"In the government’s Friday filing, the Justice Department acknowledged that the password was re-set in the hours after the attack by authorities with San Bernardino County. The county owned the phone and provided it to Farook for work."
USA. Today
Most people are calling this out as an idiotic thing for them to have done - however if they had NOT reset the password for the Apple ID - an accomplice that knew the password could have triggered a remote wipe on the device. Since nobody knows for 100% certain whether there are any accomplices out there with the Apple ID password (or the capability to reset the Apple ID password), the most prudent thing for them to do to safeguard the data on the phone was to reset the password for the Apple ID.
"In the government’s Friday filing, the Justice Department acknowledged that the password was re-set in the hours after the attack by authorities with San Bernardino County. The county owned the phone and provided it to Farook for work."
USA. Today
Most people are calling this out as an idiotic thing for them to have done - however if they had NOT reset the password for the Apple ID - an accomplice that knew the password could have triggered a remote wipe on the device. Since nobody knows for 100% certain whether there are any accomplices out there with the Apple ID password (or the capability to reset the Apple ID password), the most prudent thing for them to do to safeguard the data on the phone was to reset the password for the Apple ID.
The FBI should have gone to Apple quick and simply demanded that nothing regarding the phone should be changed (freezing it's status). I'm sure Apple would have complied with, probably even without a court order. Don't know why the hell it was that long before they talked to Apple; bureaucratic morass? Seems they didn't really know much about the Iphone and it's security model at all. Also, if the county had the Apple ID, could the terrorists do this remote wipe? I don't think so.
I started off being 100% behind Apple on this issue, but the longer this conversation goes on, the more clearly I'm able to see both sides.
From what I understand, it is within the governments authority "in some cases", with the proper warrants - to search and seize all of the property of an individual. But to properly debate the issue, we should probably separate the issue itself from this one specific case - since it just complicates things.
So - assuming a situation arises (because it will) in which the FBI does have a justified reason and a legitimate warrant to search the contents of an individual's smart phone. How is this different conceptually from a warrant to search someone's home or to place wiretaps on their phones? These practices have been occurring for decades and they have been able to compel the phone company into creating a mechanism for them to do so. So - as much as we all despise the idea of it - what makes it significantly different with Apple and smartphones? Why can't Apple be court-ordered to provide access? (Off topic, but what do Microsof, Symantec and other full-disk encryption providers do to comply in the PC World?)
If they were asking for hooks to be built into iOS that would allow them to pull data remotely off of a smartphone, that would be completely unacceptable for many reasons - but especially because those hooks would always be there for hackers, thieves and foreign governments to attack and leverage.
But - if we resign ourselves to the fact that the government can and will legislate a requirement to provide some type of assistance - what kind of system could they create that would protect individuals from hackers and foreign governments while still complying with a legal requirement to help law enforcement agencies?
To that end - unless somebody can point out a serious flaw with the approach - I'm thinking I could probably live with something like this: 1. Apple creates a completely new bootable image - (not a customized version of iOS ). The OS would be extremly minimal in its capabilities - no networking, no Bluetooth, no nothing really. 2. The only thing this bootable image could/would do is to ignore the auto-wipe after 10 bad attempts rule and run a brute force attack on the password/passcode. I read that a 4 digit passcode could be cracked in about 30 min. ( a "good", long password/passphrase that has a mix of letters, numbers, special chars and avoids use of words in the dictionary could take many years to crack.) 3. The software described above would only boot-up if a valid hardware key fob with a signed certificate (that could be revoked) was plugged into the lightning port. 4. The key fob would be "configured" for the specific target device by downloading a certificate from Apple and copying it to the key fob. Each individual iOS device would require its own unique certificate. 5. After the passcode is cracked, the law enforcement agency would be able to reboot the device into off the shelf iOS and unlock it with the passcode. 6. Apple would be reimbursed for the cost of creating this process and maintaining it. I think a fair hourly rate for each employee required to work on it would be the same rate the government approved for the court-appointed monitor in the e-books incident. It's obvious they think that rate is reasonable for a specialized consultant!
