To the FBI... I can recommend a girl called Chloe O'Brian. Can break anything. Lots of experience in a firm called CTU. Last seen in London wearing a lot of black clothing. Hangs out with a guy called Jack something or other.
First, the FBI assumes there is information they need on these phones and this is the issue with court orders they no long have to prove the information they seek actually exist, they just say they need to look to see if it does exist.
Base on some of the information which leak out like the computer they used were clean of any incriminating information, but why do you need incrimination information when you already know they did it. They also said they could not find the HDD of one of the computers which lead the FBI to believe they dispose of it. If they were this smart they probably cleared their phones of any information as well or dispose of the phones which had any information.
I think the police would have to first prove what they are looking for in fact exist before any court order is issue to gain access to information.
As someone already said, the FBI are idiots to making publicly known they are not able to gain access. This is not going to help their case pointing this out, The government will be hard press to change the rules since companies like Google and Apple will make sure the general public knows the government is trying to under mind your privacy.
BTW, if you encrypt you computer files and email with PGP the government can not break into that information either and that program has been around a long time.
The police only need to show probable cause. I think a mass shooting satisfies that.
Making it public is smart, because they'll get public support. People will choose their safety over their privacy.
Quote:
I don't want a back door... I would like people to comply with court orders, and that is the conversation I am trying to have," he explained.
End Quote
If that's all it takes, let's mandate via court order that all companies are profitable, all employees well-compensated, all citizens get unlimited paid vacation, all schools are free, all medical programs are free, all taxes are low and all days are sunny.
So before cellphones, how in the world did law enforcement do their job???? Oh, that's right, they used the resources they had! We spend BILLIONS of dollars every year on national security - let them do their jobs with what they already have. It's that simple. We DO NOT need to give them access to our information whenever they ask for it. We should be able to fully and securely protect our personal information. And please quit using the scare tactic of finding pedophiles as the reason law enforcement should have total access to our data. We do not live, thankfully, in an "any means necessary" society. If that's what you want, I'd be happy to point you to a couple places in other parts of the world that should meet your criteria.
This type of encryption is relatively new. This is the first time they have no way of accessing the information they need.
Australian researchers have recently demonstrated how to make quantum computers in silicon - easily and cheaply. Any encryption system other than a one time pad is obsolete.
Your referenced claim was "THE NSA says basically that you can't really wipe Flash at all and the only way to safely dispose of flash memory is to grind the chips into dust."
No such claim is made in that document. That's a guide for destroying things containing sensitive data, and I suspect they recommend grinding things up because they can't possibly write a document that covers the proper method for wiping data from the internal storage of countless different systems. The document is driven by practicality, not any fundamental technological limit.
It is possible to securely erase data from Flash/SSD devices, though the internal firmware of such devices may allow some blocks of data to remain in the redundant portions of the device. But, if you execute commands down at that firmware level, secure erasure is quite possible. If Apple were to claim that a secure wipe of an iPhone is indeed secure (and I've no idea if they do or not), I expect it would truly be secure. If you have sufficient control of the technology (and Apple does, via its Anobit acquisition), it's easy to do.
Yeah, well there’s a difference between you protecting your drunken orgy photos and a pedophile protecting the photos of abuse of a three year old child isn’t there. And for those who are always screaming about the Fourth Amendment try reading it sometime. It has an intentional back door that the founding fathers put there so legitimate, legal search and seizure can take place.
That's fine but there is also the Fifth Amendment that protects a person against being compelled to be a witness against himself or herself in a criminal case. I see their phone as being included in that protection...
The US Supreme Court has ruled that corporations are people, but not that computing devices are.
So providing the passcode (or biometry needed to unlock it) isn't self-incriminating, it is simply handing over the key to your house before they simply break down the door.
True, if you mean to compare them to a door that is unbreakable. No key, no entry.
