US DoJ files motion to compel Apple to obey FBI iPhone crack order

The US Department of Justice has today filed a motion compelling Apple to comply with a court order to help the FBI break into a killer's iPhone. On Tuesday, a magistrate judge in central California granted an order filed by the Feds that requires Apple to reprogram San Bernardino murderer Syed Farook's smartphone with a …


            1. This post has been deleted by its author

          1. JeffyPoooh Silver badge
            Pint

            Re: Honest Question

            John H Woods - "The 'serious' encryption is universally the XOR function -- No, it isn't."

            At its heart, yes it is.

            Advanced Encryption Standard: "...InitialRound - AddRoundKey - each byte of the state is combined with a block of the round key using bitwise XOR." "The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR."

            Note the "XOR" mentioned.

            Yes, there's also some shuffling and such. But it's nearly universal that there be an XOR function at the heart of any cryptographic system, ...obviously.

            You were clearly incorrect in your rebuttal. Clearly.

            1. John H Woods Silver badge

              Re: Honest Question

              "Yes, there's also some shuffling and such. " -- JeffyPooh

              This "shuffling and such" is far more critical to the cipher than the use of the XOR function. If this did not happen, then a plaintext attack vulnerability would exist. None of what you have quoted supports the statement you made, which I rejected, that "The 'serious' encryption is universally the XOR function"
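The point in dispute above, as a toy illustration added here (not code from either commenter, and not AES): rounds made only of XOR collapse to a single fixed mask that one known plaintext/ciphertext pair reveals, while adding a substitution and a bit shuffle breaks that shortcut. The 8-bit block, the round keys and the use of the PRESENT cipher's 4-bit S-box are assumptions chosen for the example.

```python
# Toy 8-bit "ciphers" for illustration only; neither is secure.
# Round keys are constructed sample values.
ROUND_KEYS = [0x3A, 0xC5, 0x7E, 0x19]

# 4-bit S-box taken from the PRESENT block cipher, used here simply as a
# convenient non-linear substitution.
SBOX4 = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
         0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def xor_only_encrypt(byte, round_keys):
    """Every round is just AddRoundKey: state ^= round_key."""
    state = byte
    for rk in round_keys:
        state ^= rk
    return state


def substitute(byte):
    """Apply the 4-bit S-box to each nibble (the non-linear step)."""
    return (SBOX4[byte >> 4] << 4) | SBOX4[byte & 0xF]


def rotate_left(byte, n=3):
    """The 'shuffling': a bit rotation that moves bits across nibbles."""
    return ((byte << n) | (byte >> (8 - n))) & 0xFF


def spn_encrypt(byte, round_keys):
    """XOR round key, substitute, shuffle; final round key XORed at the end."""
    state = byte
    for rk in round_keys[:-1]:
        state = rotate_left(substitute(state ^ rk))
    return state ^ round_keys[-1]


def mask_is_constant(encrypt, round_keys):
    """True if plaintext ^ ciphertext is the same value for every input."""
    return len({p ^ encrypt(p, round_keys) for p in range(256)}) == 1


def known_plaintext_attack(encrypt, round_keys, known_plain, target_plain):
    """Learn plaintext ^ ciphertext from one known pair, then use it to read a
    second ciphertext. Returns True if the second plaintext is recovered."""
    mask = known_plain ^ encrypt(known_plain, round_keys)
    target_cipher = encrypt(target_plain, round_keys)
    return (target_cipher ^ mask) == target_plain


if __name__ == "__main__":
    print("XOR-only mask constant:", mask_is_constant(xor_only_encrypt, ROUND_KEYS))
    print("XOR-only broken by one known pair:",
          known_plaintext_attack(xor_only_encrypt, ROUND_KEYS, 0x41, 0x5A))
    print("With S-box + shuffle, mask constant:",
          mask_is_constant(spn_encrypt, ROUND_KEYS))
    print("With S-box + shuffle, same shortcut works:",
          known_plaintext_attack(spn_encrypt, ROUND_KEYS, 0x00, 0x01))
```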

        1. Tom 38 Silver badge
          Headmaster

          Re: Honest Question

          The WWII Enigma machine had billions and billions of combinations in the 'keyspace', but because they sent weather reports in standard format, and ended with "HEIL HILTER", the nearly-infinite rotor settings fell out each morning in about 20 minutes.

          Who is this Hilter character, sounds interesting.

          PS: If a few of them had ended like that, it would probably have taken us a little longer each day.

    1. Rainer
      Megaphone

      Re: Honest Question

      Someone on reddit explained it very well: part of the key is wired to the hardware of the phone.

      You can't clone that part. The data has to be decrypted on that specific phone.

      It's even more (much much more) complicated on later phones.

      Apple has thousands of people working on this thing (the iPhone) and employs some of the smartest minds on this planet to think of every possible attack vector.

      Later phones probably even shield against side-channel attacks (measuring minuscule discrepancies in power-usage etc) to help guess the key that is stored outside the control of iOS on the "secure enclave".

      Today, it might be an iPhone. But what if (in a future that may be not so far away) it was possible to directly read data from the brain?

      You'd use it every day at work, probably, and in your spare time. You'd think of a flower and your brain would send that image via your phone to someone else's phone and from there it would directly reach the brain. The device to enable this would be built in such a way that it wouldn't work without you giving explicit consent to this "transfer".

      But what about when you committed a crime? Would law-enforcement be allowed to "tap your brain", against your will to recover details of the crime that you yourself didn't want to tell?

      What if you were in a coma? Would it be OK to tap your brain? After all, when they asked you, you didn't really object ;-)

      The above mentioned device would have to be modified to allow overriding the protection-mechanism.

      So, quite rightfully, Tim Cook takes a stand and says "it has to stop somewhere".

      Because it has to.

      Maybe Tim Cook thinks, this is his "Rosa Parks" moment. It was a small thing at the time. But somebody had to do it and as remarked by someone above, both sides may think this is the case of all cases to drag into the limelight.

  1. This post has been deleted by a moderator

    1. This post has been deleted by its author

  2. Anonymous Coward

    Something doesn't compute

    Why is it that critical that someone has access to this one phone?

    What sort of undeniable, ultimately incriminating evidence do they expect to find there?

    Or is that some detective going all cocky and thinking "it'd be cool if I ask those guys to backdoor the thing for me, it'll make me look important", and then he gets told to fuck off and decides to adopt what the Spaniards call the "por mis cojones" approach?

    Bit unrelated, but that attitude reminds me of their gaffe back in Pristina, when that Merkin General thought it'd be a great idea to send the (British) troops under his command to take on the Russians, the advisability of which was contested by field commander Captain Blount and his superior General Jackson then proceeded to tell the Merkin where to stick his idea, then trod off to meet the Russians, bottle of Scotland's finest (no, not Irn Bru) under his arm. Like the Merkin General, someone at the FBI is going to lose his job over this. As he should, for such an incredibly stupid idea.

    1. Anonymous Coward

      Re: Something doesn't compute

      Why is it that critical that someone has access to this one phone?

      How about 14 murdered people, 22 severely wounded, many bereaved families wanting answers, unknown accomplices possibly yet to be discovered.

      What sort of undeniable, ultimately incriminating evidence do they expect to find there?

      Who knows, but if it does point to fellow conspirators you'd sure as hell want to find out. This is not a game.

      And given that this is a global problem we all have an interest in the criminal investigation finding out as much as possible. Who knows where the next one will be? Might happen in your neighbourhood, it could happen to you and your family. I guess that would teach you the importance of the rule of law.

      At the moment Apple are rapidly gaining a reputation as "the Terrorist's friend". If Apple succeed in resisting this order that won't go unnoticed. It would unfortunately be a big encouragement to the kind of guys who commit these crimes. Want to conspire and coordinate an atrocity? Use an iPhone. I don't think Apple has thought this through very well. If there are a string of attacks and each time there's nothing to go on but a locked iPhone and an encrypted iCloud account, it will be difficult for Apple to deny that they materially assisted. That won't be so good for their reputation or for the ongoing liberty of some of their CEOs...

      How would you feel if someone you loved got murdered and Apple refused to play ball?

      1. Tessier-Ashpool

        Re: Something doesn't compute

        How would I feel? For the greater good I would applaud their stance wholeheartedly. It's narrow self interest otherwise, blinded by emotion.

        1. Anonymous Coward

          Re: Something doesn't compute

          How would I feel? For the greater good I would applaud their stance wholeheartedly. It's narrow self interest otherwise, blinded by emotion

          Yeah right. I'm sure you would.

          You're basically saying that there should be nothing to stop a bunch of guys getting together and forming a terrorist network, plotting, committing a string of atrocities and succeed in protecting the rest of the network before, during and afterwards. You don’t know what the rule of law and freedom are.

          If US society keeps heading in this direction the law and order deficit being espoused by the likes of Apple (who are cravenly reflecting your own opinion in the misguided drive for short term profits) will have a detrimental effect on your freedom. Enjoy...

          1. Adrian 4 Silver badge

            Re: Something doesn't compute

            Americans used to be proud of Benjamin Franklin.

            When did he lose his reputation ?

          2. John H Woods Silver badge

            Re: Something doesn't compute

            "Yeah right. I'm sure you would."

            No need for hypotheticals --- one of the victims' mothers, Carole Adams, supports Apple in this matter.

          3. ckm5

            Re: Something doesn't compute

            There is nothing to stop bad guys from doing anything - all the technology in the world will not stop them, that's just wishful thinking. There were terrorists before iPhones, some were way more successful than the current crop (cf. https://www.washingtonpost.com/news/worldviews/wp/2015/11/18/terrorisms-long-history-in-paris-where-the-french-ask-how-the-story-ends/)

            Making everyone unsafe by using the legal system to create bad public policy is not the role or mission of government agencies or anyone in the executive branch. As someone said upthread, the FBI is asking Apple and ALL OF US to "Please leave all your doors & windows wide open to help us catch the murderous thugs & rapists who are roaming your neighborhood."

            Any way you slice it, it's a very, very bad development - it's the kind of cavalier abuse of legal power that has already undermined the US tech industry in many ways, most visibly in the current EU privacy mess.

      2. Michael Thibault

        Re: Something doesn't compute

        >Why is it that critical that someone has access to this one phone?

        >How about 14 murdered people, 22 severely wounded, many bereaved families wanting answers, unknown accomplices possibly yet to be discovered.

        An argument based on emotion. Meaning an argument that is entirely context-specific (and so not generalisable) and one which blithely ignores, or is ignorant of, the role of precedence in law.

        I'll resist the temptation to go all Rumsfeldian on the 'possibly yet unknowns' tangent.

        >What sort of undeniable, ultimately incriminating evidence do they expect to find there?

        >Who knows, but if it does point to fellow conspirators you'd sure as hell want to find out. This is not a game.

        And if there turns out to be no evidence?

        Isn't the court order having been sought at all based on speculation of there being something (or anything at all) to follow up on? It's a fishing expedition! And in at least two ways. And it is a game. One with long-lasting and far-reaching implications for just about every living soul on the planet--phone or no phone.

        1. bazza Silver badge

          Re: Something doesn't compute

          An argument based on emotion.

          In all jurisdictions a murder investigation is a legal obligation. They don't happen simply because someone is a bit upset about it.

          OK, so murder is practically a national pastime, and the terrorists are going to have to really go for it to make a significant contribution to homicide statistics, but I'm not aware of any state where an investigation is somehow optional.

        2. Anonymous Coward

          Re: Something doesn't compute

          Meaning an argument that is entirely context-specific (and so not generalisable) and one which blithely ignores, or is ignorant of, the role of precedence in law.

          Speaking of context specific, the FBI are asking for specific assistance for this specific iPhone in this specific case. I know they are being a bit thick vs Microsoft and their data centre in Ireland, but in this case they are asking for very limited and sensible assistance.

        3. Anonymous Coward

          Re: Something doesn't compute

          And it is a game.

          Real life mass murder is a game?

          Heard about a guy called Hitler? Or someone called Stalin? Do you think people go to school or cinemas for the thrilling chance of being shot at?

          Get real.

          1. Anonymous Coward

            Re: Something doesn't compute

            "Heard about a guy called Hitler? Or someone called Stalin?"

            Exactly, that's the problem - everything they did was legal.

            1. Anonymous Coward

              Re: Something doesn't compute

              Exactly, that's the problem - everything they did was legal.

              Er, mixed messages. In their domestic legal systems maybe, but that was not the only 'jurisdiction' in play.

              They got away with it partly because there was no such thing as TV or small video cameras. Being the perpetrator of secret atrocities is one thing, having those hidden acts publicised on CNN is another thing entirely and will spoil any villain's breakfast. Everyone knows that these days, which is why at the first hint of trouble countries seem to disable the Internet.

              Hitler, had he been captured alive, would have ended up at the Nuremberg Trials like all the other senior Nazis did.

              Stalin was publicly (and shockingly) condemned by his successor, which is probably as close to a public trial as a premier in Soviet Russia was ever likely to get.

              The rule of law and order is paramount. If it is allowed to decline, you can end up with a Hitler running the country. Remember that Hitler was "democratically" elected by the German population in 1933 against a background of unchecked aggression on the part of his henchmen. Had the policing system in Germany been able to bring that aggression to a halt at an early juncture, history may have turned out very differently.

              Ok, so a dispute about a locked iPhone is hardly along quite the same scale. But if Apple succeed in resisting and iPhones really do end up giving bad guys an impregnable means of communicating that's never going to be good for law, order and democracy. The FBI wouldn't even be able to rely on the Wire Fraud act.

              Conflicting Requirements

              There is a fundamental conflict in the Requirements that apply to the Internet.

              First, we want the good guys to be able to quietly go about their business in private, free from snooping by other guys.

              Second, we want the bad guys to not be able to quietly go about their business in private, we want them snooped on by other guys so that they can be prevented from killing people.

              The trouble is that the technology we have cannot tell the difference between good guys and bad guys. To resolve that someone somewhere has to do some snooping, preferably before the next 9/11, but definitely afterwards.

              Most of the good guys seemingly want no snooping at all, which is tremendously helpful to the bad guys too. All Apple are doing is going along with that (cynically, to protect their short term profits). I don't think Apple should be that worried - nothing else has stopped people buying a lot of iPhones, and being helpful to the FBI now and then wouldn't stop them either.

              What is Tim Cook Up To?

              Tim Cook, like everyone else, relies on the rule of law and order so as to be able to enjoy a quiet life. One wonders what Apple's attitude would be if the San Bernardino shootings had affected him personally. Ok so they didn't, but he must surely be sensitive to the need to properly investigate all aspects of the case.

              I don't know how it has come to pass that the FBI felt it necessary to go with a public hearing to get a court order to compel Apple to assist. Did the FBI ask privately and did Apple refuse? It would certainly have been more to Apple's liking that this matter had remained private. Clearly the relationship between the FBI and Apple has broken down to the point where the FBI has decided to go nuclear. That's everyone's fault, including Apple's, but probably mostly the politicians who have failed to set a clear and reasonable framework in which law and order can operate effectively in today's technological world. The FBI, with the very puzzling FBI vs Microsoft case, haven't exactly been helping either.

              Now that everyone knows that Apple could technically do this, they're going to be told to do so by a lot of countries with less restrained legal systems than the USA. For many governments it's very easy for them to say "give us a policeman's back door to iPhones or we'll close down your business and block your servers". It'd be a much cheaper way of doing it than the approach China has taken. They've basically rendered phone crypto irrelevant because they control the services to which a phone can connect.

              1. SolidSquid

                Re: Something doesn't compute

                > Er, mixed messages. In their domestic legal systems maybe, but that was not the only 'jurisdiction' in play.

                > Hitler, had he been captured alive, would have ended up at the Nuremberg Trials like all the other senior Nazis did.

                Being charged under laws which were written post-WW2 specifically for the punishment of the crimes committed by the Nazis and their allies and to prevent anyone else committing the same atrocities. While I'm not saying I agree with what they said, at the time they committed the crimes their domestic legal system *was* the only jurisdiction in play, it's just another one was created post-war so they could be charged.

                And asserting Apple could technically do this isn't the same as them actually being able to, and certainly not the same as them being able to do it in as narrow a context as the FBI claims they can. They may well be fighting this to prevent a precedent being set rather than because, in this specific case, they don't want to cooperate.

        4. Anonymous Coward

          Re: Something doesn't compute

          Apple are complicit because they are denying a court ordered search warrant for the contents of this phone. Speculation as to contents does not matter here. It is not the private property of the terrorists though it is the property of the State of California. Thus there is NO PRIVACY ARGUMENT here!

          You people have even helped write the disclaimers you see when you join a domain or use the company network for a company owned device.

          The FBI have a duty to investigate EVERY aspect of this case. Apple is not allowed to deny them access to ANY phone or they will be in contempt of court. That contempt of court citation could have numerous penalties that don't have ANY recourse, including search and seizure of Apple itself.

      3. John H Woods Silver badge

        Re: Something doesn't compute

        "How would you feel if someone you loved got murdered and Apple refused to play ball?"

        How would you feel if someone you loved got murdered because Apple did play ball? For instance someone that ISIS wanted to target, and who was very careful and discreet, is nevertheless killed because one of their kids lost their iPhone and it ended up in the wrong hands?

      4. gnasher729 Silver badge

        Re: Something doesn't compute

        You said "Who knows, but if it does point to fellow conspirators you'd sure as hell want to find out. This is not a game."

        That's what is called a fishing expedition. No reasonable judge should ever give out a search warrant for that kind of thing. You can't get a search warrant because there might be a crime and there might be evidence. You need a reasonable cause to believe that there _is_ evidence. You may turn out to be wrong, but you need the reasonable cause to start with.

        The actual case is solved. The perpetrator will never be convicted because corpses cannot be convicted. There is actually little reason to believe that there is anything incriminating on that phone: The perpetrator destroyed a computer hard drive and two phones, obviously to destroy evidence. He didn't destroy this phone. The obvious reason would be that there is nothing of interest on it.

        It's his work phone. You wouldn't keep evidence of a crime on your work phone. Any time your boss could come to you and say "Joe over there has to go on a trip and his phone is being repaired, please give him your work phone". And then Joe gets curious and finds your weapons purchases... Would _you_ use your work phone to call your terrorist friends, or to watch porn (just something else you wouldn't want people to know), when you own two other phones?

        1. Anonymous Coward

          Re: Something doesn't compute

          > Would _you_ use your work phone to call your terrorist friends, or to watch porn

          What if I work for the PIRA and part-time for xHamster on the weekends?

      5. KeithR

        Re: Something doesn't compute

        "At the moment Apple are rapidly gaining a reputation as "the Terrorist's friend". "

        Like much of the cities of New York and Boston in the 70s, citizens - and politicians - of which were openly sponsoring the IRA's bombing campaigns in the UK.

        Not as much fun when it happens to you, eh?

      6. Anonymous Coward

        Re: Something doesn't compute

        > How about 14 murdered people, 22 severely wounded, many bereaved families wanting answers, unknown accomplices possibly yet to be discovered

        Nice straw man you've got there, me fellow AC! :-)

    2. KeithR

      Re: Something doesn't compute

      Oh yeah - the Merkin General who was literally prepared to start WW III by getting BRITISH soldiers to attack the Russians squatting on a relatively strategically unimportant airstrip in order to capture it.

      Fucking bell-end. Bet he shouted "Hooah" a lot though...

      We just waited until the Russians were a bit hungry and thirsty, shared some of our rations, and they let us walk in...

  3. This post has been deleted by its author

  4. Unicornpiss Silver badge
    Meh

    Surely...

    The government has the resources to remove the flash storage, copy the data, and just brute force it. Or based on the exploits they are holding in reserve, they must have extensive knowledge of all smartphones and could engineer their own firmware. Perhaps they already have and this is just a smokescreen to limit public reaction to our lack of privacy, or the "easy way" is being tried first. Or perhaps I'm giving too much credit where it is not due?

    1. This post has been deleted by its author

      1. JeffyPoooh Silver badge
        Pint

        Re: Surely...

        John H Woods "Brute forcing AES256 is possible, of course, but would take some time - at least 10^30 years."

        Which is why, in the entire history of *modern* cryptography, simple unguided brute forcing is rarely (ever?) used.

        The WWII Germans made the same trivial error as you just did. They did the trivial math on the rotor setting combinations, and came to an incorrect conclusion. Churchill read their mail before they did.

        I've posted above about 'Known Text' and 'nonce'. Just two of likely many-thousands of possible attack vectors.

        Yes, it's good to know the 'rules' of cryptography. But it's even better to understand the exceptions.

        1. Steve Todd

          Re: Surely...

          With enigma the problem was a combination of a mathematical weakness in the algorithm, combined with known text, that allowed the Bletchley Park code breakers to very much reduce the search space. AES on the other hand has been the product of multiple cryptographers and much analysis to look for weaknesses, none practical having been found.

          1. JeffyPoooh Silver badge
            Pint

            Re: Surely...

            None?

            Wiki copy-and-paste from the 'Side-channel attacks' section:

            << In October 2005, Dag Arne Osvik, Adi Shamir and Eran Tromer presented a paper demonstrating several cache-timing attacks against AES.[33] One attack was able to obtain an entire AES key after only 800 operations triggering encryptions, in a total of 65 milliseconds. This attack requires the attacker to be able to run programs on the same system or platform that is performing AES.

            In December 2009 an attack on some hardware implementations was published that used differential fault analysis and allows recovery of a key with a complexity of 2^32.[34]

            In November 2010 Endre Bangerter, David Gullasch and Stephan Krenn published a paper which described a practical approach to a "near real time" recovery of secret keys from AES-128 without the need for either cipher text or plaintext. The approach also works on AES-128 implementations that use compression tables, such as OpenSSL.[35] Like some earlier attacks this one requires the ability to run unprivileged code on the system performing the AES encryption, which may be achieved by malware infection far more easily than commandeering the root account.[36] >>

            The [numbers] lead to citations in case you don't trust Wiki. I'd just like to preempt the most obvious rebuttal to a Wiki source. I'm just a bit lazy...

            Consider also that the investigators could use a de-soldering station, etc.

        2. Anonymous Coward

          Re: Surely...

          I've posted above about 'Known Text' and 'nonce'. Just two of likely many-thousands of possible attack vectors.

          Yes, it's good to know the 'rules' of cryptography. But it's even better to understand the exceptions.

          It is worth noting, however, that all your posts are based on an as yet unproven assumption that Apple has made the sort of trivial errors that would indeed reduce the available keyspace. Apple screwed up (IMHO) with the quality of fingerprint reader they've used, but as far as I can tell, their crypto is fairly solid and I think we can safely assume they can read those reports you have been quoting too. Security on the iPhone has been incrementally getting better, and they had to get it right in software before they finally managed to add the hardware support for it so I disagree with you that breaking this will be as much a walk in the park as you seem to think based on the videos you've seen and some limited Wikipedia browsing.

          We are heading towards another lovely question here, though: even if we assume the FBI succeeds in compelling Apple and so start a takedown of the whole Silicon Valley (the only positive would be the demise of Facebook, really), the question remains if Apple can break the phone.

          After all, you are talking about developing new software that has to undo a well established process that may not work. What if Apple itself bricks the phone? Is Apple then going to be guilty of contempt, no matter what it does? There is no guarantee so far that Apple can indeed do what is demanded and that demand, by the way, included the phrase "REASONABLE efforts" - a concept I think we're straying well beyond.

          Even in the case Apple gets compelled, there is still no guarantee that the phone can be breached. At the moment this is but theory.

          I have another question. If this is a company phone, and said company is the government, why was that phone not in an MDM? Who screwed up there?

          1. JeffyPoooh Silver badge
            Pint

            Re: Surely...

            AC (John?) "...as yet unproven assumption that Apple has made the sort of trivial errors that would indeed reduce the available keyspace."

            The latest crypto and latest implementations are just the latest in a very long line.

            It's called Inductive Reasoning to see the sun 'rise' in the East every morning and leap to the unproven hypothesis that it'll almost certainly continue to 'rise' in future mornings.

            It's extremely unlikely that the iPhone 5C will end up in a museum as the very first perfect implementation in history.

            In fact, the Feds have already identified an attack vector. It's underway and they're very likely to succeed.

            There would be 'N' such attack vectors. The theory that 'N' = 0 is extremely unlikely.

            "...trivial errors..."

            The crackers find implementation errors that are sometimes trivial (often only in hindsight), but sometimes they find implementation errors that are unbelievably subtle. Other times they're exploiting an inherent physical or design weakness, that may have nothing directly to do with the security designers.

            The attacks do not "reduce the available keyspace" (you're still stuck in that same limited thinking, sigh... seriously, please stop...). The side-channel attacks often reveal the key almost directly. The key could be a million bits and their attack would still read it out bit by bit.

            Just because I can't be arsed to give you anything more than a quote from Wiki, it doesn't mean that I don't have a shelf bulging with books on the history of cryptography. Cryptographer-Hubris is a recurring theme in history. I'm here to make the world a better place by gently mocking such dangerous cryptographer-hubris.

            You'd be a better person if you drop the naive faith in cryptography. Learn the endlessly recurring history. We've been through this exact same cycle so many times before.

            (Unless you're a terrorist. Then, please... ...trust the crypto fully.)

            1. Anonymous Coward

              Re: Surely...

              Just because I can't be arsed to give you anything more than a quote from Wiki, it doesn't mean that I don't have a shelf bulging with books on the history of cryptography. Cryptographer-Hubris is a recurring theme in history. I'm here to make the world a better place by gently mocking such dangerous cryptographer-hubris.

              The FBI has one particular vector in mind, and that is killing the time delay and max count of the PIN code so they can iterate through the possible PIN codes without the device killing the master key which would require the content to be broken with more traditional means.

              Side channel attacks are only found when someone has already used the correct key and the system and state changes that occur as a result of that can be observed, analysed and possibly replicated. As there is no correct key yet, there's nothing to observe.

              Even a shelf full of crypto history books won't change that...
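A simplified model of the two protections discussed in this thread, added here as an illustration and not Apple's implementation or any commenter's code: a key tied to a per-device hardware secret (the "part of the key wired to the hardware" point) and the PIN time delay and max count described in the post above. The KDF choice, round count, delay schedule, wipe threshold, UID and PIN are all assumptions constructed for the example.

```python
import hashlib
import hmac

KDF_ROUNDS = 100     # deliberately tiny so the example runs in about a second
MAX_ATTEMPTS = 10    # assumed wipe threshold for this model
# Assumed delay in seconds imposed after the Nth consecutive failure.
DELAY_AFTER_FAILURE = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}


def derive_key(pin, device_uid):
    """Entangle the PIN with a per-device secret (modelled as the PBKDF2 salt)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_uid, KDF_ROUNDS)


def key_check(key):
    """Value kept in flash that lets the device tell a right key from a wrong one."""
    return hashlib.sha256(b"key-check" + key).digest()


class ToyPhone:
    def __init__(self, pin, device_uid, enforce_limits=True):
        self._uid = device_uid            # never leaves the hardware in this model
        self.enforce_limits = enforce_limits
        self.failed = 0
        self.enforced_delay = 0           # seconds of lockout accumulated
        self.wiped = False
        self.flash = {"key_check": key_check(derive_key(pin, device_uid))}

    def try_unlock(self, pin):
        if self.wiped:
            return False
        candidate = key_check(derive_key(pin, self._uid))
        if hmac.compare_digest(candidate, self.flash["key_check"]):
            self.failed = 0
            return True
        self.failed += 1
        if self.enforce_limits:
            self.enforced_delay += DELAY_AFTER_FAILURE.get(self.failed, 0)
            if self.failed >= MAX_ATTEMPTS:
                self.flash.clear()        # key material discarded
                self.wiped = True
        return False


def offline_search(flash_copy, uid_guess):
    """Try every 4-digit PIN against a copied flash image with a guessed UID."""
    for n in range(10_000):
        pin = f"{n:04d}"
        if hmac.compare_digest(key_check(derive_key(pin, uid_guess)),
                               flash_copy["key_check"]):
            return pin
    return None


def on_device_search(phone):
    """Sequential guessing through the phone's own unlock path.
    Returns (pin or None, number of attempts made)."""
    for n in range(10_000):
        if phone.wiped:
            return None, n
        pin = f"{n:04d}"
        if phone.try_unlock(pin):
            return pin, n + 1
    return None, 10_000


def demo():
    uid = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed
    pin = "7391"                                                 # constructed
    phone = ToyPhone(pin, uid)
    flash_copy = dict(phone.flash)       # what desoldering the flash would yield
    return {
        # Copied flash, but the UID stayed in the hardware: no PIN ever matches.
        "offline_without_uid": offline_search(flash_copy, bytes(32)),
        # On the device with limits enforced: wiped after MAX_ATTEMPTS failures.
        "on_device_limited": on_device_search(phone),
        "phone_wiped": phone.wiped,
        "enforced_delay": phone.enforced_delay,
        # Same device with delay and max count disabled: the 4-digit space is
        # small enough that the limits were the control doing the work.
        "on_device_unlimited": on_device_search(
            ToyPhone(pin, uid, enforce_limits=False)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```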

            2. This post has been deleted by its author

        3. JeffyPoooh Silver badge
          Pint

          Re: Surely...

          John H Woods = this post has been deleted by its author

          Seriously?

          Boss reminded you not to post crypto topics from work? Your work being in GCHQ?

    2. Anonymous Coward

      Re: Surely...

      > The government has the resources to remove the flash storage, copy the data, and just brute force it

      It doesn't work like that¹. It is not "the government" trying, allegedly, to get at some data, but some employees in some division of some office of a police department.

      Unless they are far more stupid than one would give them credit for, I should expect their department of commerce to vehemently oppose the idea, not to mention their constitutional courts (whatever those are called in the US).

      ¹ Leaving aside for a moment that "the government" used to supposedly mean "those who represent me and run things strictly on behalf of me and my fellow citizens"

  5. dan1980

    "And how exactly do you, under the US Constitution, force programmers to write software . . ."

    Surely that is the pertinent question, no?

    Taking this out of the digital/computing realm and into the (slightly) more familiar physical world, we can compare this to a safe manufacturer.

    A safe manufacturer might be compelled to assist authorities by opening one of their safes using proprietary knowledge. This could be considered a sort of 'back door' in that the safe will likely have been built in such a way that one can open it without the combination - but only with detailed technical knowledge of its construction.

    Expanding on that, it is likely that, at least in advanced designs, specialised equipment will be required and this equipment may only be accessible to the manufacturer.

    Well and good, but let's imagine that the required specialised equipment does not exist. That is essentially the situation with Apple - the FBI is asking them to use their knowledge to custom-build a tool to break into their product.

    Which law grants them the power to compel a company to do such a thing?

    1. DainB Bronze badge

      As far as I understand new firmware has to be signed for phone to accept it. All FBI needs to have is a private key Apple uses to sign firmware, modification of firmware is not that complex.

      1. Mephistro Silver badge
        Black Helicopters

        Now, that..

        .. would be a really bad idea. If the feds have that private key, who -and how- could guarantee that they won't retain a copy of said key for similar occasions, without needing to resort to those pesky judges? or even for mass surveillance?

        1. DainB Bronze badge

          Re: Now, that..

          So you're fine with private corporation being able to update firmware on your phone whenever and however they want without your consent and probably even knowing it?

          1. Mephistro Silver badge

            Re: Now, that.. (@ DainB)

            "So you're fine with private corporation being able to update firmware on your phone whenever..."

            No, I'm not. That's why I don't trust my phone and use it in 'paranoid mode' whenever possible and only put data on it I don't mind being made public. A pain in the ass, and I haven't "much to hide", but I do it out of principle. For my PCs, I accept the updates manually, usually after a one day delay and some searching in technical forums, to see whether it comes with some nasty surprise. Not a perfect solution, I know, but it has saved me some trouble in the past.

            Anyway, there are several BIG differences between Google or Apple and American TLAs.

            The worst that these private companies can do to you is to cause your inbox to get filled with commercial spam, which is a big nuisance, but just a nuisance. On the other hand TLAs have been harvesting all the data they can about private citizens for many years, either breaking, corrupting or ignoring American laws, not to speak about other countries' laws. The reason they're doing this? So they can look for possible culprits or scapegoats AFTER a crime has been committed. So, even if you are not guilty of a crime, the fact that e.g. you were two times in the same area where two similar crimes were committed may well cause your home to be raided by armed FBI agents, you and your family arrested/interrogated/imprisoned until they find the culprit or a better scapegoat (if ever). This way, they can feed to the media an image of continuous success that's handy for getting promotions, medals and all that shit.

            Also, citizens can control Apple and Google by "voting with their wallets" or "voting with their browser". American TLAs have proved to exhaustion they can't be controlled neither by their own country's laws nor by the citizens.

            Allowing TLAs to break phones on a whim without any oversight is a really bad idea, and things are fucked up enough the way they're now, without giving them more tools.

        2. KeithR

          Re: Now, that..

          ".. would be a really bad idea. If the feds have that private key, who -and how- could guarantee that they won't retain a copy of said key for similar occasions, without needing to resort to those pesky judges? or even for mass surveillance?"

          Which is the entire crux of the matter - a fact lost to many on here, it seems.

    2. Anonymous Coward
      Anonymous Coward

      @dan1980

      re: "Which law grants them the power to compel a company to do such a thing?"

      Um, you miss the point - the US is not a nation of laws, it's a nation of optional laws. Some people or companies are above the law.

      The overriding US law is that the ends justifies the means.

  6. Frank N. Stein

    Who is it again exactly who confirmed that Apple actually can, or has ever successfully written a custom build of iOS that can be installed on a locked phone for which no one but a dead man has the unlock PIN? And why exactly is it that the FBI couldn't get the NSA to do it, given that they are supposed to be able to hack anyone's phone?

    1. bazza Silver badge

      Er, Apple kinda have confirmed it. They do so every time they put out an update.

      The whole point of signed firmware updates is that the existing firmware will trust them implicitly. Putting down a signed update that does what the FBI wants is easy for Apple. They have the source code and signing keys.

      There's fiddly bits and pieces concerning what user input is required to start the installation running, but the user plays no role in deciding whether the update is legitimate and from Apple. And unless Apple has used a mask ROM for the secure enclave on later phones (which seems unlikely - unupgradeable firmware can't be bug fixed), that too could probably be circumvented in a similar way.

      Signed updates are used by everything - Windows, Linux, OS X, BlackBerry, etc.

      The whole thing is fine so long as Apple or anyone else don't leak their signing keys. Apple are not being asked for those in this court order. They're being asked for a special update that works on this specific iPhone and no other (so it won't work on yours).

      Of course if they do leak the keys then there's no defence left. Keeping such keys on an Internet connected computer is asking for trouble.

      Unless NSA have got something really good (which I doubt) they can't realistically hack the keys either.
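The trust model described in the post above (the device checks only the vendor's signature, and an update can be bound to one specific phone), as an added sketch that is not from the thread and is not Apple's code. The toy RSA key, the field names and the device IDs are all constructed assumptions.

```python
import hashlib

# Toy RSA key from two Mersenne primes (constructed for this example; far
# too small for real use, chosen so the sketch needs only the stdlib).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public half, baked into every device
D = pow(E, -1, (P - 1) * (Q - 1))      # private half, held only by the vendor

def digest(image, target):
    """Hash the image together with the device it is meant for (or none)."""
    h = hashlib.sha256()
    h.update(b"personalised:" + target if target else b"generic:")
    h.update(hashlib.sha256(image).digest())
    return int.from_bytes(h.digest(), "big") % N

def vendor_sign(image, target=None):
    """Vendor side: sign an update, optionally bound to one device ID."""
    return {"image": image, "target": target,
            "sig": pow(digest(image, target), D, N)}

def device_accepts(update, my_id):
    """Device side: no user input is consulted, only the signature."""
    if update["target"] is not None and update["target"] != my_id:
        return False                   # signed, but for a different device
    expected = digest(update["image"], update["target"])
    return pow(update["sig"], E, N) == expected

# Constructed device IDs and firmware images.
PHONE_A, PHONE_B = b"DEVICE-0001", b"DEVICE-0002"
generic = vendor_sign(b"stock firmware image")
special = vendor_sign(b"custom firmware image", target=PHONE_A)
retargeted = dict(special, target=PHONE_B)   # header edited after signing
unbound = dict(special, target=None)         # binding stripped after signing

if __name__ == "__main__":
    for name, upd in [("generic", generic), ("special", special),
                      ("retargeted", retargeted), ("unbound", unbound)]:
        print(name, device_accepts(upd, PHONE_A), device_accepts(upd, PHONE_B))
```

Because the device ID is inside the signed digest, editing or stripping the target after signing invalidates the signature; everything else rests on `D` never leaving the vendor.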

      1. Charles 9 Silver badge

        "The whole point of signed firmware updates is that the existing firmware will trust them implicitly. Putting down a signed update that does what the FBI wants is easy for Apple. They have the source code and signing keys."

        Ah, but here's the rub. Last I checked, user intervention is required to actually perform a new firmware installation. You can have the phone download and keep the installation without intervention, but because people USE their phones everyday, every update I've seen requires the user to say OK first, and THAT requires unlocking the phone. So now, to turn something said once by Spike Milligan, the crowbar you need to open the crate is inside the crate.


Biting the hand that feeds IT © 1998–2019