US Department of Justice files motion to force Apple to crack terrorist's iPhone


Comments

  • Reply 121 of 127
    dewme Posts: 6,110 member
    Not meaning to offend anyone ... but one of the root causes of the problem here has to do with government/military/civil-service culture and the huge disparity between the compensation of top-notch technical professionals in private industry versus the government. If you are at the top of your class or recognized skill set in most any technical profession you are probably not going to take a job working for a government agency. The pay generally sucks at every level compared to private industry and bureaucracy is stifling and an innovation killer. Much of the juicy technical work gets farmed out to hired guns in private industry so many technical professionals in government agencies end up in oversight, monitoring, and program/project management roles rather than diving deep in technically complex challenges. What ends up happening is that the government agencies are not exactly skimming from the cream of the crop to fill out the ranks in early career roles, seasoned professionals bail out for greener pastures, many others settle into the bureaucratic cocoon, and then there are the most dangerous ones that stay around for the power trip.

    The ones we fear and hear about are the ones who've ridden the power trip to high levels of authority and have a dedicated staff of minions that jump when they say "jump" and dutifully do whatever they're asked to do, whether it's right, wrong, or somewhere in the fuzzy middle of moral and legal technicalities. Because it's a closed and detached society that lives on the fringes of the law and they're still working for relative squat compensation compared to their industry peers they develop a disdain for anyone outside their bubble. That includes private industry entities they don't control, civilians, courts, foreigners, ... or basically anyone or any agency that doesn't react immediately when they say "jump." Basically you're dealing with people with lots of authority and subpar technical credentials who believe they can justify whatever they deem to be within their sphere of influence. This may sound really bad, but in a complex world where there are lots of people who don't play by any rules - you need some unsavory people like this around. But they need to be moderated and balanced out by people who aren't inside their bubble and who have a broader and more informed legal and technical perspective. That's where the President, Congress, and the Justice department need to intervene and apply some thoughtful restraints and listen to people in industry who have a deeper understanding of the real technical issues at hand and consequences of actions being suggested in knee-jerk "jump" fashion by the FBI and DOJ. From everything I've read it sounds like Apple has tried to be a cooperative partner but the government agencies involved are blinded by their desire to fire before aiming. It looks like a classic ready-fire-aim scenario so the real question is whether it's just blind stupidity, ignorance, or whether there is actually an ulterior motive involved, i.e., installing a government backdoor on our phones.

    It sounds like the FBI/DOJ people believe that there is some sort of registry key or place in memory in Apple's software/firmware that sets the limit on how many login retries are allowed. Anyone who's done anything non-trivial with design-for-security knows that doing something so naively simple would be a security disaster. This lack of understanding reinforces my belief that we have government agencies and political leaders who are grotesquely out of touch with the technical complexities of the systems that power our modern society including banking and vital infrastructure. They fear science but believe in unicorns and fairy tales. But they are the ones calling the shots and the public at large is blissfully going along for the ride. This does not bode well for the sustainability of the US. We need a massive repartitioning and reformatting of our society to flush all the idiots and ignoramuses from the controls. 

  • Reply 122 of 127
    It's kind of scary to think that Apple could push an iOS update to a locked phone that would then disable the password security. If Apple could do it, why couldn't a hacker looking to take possession of my iPhone?
    I'm a bit late to the game here but: Apple actually *cannot* do what you're worried about (well, they can, by (for example) pushing out an update that has encryption disabled entirely but still saying that the phone is encrypted, or by pushing out an update that has an actual back door into the encryption (these are things that *any* provider of an encrypted product can do)) but that's not actually what the FBI is asking for in this case. (Even then, Apple could not apply such a back door retroactively without knowing the passcode.)

    In this case, the FBI is asking for an iOS version that has no "self destruct" and no delay between incorrect passcode guesses. This is only of value to the FBI because (presumably) the phone has a simple (4 digit) passcode. If the phone has a long, alphanumeric passcode, then what is being asked for is of no practical value. That's how encryption works; a weak secret (password) results in easy decryption, but a strong secret makes it *extremely* difficult (practically impossible) to decrypt without knowing the password.

    This is why TouchID (and technologies like it) are so important; they make using strong passwords practical. My phone currently has a passcode that's 19 (I think) alphanumeric+symbols digits. Even if the FBI were to get Apple to install a modified version of iOS on my phone, they would still have to brute force attack my passcode, something that is (I think, though I haven't worked out the entropy) as difficult as brute force attacking the 256 bit AES key that is actually being used to encrypt the data on my phone. 

    Another way of looking at this is that the FBI is asking for Apple to provide something that makes the iOS encrypted data "only" as secure as Apple's FileVault. (Of course, the fact that nearly everyone uses 4-digit numeric passcodes makes it really easy to break into the phone without Apple's built-in restrictions.)

    Anyone who wants to protect themselves from this kind of intrusion can do so by creating and using a "strong" passcode. 

    To me, the more troubling part of all of this is that if Apple is forced to comply with the FBI, there could be a legal precedent set that would lead to the mandating of actual back doors in encrypted products. Ultimately, that's no good for anyone, not even those who would seem to benefit in the short term. 
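The entropy comparison that Reply 122 leaves unworked, as an added example that is not part of the original thread. It assumes uniformly random passcodes and a per-guess cost of 0.08 s; both are assumptions made here, since the page states neither.

```python
import math

# Assumption: the page gives no per-guess cost. 0.08 s is a constructed
# placeholder for one on-device key-derivation attempt with no added delay.
ASSUMED_SECONDS_PER_GUESS = 0.08
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed policy set: name -> (alphabet size, passcode length).
POLICIES = {
    "4-digit numeric": (10, 4),
    "6-digit numeric": (10, 6),
    "8-char alphanumeric": (62, 8),
    "19-char printable ASCII": (95, 19),
}

def entropy_bits(alphabet, length):
    """Bits of entropy for a uniformly random passcode."""
    return length * math.log2(alphabet)

def worst_case_seconds(alphabet, length, per_guess=ASSUMED_SECONDS_PER_GUESS):
    """Time to try every candidate once retry limits and delays are gone."""
    return (alphabet ** length) * per_guess

def min_length_for_bits(alphabet, bits):
    """Shortest random passcode whose keyspace is at least 2**bits."""
    length, space = 0, 1
    while space < 2 ** bits:  # exact integer comparison, no float rounding
        space *= alphabet
        length += 1
    return length

def report(policies=POLICIES):
    """Return (name, entropy bits, worst-case seconds, worst-case years)."""
    rows = []
    for name, (alphabet, length) in policies.items():
        secs = worst_case_seconds(alphabet, length)
        rows.append((name, round(entropy_bits(alphabet, length), 1),
                     secs, secs / SECONDS_PER_YEAR))
    return rows

if __name__ == "__main__":
    for name, bits, secs, years in report():
        print(f"{name:26s} {bits:6.1f} bits  {secs:.3g} s  ({years:.3g} years)")
    print("printable-ASCII length matching a 256-bit key:",
          min_length_for_bits(95, 256))
```

Under these assumptions the 4-digit keyspace is exhausted in about 13 minutes, while 19 random printable characters carry roughly 125 bits; human-chosen passcodes carry less than the uniform figure.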
  • Reply 123 of 127
    dewme said:
    We need a massive repartitioning and reformatting of our society to flush all the idiots and ignoramuses from the controls. 
    That’s the nice way of saying, “A fair few people are going to die and the world will be better off for it.”
  • Reply 124 of 127
    chris_ca Posts: 2,543 member
    dewme said:
    Not meaning to offend anyone ... 

    “but I’ll go ahead and do it anyway”?
  • Reply 125 of 127
    chris_ca said:
    “but I’ll go ahead and do it anyway”?
    I’m vehemently opposed to just about everything that Fry believes… except this.

    [Attached image: 0e0.jpg]
  • Reply 126 of 127
    sree Posts: 154 member
    The US government and FBI are being quite stupid here. They are just opening the door for countries like China. Once Apple agrees to a backdoor for the US, they have no choice but to agree to the same for China. There is very little the US will gain from this, and a lot it will lose.