Personally, I am a physician, and as such have degrees of patient information on my phone (legitimately, in HIPAA-compliant apps). As a result, I have made it difficult to get into my phone (no 4-digit PIN, etc.).
The FBI says they are not asking for a back door, but are simply asking for Apple to comply with a court order to access data (i.e. a back door).
If the back door exists, then hackers will quickly gain access, as they always do.
At this point, they have access to patient data on my phone. Does this place me in violation of HIPAA laws because of the FBI-mandated back door? In practice, the answer is "no," since I have taken the proper safeguards, but it does not change the fact that some hacker out there has sensitive patient information.
P.S. In case people wonder why patient information would be present on a phone... we have lists of the patients we see, emergencies about patients that get documented, critical labs, etc. At least in my world, the old pager is history. Everything is done by phone now.
If it has a finger print sensor, warm up their dead fingers and have at it.
Its already been ruled that a person can be compelled to unlock a device with their finger prints with a court order. Though they can not be compelled to enter a password/passcode. In this case I would say that the finger prints taken of the "terrorist" could be used to create a high quality 3D print to open the phone. But if was not locked with a finger print then obviously that wouldn't work. Also it might be so far passed the time the phone was last unlocked that its requiring a passcode
Yeah, well there’s a difference between you protecting your drunken orgy photos and a pedophile protecting the photos of abuse of a three year old child isn’t there. And for those who are always screaming about the Fourth Amendment try reading it sometime. It has an intentional back door that the founding fathers put there so legitimate, legal search and seizure can take place.
Can you cite, please? Olmstead Case, and Katz v US seem to say otherwise. But I could be wrong.
Unfortunately, the modelling process needs a perfect fingerprint (not the smudged, distorted kind you find on a mobile phone), several days and several attempts, a skilled technician, and a lot of luck. This is probably why the process seems to only have been tried once or twice successfully under perfect lab conditions. Certainly nothing you can do in a hurry if you're trying to prevent a criminal act.
The process also destroys the original fingerprint, so you can't reuse it if the process fails. And of course, if you make too many attempts (which you may do because you don't know which fingers were used to lock the phone) then you will probably cause the phone to lock completely before you get anywhere.
If you have the phone and not the owner, then he will simply wipe the phone remotely before you've even managed to complete your first cast (though sensibly you'd probably try to cast as many as you can in one go).
I thought changing the fingerprint reader might be a way in, but apparently the phone makes a component check and bricks itself, so we recently discovered.
No, it doesn't take days. A university researcher demonstrated doing it using a fingerprint lifted from the actual phone and it took a a few hours. The capabilities available to security services for 'national security' cases go way beyond that, besides they had the corpse and didn't need to lift a print of anywhere. It might destroy the print on the phone but the process gives you a physical model of the print so you still have that.
If needed the authorities can take a HD that has been broken into pieces and stick them in a magnetic force microscope and read the bits back off, even if it was 'erased' several times before being broken up.
If they 'really' wanted the data they could just unsolder the flash chips and read out their contents directly. If he actually had encrypted the whole thing it might take an extra hour or so for the NSA. THE NSA says basically that you can't really wipe Flash at all and the only way to safely dispose of flash memory is to grind the chips into dust.
I think this FBI person needs to talk to the right people.
Although most of what you are saying is basically true in general, if the device is an iPhone, Apple explains how they defeat the attack you describe on the flash storage in the iOS Security Guide. Latest version is September 2015.
In short, if someone removes the flash storage for an offline attack, they need to brute force at least 2, AES 256 keys in order to decrypt each file. Depending on which files they want, they may need more than this.
Whilst one of those keys has partial relation to the user passcode, the other is completely random generated in hardware .
That makes it exceedingly difficult to guess. The time to guess it, using every computer on the planet, is likely longer than the time till the heat death of the universe, after all the stars have faded away and died. The amount of energy required is equivalent to the sun going supernovae hundreds of times. (See Applied Cryptography by Bruce Schiener for the full maths on this)
Fingerprints won't necessarily work on iOS either - the TouchID sensor resets after 48 hours if you don't use it, as well as simply rebooting , so you'd need to be right on the ball to Unlock the device with the suspects finger.
