit these crimes rarely commit them in a vacuum - unless its just they are a total nut job.
Wanting to check out the comms of these scumbags is a valid line of investigation - regardless of whether it eventually yields fruit or not it would be irresponsible not to and down right criminal to prevent them doing so if its possible.
but nut jobs that commit these crimes rarely commit them in a vacuum - unless its just they are a total nut job.
Granted, 'the phone didn't harm anyone; is a little puerile, but has a point on the 'nujob/total nutjob' front.
Merely because some terror attacks are group efforts doesn't mean all are networked affairs, social or otherwise.
People rarely commit them in a vacuum, yes, There is always some set of circumstances that set them off down the road, but often what drives them all the way there is a vacuum they create themselves. What Terry Pratchett referred to as 'spiralling inward' (Men at Arms).
However it does appear law enforcement are in the habit now of 'throwing an embarassing tantrum' in public every time it comes to the 'social media/contacts personal associations' checkbox of the investigation and they can't tick the box.
"Wanting to check out the comms of these scumbags is a valid line of investigation - regardless of whether it eventually yields fruit or not it would be irresponsible not to "
Wanting to check out the phone IS a valid line of investigation.
Breaking encryption for everyone just so law enforcement have things a little easier is an awful breach of civil liberties AND a stupid invitation for criminals to take over the internet,
Limiting (not banning) firearm purchases to limited capacity magazines to sane people with no prior convictions is NOT an infringement of civil liberties, nor a violation of the US constitution (if only people knew what a militia is!!!)
>Wanting to check out the comms of these scumbags is a valid line of investigation
Even if they only had a dumb phone? There is an insidious concept here - that if data exists, it must be available to the authorities - even if it is utterly irrelevant.
"Wanting to check out the comms of these scumbags is a valid line of investigation - regardless of whether it eventually yields fruit or not it would be irresponsible not to and down right criminal to prevent them doing so if its possible."
The problem with your reasoning is that this isn't a cost free option and I'm not talking about financial cost. It's a cost in terms of the security of every phone of that type and, by extension every type of phone because this is what law enforcement really want. And it's not just the security of the phone itself, but of the contents and hence of the owner of those contents.
To provide such backdoors would be a trade off between two public interest issues. A crime investigator is not in a position to make that choice, especially in relation to a specific case. I've not even seen evidence that the political overseers of crime investigators have sufficient understanding to make that choice.
"Wanting to check out the phone IS a valid line of investigation."
If there was a chance to unlock the phone using the dead man's fingerprint and the investigation flubbed that they really don't have much of a leg to stand on in insisting the Apple do, at massive public interest cost, what they failed to do. I wouldn't like to be an investigator explaining to a court why I failed in the first place and why I think someone else should make up for may failure.
He was going to bring a bomb (which would have killed everyone) but he opted for a gun. How do you keep people from making bombs?
Size of the magazine is a detail - I'm not sure of the specifics in the USA, but in the UK for each calibre of ammunition, you have two limits - the number you can hold and the number you can buy at any one time.
e.g. Typically, for .22LR rimfire rounds (used for vermin control), that would be 1,200 holding and 1,000 purchase - the holding is larger so you can purchase in bulk as you run out to save money.
So, even in the UK, a person could have a LOT of ammunition. You just have to buy a lot of spare magazines and pre-fill them. You don't need a license for spare magazines.
Note that in the UK we're not allowed fully- or semi-automatic firearms as private individuals, or for that matter, pistols (except "black-powder") or assault weapons etc.
Oh, and we have a proper licensing system with vetting which, generally speaking, is extremely firmly enforced by each regional force.
People with power get really annoyed when they encounter any restrictions on the knowable. They are the Elites with The Right to Know All Things no matter the cost to others directly or incidental. It's no accident that this demand has been increasingly strident after a civil engineer took out the place where so much of the elites trappings of power were centered [World Trade Center]. We've spent trillions of money that doesn't exist to prevent the recurrance of such an attack. Whether that's possible or not.
I'm waiting for the next step after this, where it is not allowed to use additional encryption methods over and above that which normally is applied to a device. I use at least two here.
I can only recommend reading the book 'Secrets' by Daniel Ellsberg. It gives a nice insight on how people in power get sucked into the belief they know more --> they know better --> the public shouldn't know (because they don't know better) . Easy to see how this leads to a vicious circle of the government collecting and controlling information. This mind-set will, of course, destroy democracy (ref.: top-10 evil regimes of human history) , but that is easy to forget when you just focus on the current crisis.
No need to invoke deep conspiracies. But then, “Just because you're paranoid doesn't mean they aren't after you.” (Joseph Heller, Catch-22)
Architect and town planner, not civil engineer. If you mean who I think you're meaning. Other than that...
Having studied the cross-section of the social sciences and toss in a deep appreciation of history, you definitely don't need to require deep conspiricies. Just people being people. Nothing has changed in the last 7,000 years which is a damned shame. We'll jolly our way into the mass graves of our own free stupidity.
The Dark Ages? It was about restricting knowledge to the people to increase control.
Just bad record keeping.