The approach has the following advantages. It would: 1. Provide oversight by Apple since a certificate would need to be generated by them for the specific device named in the warrant. Certificates would not be issued without the presentation of a valid warrant. 2. Not require any updates to iOS itself. 3. Require that law enforcement have physical possession of the device. (No remote attacks possible) 4. Enable us to keep our devices secure by choosing a "good" passphrase. 5. Only work on one device at a time 6. Not be possible for hackers to compromise 7. Require both a certificate AND a custom key fob (2 factor authentication)
The issues about whether the government has the "right" to do this or not and the preservation of the constitutional rights is one for the courts. I'm glad that Apple is standing up for our rights, but there is only so much that they, as a corporation can and should do. If actual laws are passed - Apple will be forced to comply with those laws. Let's hope that they find a way to do so that continues to protect our rights and ensures that our data remains secure.
Most people are calling this out as an idiotic thing for them to have done - however if they had NOT reset the password for the Apple ID - an accomplice that knew the password could have triggered a remote wipe on the device. Since nobody knows for 100% certain whether there are any accomplices out there with the Apple ID password (or the capability to reset the Apple ID password), the most prudent thing for them to do to safeguard the data on the phone was to reset the password for the Apple ID.
The FBI should have gone to Apple quick and simply demanded that nothing regarding the phone should be changed (freezing it's status). I'm sure Apple would have complied with, probably even without a court order. Don't know why the hell it was that long before they talked to Apple; bureaucratic morass? Seems they didn't really know much about the Iphone and it's security model at all. Also, if the county had the Apple ID, could the terrorists do this remote wipe? I don't think so.
If the end user knew the password for the Apple ID, he could have shared it with anybody. Anybody with the Apple ID password can go into Find My IPhone and initiate a remote wipe.
Am I to understand that this guys employer was a government agency and that they did NOT have any kind of MDM (Mobile Device Management) solution assisting them with the management of the devices they issued to their employees? That's kind of irresponsible on its own, isn't it? Most companies would funnel all web traffic on a business computer, tablet or phone through a corporate web-proxy - in which case they'd know every web site the guy visited - some companies don't allow any internet communications unless it's funneled through a VPN connection connecting the decide to their corporate network. That would have logged not only the websites he visited but ALL of his Internet traffic (i.e. Whatsapp, BBM, Netflix, Yelp, etc) including the traffic created by apps.
"In the government’s Friday filing, the Justice Department acknowledged that the password was re-set in the hours after the attack by authorities with San Bernardino County. The county owned the phone and provided it to Farook for work."
USA. Today
Most people are calling this out as an idiotic thing for them to have done - however if they had NOT reset the password for the Apple ID - an accomplice that knew the password could have triggered a remote wipe on the device. Since nobody knows for 100% certain whether there are any accomplices out there with the Apple ID password (or the capability to reset the Apple ID password), the most prudent thing for them to do to safeguard the data on the phone was to reset the password for the Apple ID.
So, you have another Law Enforcement entity in New York that has stated it has 175 iPhones that they want to have "cracked"; I'm not seeing the same problem with those, i.e., an accomplice that knew the password could have also triggered a remote wipe. What's different? Are the all sitting a faraday cage to prevent them from seeing any RF signal?
Wouldn't it have been prudent to contact the cellular provider immediately, which would have been easy and fast for the county, and then reassign that number to another iPhone just on the off chance there was an attempt at communication? I've actually done that to my brother's iPhone when his wife used his upgrade since I'm the account holder. As for WiFi, I'd assume that it would be easy to find a secure location that the iPhone could not connect to the internet at, probably anywhere but the home or the county office, but almost certainly, a law enforcement facility.
It would be very risky for an accomplice to try this over cellular as the caller would be identified easily and quickly. A remote wipe could not happen without a secure WiFi connection for the iPhone.
Either way, Apple should have been called in immediately, which they were not.
I started off being 100% behind Apple on this issue, but the longer this conversation goes on, the more clearly I'm able to see both sides.
