Encryption

[Krom]

So have any of you been following the FBI vs Apple case on unlocking that iphone?

I find this case alarming because what the FBI wants is incredibly dangerous, but also completely unnecessary if they were just willing to put in a trivial amount of effort.

In the past, I've worked for people who had a computer suddenly die on them. The power supply burned out the motherboard, the southbridge was smoldering, the computer would never work again, but they had stuff on it they needed. So no problem, I opened up the case, lifted out the hard drive, dropped it into a drive dock attached to a working computer and copied the stuff they needed directly off the drive. And that is relevant here, because the iphone is at its heart a computer. It is like a laptop, or a desktop; open it up inside and it has various components, including a storage component. What the FBI wants isn't access to that whole working iphone, what they want is access to the data stored within it. Open up the case and inside is a flash memory chip, which is the iphone equivalent of a hard drive. The FBI needs only to get some fairly specialized but commercially available equipment to be able to read all the data off that memory chip without actually going through the phone itself. After that, they can then brute force the encryption pin code on the copy they made with total impunity and no need for any assistance from Apple.

This equipment is the kind of stuff a data recovery company would have, if someone needed something off a phone that was damaged beyond repair and no longer functional, a data recovery company specializing in flash memory could still get it off. And the phone that this lawsuit is about still works, which makes it even easier. Just send the phone to such a company and have them image the data off the internal flash memory, and there is no need to risk breaking encryption on a global scale.

I mean seriously, what would the government be saying right now if China was suing Apple so they could unlock an iphone they had obtained from a US diplomat?

[Jeff250]

My understanding is that the generated encryption key isn't created just as a function of the passcode. It's also a function of a hardcoded key in the phone's hardware that isn't directly retrievable. Without knowing the hardcoded key, you would have to search the entire keyspace of whatever encryption algorithm the phone uses, which is most likely computationally intractable, compared to just having to search the much smaller passcode space. So if they want to search just the passcode space, then they need to go through the phone.

[Ferno]

[Sergeant Thorne]

What any intelligence agency wants in our day, IMO, is for their system to have access to all information for use in a relational database format. This way all they have to do is keep their system apprised of their current concerns, as it were, and your data basically raises its hand if it fits the bill, and gets in line in order of importance. One could make a funny ad, if one were so inclined, about information privacy: I picture a person standing at a cross-walk, or in an elevator with a law enforcement officer, and their smart phone in their hand begins to talk directly to the officer, suggesting that it suspects you of being in criminal activity and that the officer really ought to haul you in for questioning. Another good one might be a crowd of people sitting at a lecture, with the speaker asking personal questions of the crowd and their smart phones immediately volunteer answers for them and even competing over for who best characterizes the question being asked with embarrassing anecdotes.

I don't think the FBI is interested in just breaking into a phone they have in their physical possession, because it's extraordinarily inefficient by comparison. Anyone who doesn't give a damn about our constitutional right to privacy would much rather make their job easier by putting everything everyone is and does at their fingertips. I promise you, anyone in intelligence today wouldn't be caught dead without relational databases, and "privacy" is simply a fading obstruction.

[Foil]

My understanding is that the generated encryption key isn't created just as a function of the passcode. It's also a function of a hardcoded key in the phone's hardware that isn't directly retrievable. Without knowing the hardcoded key, you would have to search the entire keyspace of whatever encryption algorithm the phone uses, which is most likely computationally intractable, compared to just having to search the much smaller passcode space. So if they want to search just the passcode space, then they need to go through the phone.

Thanks for the clarification.

From what I understand (correct me if I'm wrong), the FBI is demanding that Apple create a mechanism for obtaining the hardcoded hardware key. Creating such a mechanism, effectively breaking the hardware security, is what Apple is balking at.

[Jeff250]

Although that would be sufficient, I don't know if that would be easy to do. My understanding is that the FBI wants Apple to create a new software image that just removes the limitation on the number of passcode entry attempts (I think they also want Apple to create a facility that allows them to automatically guess passcodes too, but when you are dealing with a 4-digit number, you can give just give it to a student intern to manually try all 10,000 combinations).

[woodchip]

So why doesn't Apple just say, OK FBI, give us the phone and we'll get the data but we won't write a program that you can use to get into any Iphone. The other thing I heard was the phone was a company phone and as such the business could of accessed the data as they have the ability to change the password. True?

[Tunnelcat]

Because the FBI wants the whole shebang, the lock AND the key, and they're willing to make a pubic case for it. They're getting tired of those pesky court orders. I think however, that the tactic may backfire on them because what they want is way beyond the legal norm. Of course, if there's another bad terrorist attack, Americans will side with the FBI and turn over their privacy to the FBI and every cyber criminal in the world, all in the name of "safety".

[Spidey]

Apple should just tell the government that they don’t have the technical expertise to do what they want, and be done with it.

[Grendel]

My suggestion to the FBI: talk to the NSA.

[callmeslick]

My suggestion to the FBI: talk to the NSA.

I think that number is unlisted.

[Vander]

So why doesn't Apple just say, OK FBI, give us the phone and we'll get the data but we won't write a program that you can use to get into any Iphone. The other thing I heard was the phone was a company phone and as such the business could of accessed the data as they have the ability to change the password. True?

Doing it once effectively does do it for any phone because it sets precident. Not only does it show that Apple has written the software they are refusing to write, (which is compelled speech) it signals their willingness to circumvent their own security for the FBI. The FBI (and other law enforcement agencies) will simply bring them more phones to repeat the process. Apple has specifically written their software so as to take themselves out of this loop. They are willing to do what they can within their system as designed (for example they'll provide icloud backups) but they won't write software to specifically circumvent the security they've designed.

My understanding of the company phone angle is that the employer had control over the icloud account. They reset the icloud password at the FBI's request, which prevented them from initiating a phone backup. If they had left the icloud password alone, they could've initiated a backup, and then pulled the phone data from the icloud backup. But since they changed the password on the icloud account, and they didn't know the PIN on the phone to change that icloud password on the phone, they effectively locked themselves out.

[Lothar]

if the FBI wanted in to the phone, they'd talk to the NSA, the Air Force, or any of the other agencies that are good at hacking.

But this case isn't about this phone. This case is about precedent. The FBI wants to establish a legal precedent that compels tech companies to create backdoors for them, so that they can unlock any phone or any other type of device in any investigation with minimal effort. They want to be able to say to Microsoft "unlock the following 10,000 computers for us" and to Samsung "unlock the following 3,000 phones for us" and to Apple "unlock the following 8,000 iDevices for us" and be able to get at everyone's personal data in broad, sweeping strokes with only the barest of justification.

https://www.eff.org/deeplinks/2016/02/t ... phone-case

https://www.eff.org/deeplinks/2016/03/n ... s-whatsapp

[woodchip]

Vander, thanks for clearing that up.

[snoopy]

I'm curious to see how this goes. It really has the feel for a watershed case to me...

EDIT: It looks like we'll have to wait for another day: link