Any argument that Apple should be compelled to write special software to unlock the phone (which was the one that the Government made with respect to the San Bernadino phone) has been fatally torpedoed by the fact that the Government apparently found a way to circumvent the security, removing the need for custom software.
If the could do it then, they can do it now....
That's what I was thinking too. Apple can point out that it's not a good use of taxpayers' money wasting it on lawyers when the government clearly has a way of achieving what they want without needing Apple to help.
Irrelevant to some point
if Apple are compelled to do so by a court then that's what they should do or face the consequences. The law applies to all of us, not just those who can afford expensive lawyers. If Apple are ordered by the courts and don't (assuming they can) then cell doors should be heard closing.
If you're ordered by a court to levitate 1m off the ground, even though that goes against the laws of physics, does that mean you should also go to jail because you cant do it?
Or to be a little bit less facetious (only a little bit admittedly), if you're ordered to hand over the keys to a Ferrari to the court even if you dont own one, and that means you will have to take out a huge loan, and then buy one, just to hand it over to the Courts, that you shouldnt fight that order to the best of your ability?
An iphone is an encrypted device. Creating a program to decrypt that device is not a trivial piece of work, it's highly expensive, would require numerous engineers and a lot of man hours of work, and in the end may not actually be physically possible (I'm not aware of what encryption they use on an iphone or whether they have methods to stop brute forcing or stop copies being made of the hard drive built in to the device). The encryption keys are not stored by Apple, so why should they be expected to know them or come up with a way to get around them.
Also, if an engineer at Apple refuses to work on this out of their personal beliefs, should they also go to jail? And if all their engineers refuse, what then?
When the lower Courts make unreasonable demands it's well within a person or company's rights to fight them. I'd be interested to know why you think Apple should bear the costs of breaking this encryption, not just the direct costs of working out a break (if it's even possible) but also the massive reptuational damage and almost certain loss in sales associated with having breakable encryption?
"Also, if an engineer at Apple refuses to work on this out of their personal beliefs, should they also go to jail? "
Yes, or Apple as a minimum should turf them as they are the ones being dragged through the courts.
I don't believe I should pay taxes which go to fund things like subsidising the restaurants in the houses of parliament or MPs second homes - but I have to - and if I don't I fully expect to be sanctioned by the courts system.
I can prove I don't own a Ferrari so wouldn't have to hand over my keys. The laws of physics say I cant levitate, so wouldn't have to prove that. If Apple can prove they have no physical way of doing the decryption then lay out the evidence, if Apple hadn't already worked out if its breakable or not before they put it out in the big wide world then they weren't doing their job back then as seeing if your system can be hacked is a fundamental in security design.
"if Apple hadn't already worked out if its breakable or not before they put it out in the big wide world then they weren't doing their job back then as seeing if your system can be hacked is a fundamental in security design."
Presumably when they did their tests, they weren't able to find a way to break it, and that's why the software got released.
I think that avenue has been paved over. There have been some updates and upgrades since the SB shootings. Apple have surely closed the hole the FBI paid for. Doesn't mean there aren't others, but they probably have not been found by law enforcement yet.
Apple have designed the system to be resistant to them breaking the encryption.
If the law were changed to prevent them from doing that, then the courts may well be able to order them to decrypt a device, but otherwise it's just the same as asking someone to prove a negative - it can't be done.
For example, Wallaby claims he can prove he doesn't own a Ferrari. Well, I'm sure he can generate enough evidence to create reasonable doubt as to whether he owns one or not, but there is no way to actually *prove* you don't own one. Same principle applies to Apple and breaking the encryption on their devices - which they have *specifically* designed to be secure (even from them).
"I can prove I don't own a Ferrari so wouldn't have to hand over my keys. The laws of physics say I cant levitate, so wouldn't have to prove that. If Apple can prove they have no physical way of doing the decryption then lay out the evidence"
You cannot prove a negative, you can only prove a positive. You cannot prove you do not own a Ferrari, in a bizarre incident someone may have just given you one. You can present evidence that shapes a belief that you do not own a Ferrari, but only a positive can prove you do own one.
Experience tells us humans cannot levitate, and yet the laws of physics have produced MagLev trains - trains that levitate. Positive proof of levitation. Just because you lack the desire to try does not prove it cannot be done.
Apple cannot prove there is no physical way to bypass the security, we can only take their word, and the word of their qualified peers, that is cannot be done. Courts have a duty to accept what is reasonable.
a very strong magnet. I infer that would work for humans, and possibly be cheaper than the approach involving the ISS or similar.
"f you're ordered by a court to levitate 1m off the ground, even though that goes against the laws of physics, does that mean you should also go to jail because you cant do it?"
Another puerile comment on the reg.. Let's hope you never suffer at the hands of a nutjob because law enforcement were hamstrung by encryption technologies.
"Another puerile comment on the reg.. Let's hope you never suffer at the hands of a nutjob because law enforcement were hamstrung by encryption technologies."