Of course we don't know what phone it is at this stage, so it may not be an iPhone, but it most likely is , as the above applies to pretty much every iPhone since the 4S. (very few Android phones are running 6.0 where full disk encryption is mandatory, and most 5.0 and 5.1 devices don't have it turned on, because it slows the phone down, and kills battery life. )
"I don't want a back door... I would like people to comply with court orders, and that is the conversation I am trying to have," he explained.
You would think the Director of the FBI would understand you can't have the latter without a back door. Might as well get a court order for someone to use a time machine to prevent the attack in the first place.
No, it doesn't take days. A university researcher demonstrated doing it using a fingerprint lifted from the actual phone and it took a a few hours. The capabilities available to security services for 'national security' cases go way beyond that, besides they had the corpse and didn't need to lift a print of anywhere. It might destroy the print on the phone but the process gives you a physical model of the print so you still have that.
If needed the authorities can take a HD that has been broken into pieces and stick them in a magnetic force microscope and read the bits back off, even if it was 'erased' several times before being broken up.
If they 'really' wanted the data they could just unsolder the flash chips and read out their contents directly. If he actually had encrypted the whole thing it might take an extra hour or so for the NSA. THE NSA says basically that you can't really wipe Flash at all and the only way to safely dispose of flash memory is to grind the chips into dust.
I think this FBI person needs to talk to the right people.
Although most of what you are saying is basically true in general, if the device is an iPhone, Apple explains how they defeat the attack you describe on the flash storage in the iOS Security Guide. Latest version is September 2015.
In short, if someone removes the flash storage for an offline attack, they need to brute force at least 2, AES 256 keys in order to decrypt each file. Depending on which files they want, they may need more than this.
Whilst one of those keys has partial relation to the user passcode, the other is completely random generated in hardware .
That makes it exceedingly difficult to guess. The time to guess it, using every computer on the planet, is likely longer than the time till the heat death of the universe, after all the stars have faded away and died. The amount of energy required is equivalent to the sun going supernovae hundreds of times. (See Applied Cryptography by Bruce Schiener for the full maths on this)
Fingerprints won't necessarily work on iOS either - the TouchID sensor resets after 48 hours if you don't use it, as well as simply rebooting , so you'd need to be right on the ball to Unlock the device with the suspects finger.
Of course we don't know what phone it is at this stage, so it may not be an iPhone, but it most likely is , as the above applies to pretty much every iPhone since the 4S. (very few Android phones are running 6.0 where full disk encryption is mandatory, and most 5.0 and 5.1 devices don't have it turned on, because it slows the phone down, and kills battery life. )
Think I covered the decryption and 48hr aspects in posts 12 and 45.
For encryption to protect anyone, it must protect everyone.
Yeah, well there’s a difference between you protecting your drunken orgy photos and a pedophile protecting the photos of abuse of a three year old child isn’t there. And for those who are always screaming about the Fourth Amendment try reading it sometime. It has an intentional back door that the founding fathers put there so legitimate, legal search and seizure can take place.
You're straw man, false equivalence and other demagogic language tics; you can choke on them.
Then you can go work for the GOP or Putin, they're about the same these days.
Pedophiles, terrorists can just encrypt their files with whatever open source programs and dump them on a USB key and there, you're fracking FBI will be screwed. Got that!
This type of encryption is relatively new. This is the first time they have no way of accessing the information they need.
Australian researchers have recently demonstrated how to make quantum computers in silicon - easily and cheaply. Any encryption system other than a one time pad is obsolete.
Symmetric key cryptographic systems (such as the one that's being used to encrypt the iPhone) are not susceptible to attack by quantum computers. Some asymmetric key systems that rely on "difficult to solve" computation are.