From what I understand, it is within the governments authority "in some cases", with the proper warrants - to search and seize all of the property of an individual. But to properly debate the issue, we should probably separate the issue itself from this one specific case - since it just complicates things.
So - assuming a situation arises (because it will) in which the FBI does have a justified reason and a legitimate warrant to search the contents of an individual's smart phone. How is this different conceptually from a warrant to search someone's home or to place wiretaps on their phones? These practices have been occurring for decades and they have been able to compel the phone company into creating a mechanism for them to do so. So - as much as we all despise the idea of it - what makes it significantly different with Apple and smartphones? Why can't Apple be court-ordered to provide access? (Off topic, but what do Microsof, Symantec and other full-disk encryption providers do to comply in the PC World?)
If they were asking for hooks to be built into iOS that would allow them to pull data remotely off of a smartphone, that would be completely unacceptable for many reasons - but especially because those hooks would always be there for hackers, thieves and foreign governments to attack and leverage.
But - if we resign ourselves to the fact that the government can and will legislate a requirement to provide some type of assistance - what kind of system could they create that would protect individuals from hackers and foreign governments while still complying with a legal requirement to help law enforcement agencies?
To that end - unless somebody can point out a serious flaw with the approach - I'm thinking I could probably live with something like this: 1. Apple creates a completely new bootable image - (not a customized version of iOS ). The OS would be extremly minimal in its capabilities - no networking, no Bluetooth, no nothing really. 2. The only thing this bootable image could/would do is to ignore the auto-wipe after 10 bad attempts rule and run a brute force attack on the password/passcode. I read that a 4 digit passcode could be cracked in about 30 min. ( a "good", long password/passphrase that has a mix of letters, numbers, special chars and avoids use of words in the dictionary could take many years to crack.) 3. The software described above would only boot-up if a valid hardware key fob with a signed certificate (that could be revoked) was plugged into the lightning port. 4. The key fob would be "configured" for the specific target device by downloading a certificate from Apple and copying it to the key fob. Each individual iOS device would require its own unique certificate. 5. After the passcode is cracked, the law enforcement agency would be able to reboot the device into off the shelf iOS and unlock it with the passcode. 6. Apple would be reimbursed for the cost of creating this process and maintaining it. I think a fair hourly rate for each employee required to work on it would be the same rate the government approved for the court-appointed monitor in the e-books incident. It's obvious they think that rate is reasonable for a specialized consultant!
The approach has the following advantages. It would: 1. Provide oversight by Apple since a certificate would need to be generated by them for the specific device named in the warrant. Certificates would not be issued without the presentation of a valid warrant. 2. Not require any updates to iOS itself. 3. Require that law enforcement have physical possession of the device. (No remote attacks possible) 4. Enable us to keep our devices secure by choosing a "good" passphrase. 5. Only work on one device at a time 6. Not be possible for hackers to compromise 7. Require both a certificate AND a custom key fob (2 factor authentication)
The issues about whether the government has the "right" to do this or not and the preservation of the constitutional rights is one for the courts. I'm glad that Apple is standing up for our rights, but there is only so much that they, as a corporation can and should do. If actual laws are passed - Apple will be forced to comply with those laws. Let's hope that they find a way to do so that continues to protect our rights and ensures that our data remains secure.
Even if you believe that Apple's stance is inappropriate, and I don't, I"m sure that you can see that this "exceptional" case isn't. The FBI is using the emotional impact of this to attempt to gain a precedent; of this there is no doubt. There's even been a suggestion by Cringely in his latest column that the FBI is doing this now because there is only 8 Justices sitting on the Supreme Court, and a 4 - 4 ruling would default to an Appeal Court decision, a likelihood that would back the FBI.
It's a land grab.
Wouldn't the prudent thing be for Congress to provide legislation with both Industry and Law Enforcement participation? Wouldn't this make better law? It will be needed either way as Apple will surely beef up its current security options for iPhone users in the next release, making it even less likely that a backdoor attempt would be successful.
As for your scenario, by definition, it too is a precedent, and there still is the potential that the technical means could get into the wild.
I've come to the conclusion that the FBI is forcing Americans into a suicide pact, so that the whole world will follow, and all of us will be at risk for our personal data security.