Considering the chances of suffering at the hands of a nutjob that is on the loose because of, as you say, law enforcement being hamstrung by encryption technologies (Chance - extremely f%&king low) or the chance of suffering at the hands of law enforcement authorities with the ability to invade people's privacy at will (Chance - high - based on the results of any regime which has got to that point in the past e.g. Stasi East Germany, Stalin's Russia, and to a lesser or greater extent modern China), I'll take my chances with the nutjob any day of the week!
Let's hope you never suffer at the hands of a nutjob because law enforcement were hamstrung by encryption technologies.
Says the Anonymous Coward. Deliberate irony, or just another idiot who thinks safety is the highest goal we can strive for?
You can't prove a negative.
"The law applies to all of us, not just those who can afford expensive lawyers."
Yes, of course. The majority of Apple customers won't be able to afford expensive lawyers to protect them against government overreach so it's just as well that Apple are doing that for them. I'm glad you appreciated that point.
The phone they got into before was a 5c, which does not have the secure enclave. This is an SE, which does. The method that was used to break into that other phone may not work on this one.
Not saying there isn't a way to break into this one, maybe there is, but the bar is a lot higher. They have to go through the motions of asking Apple and getting shot down again before they give it up to a third party company to have a whack at.
The FBI would probably prefer all third parties to fail to access it, so they can go to congress and whine about how evil Apple must be forced to give them a backdoor. I'm sure a lot of "tough on crime, clueless on technology" congressmen would be happy to go along with that, and we know the orange snowflake would sign such a bill since he's already spoken out against Apple last time. This fight could be much uglier than the last one if the phone is as secure as Apple intends.
Similarly, Apple would have to prove an impossibility -- if, with a gun to their collective head, they can't, in fact, break the encryption. Either because they've done their self-selected job well. Or breaking the encryption just isn't within the realm of the possible. Putting things another way: How much of an effort should Apple expend if they're forced to walk the plank? Should they be required to try until the heat death of the universe?
"How much of an effort should Apple expend if they're forced to walk the plank?"
If pushed enough they might just walk; de-list from the US stock exchange and go to live with their money on some island that has a climate to match California's.
The ability to break into an iPhone depends on the model and to a lesser extent on the iOS version.
The phone cracked by a third party was (if I recall correctly) an iPhone 5 or 5S (or as noted above, a 5c), and they have exploitable security holes that are no longer available in the more recent iPhone SE which has the on-chip secure enclave. So it is probable that the hack (I don't think the details of exactly what that hack was are in the public domain) that worked with the iP5 won't work on an SE.
Also worth noting that you get three "free" attempts at guessing a screen code, after that each successive failure is greeted by a longer period before another attempt can be made - assuming that the user hasn't set the permanently lock after X attempts flag. After the 4th failure one must wait 5 minutes for another entry attempt, after 5 I think it is 30 minutes, and so on up to 10. This does not, to my recollection, reset.
Many, if not most, iPhone users have a code with a visual pattern, so one could try that, but there are a lot of potential patterns; so not a strategy with a high probability of success given the limited number of possible tries.
Interesting that in the previous case, the phone's actual owner (the Utility the person worked for) had the ability to change the phone's password without knowing the actual login code and in fact did so. However that locked them out of the iCloud backup for the phone. So although they could access the phone itself they could not get to the extra information stored in iCloud.
The solution that is being asked for is for Apple to create a version of iOS that does NOT set a limit on the pass-code attempts so the number can be brute-force guessed. It will be at most (probably) a 6 digit number so the actual number of possible combinations isn't that large and is able to be brute forced reasonably quickly. It is secure in general because the inbuilt and not (other than through a forced iOS reload which Apple can force) avoidable hard limit on the number of actual guesses permitted before the phone locks up.
If they could do it then, they can't do it anymore today.
The iPhone 5c used by the San Bernardino shooter was the last iPhone model with the "Secure Enclave" chip. The procedure that was used to recover the data from that phone wouldn't work on an iPhone 5s, or any iPhone 6/6+/7/8/X.
"Yes, or Apple as a minimum should turf them as they are the ones being dragged through the courts."
Actually, such an engineer would demonstrate that he has the highest respect for the safety of Apple's customers and a high degree of work ethics, so Apple would never want to risk any such engineer.
If there are any subsidiary charges they should be brought on Air Farce personnel who failed to do their duty. This is the real breakdown in this case as he was found guilty of domestic abuse in a court martial. By US law, this should automatically bar him from ever buying or possessing a gun. In his case possession would have been a feral felony. However, the Air Farce (the same idiots who brought the F-35) did pass this conviction the national database.
Over here, when you buy a gun there is a mandatory feral background database check. If you are in the database, you can not buy a gun period. There are several specific reasons you can end up in the database (mental illness, felony conviction, etc.) States may add more restrictions like a waiting period before actually taking possession. Obviously the system requires diligence by low level bureaucrats who often do not care about doing their jobs correctly to make sure information is passed on.
Also, I doubt there is anything of real investigatory interest on his phone (or backups) that they probably do not already know from talking to people who knew him. They should have the phone logs by now and know who to talk to. Plus, who else are they going to charge as some of his intended targets appeared to be his in-laws.
Biting the hand that feeds IT © 1998–2018