Australian researchers have recently demonstrated how to make quantum computers in silicon - easily and cheaply. Any encryption system other than a one time pad is obsolete.
Symmetric key cryptographic systems (such as the one that's being used to encrypt the iPhone) are not susceptible to attack by quantum computers. Some asymmetric key systems that rely on "difficult to solve" computation are.
FBI technicians have been trying and failing to break the encryption of a phone used by the couple who killed 14 people in a terrorist attack in San Bernardino, Calif. in
If they've been identified as the killers, why do you still need access to their phone? They've already been convicted. Using their phone to track somebody else is illegal and a search warrant must be granted. If they have a search warrant, the owner must unlock the device, if the owners are dead, too bad. Why is this so difficult?
Comments
Making it public is smart, because they'll get public support. People will choose their safety over their privacy.
No such claim is made in that document. That's a guide for destroying things containing sensitive data, and I suspect they recommend grinding things up because they can't possibly write a document that covers the proper method for wiping data from the internal storage of countless different systems. The document is driven by practicality, not any fundamental technological limit.
It is possible to securely erase data from Flash/SSD devices, though the internal firmware of such devices may allow some blocks of data to remain in the redundant portions of the device. But, if you execute commands down at that firmware level, secure erasure is quite possible. If Apple were to claim that a secure wipe of an iPhone is indeed secure (and I've no idea if they do or not), I expect it would truly be secure. If you have sufficient control of the technology (and Apple does, via its Anobit acquisition), it's easy to do.
Personally, I am a physician, and as such have degrees of patient information on my phone (legitimately, in HIPAA-compliant apps). As a result, I have made it difficult to get into my phone (no 4-digit PIN, etc.).
The FBI says they are not asking for a back door, but are simply asking for Apple to comply with a court order to access data (i.e. a back door).
If the back door exists, then hackers will quickly gain access, as they always do.
At this point, they have access to patient data on my phone. Does this place me in violation of HIPAA laws because of the FBI-mandated back door? In practice, the answer is "no," since I have taken the proper safeguards, but it does not change the fact that some hacker out there has sensitive patient information.
P.S. In case people wonder why patient information would be present on a phone... we have lists of the patients we see, emergencies about patients that get documented, critical labs, etc. At least in my world, the old pager is history. Everything is done by phone now.
In short, if someone removes the flash storage for an offline attack, they need to brute force at least 2, AES 256 keys in order to decrypt each file. Depending on which files they want, they may need more than this.
Whilst one of those keys has partial relation to the user passcode, the other is completely random generated in hardware .
That makes it exceedingly difficult to guess. The time to guess it, using every computer on the planet, is likely longer than the time till the heat death of the universe, after all the stars have faded away and died. The amount of energy required is equivalent to the sun going supernovae hundreds of times. (See Applied Cryptography by Bruce Schiener for the full maths on this)
Fingerprints won't necessarily work on iOS either - the TouchID sensor resets after 48 hours if you don't use it, as well as simply rebooting , so you'd need to be right on the ball to Unlock the device with the suspects finger.
Of course we don't know what phone it is at this stage, so it may not be an iPhone, but it most likely is , as the above applies to pretty much every iPhone since the 4S. (very few Android phones are running 6.0 where full disk encryption is mandatory, and most 5.0 and 5.1 devices don't have it turned on, because it slows the phone down, and kills battery life. )
You're straw man, false equivalence and other demagogic language tics; you can choke on them.
Then you can go work for the GOP or Putin, they're about the same these days.
Pedophiles, terrorists can just encrypt their files with whatever open source programs and dump them on a USB key and there, you're fracking FBI will be screwed. Got that!
San Bernardino surveillance video released on 02/05/16.
https://www.youtube.com/watch?v=tHH7gvHXLzQ
Why are the "terrorists" driving slowly with their Hazard Lights on??
The FBI probably has one guy in the back room punching in possible passwords on the device's touchscreen.