Most people are calling this out as an idiotic thing for them to have done - however if they had NOT reset the password for the Apple ID - an accomplice that knew the password could have triggered a remote wipe on the device. Since nobody knows for 100% certain whether there are any accomplices out there with the Apple ID password (or the capability to reset the Apple ID password), the most prudent thing for them to do to safeguard the data on the phone was to reset the password for the Apple ID.
So, you have another Law Enforcement entity in New York that has stated it has 175 iPhones that they want to have "cracked"; I'm not seeing the same problem with those, i.e., an accomplice that knew the password could have also triggered a remote wipe. What's different? Are the all sitting a faraday cage to prevent them from seeing any RF signal?
Wouldn't it have been prudent to contact the cellular provider immediately, which would have been easy and fast for the county, and then reassign that number to another iPhone just on the off chance there was an attempt at communication? I've actually done that to my brother's iPhone when his wife used his upgrade since I'm the account holder. As for WiFi, I'd assume that it would be easy to find a secure location that the iPhone could not connect to the internet at, probably anywhere but the home or the county office, but almost certainly, a law enforcement facility.
It would be very risky for an accomplice to try this over cellular as the caller would be identified easily and quickly. A remote wipe could not happen without a secure WiFi connection for the iPhone.
Either way, Apple should have been called in immediately, which they were not.
Wow. Your reply is all over the place and full of inaccuracies. Have you ever used Remote Wipe? Or find my iPhone at all? It sure doesn't sound like it.
First of all - the target phone does not require a "secure Wi-Fi connection". Any connection to the Internet is sufficient - 3G, LTE, WiFi, even Bluetooth. Where did you get the idea it has to be Wi-Fi?
As for the accomplice's Internet connection - how are they going to track him when he connects via an Internet Café for 2 minutes from somewhere overseas?
If the former owner had set up his Wi-Fi to "automatically connect" to unlocked access points or even just remembered connections, simply driving past a Mcdonalds or Starbucks could have supplied the phone with an Internet connection for long enough to receive the remote wipe command. Changing the phone number of the device does not prevent the decide from being contacted over the Internet, nor does it make the device unfindable.
I fail to see the relevance of the 175 phones you mention. Are you trying to say that since nobody wiped them, nobody would ever wipe a phone in police custody? LOL. They are completely irrelevant.
Your alternative suggestions all rely on a great deal of chance for them to work. There are so many things that *could* go wrong. The fact that they're "not likely" to go wrong doesn't really matter. Changing passwords is probably standard practice for employees that leave the company.
if you want to play Monday morning quarterback and blast them for changing the password, go ahead - but the actions they took at the time they took them were reasonable things to do from their perspective. It's not like someone made a stupid mistake that had disastrous repercussions!
Any back door is an open door that will lead to millions of identity thefts and more. This cannot happen if everyone's privacy is to be protected. The government cannot protect this if they force Apple to make that door.
Not only govt. himself but general people should come forward to increase privacy. What do you think?
So, you have another Law Enforcement entity in New York that has stated it has 175 iPhones that they want to have "cracked"; I'm not seeing the same problem with those, i.e., an accomplice that knew the password could have also triggered a remote wipe. What's different? Are the all sitting a faraday cage to prevent them from seeing any RF signal?
Wouldn't it have been prudent to contact the cellular provider immediately, which would have been easy and fast for the county, and then reassign that number to another iPhone just on the off chance there was an attempt at communication? I've actually done that to my brother's iPhone when his wife used his upgrade since I'm the account holder. As for WiFi, I'd assume that it would be easy to find a secure location that the iPhone could not connect to the internet at, probably anywhere but the home or the county office, but almost certainly, a law enforcement facility.
It would be very risky for an accomplice to try this over cellular as the caller would be identified easily and quickly. A remote wipe could not happen without a secure WiFi connection for the iPhone.
Either way, Apple should have been called in immediately, which they were not.
Wow. Your reply is all over the place and full of inaccuracies. Have you ever used Remote Wipe? Or find my iPhone at all? It sure doesn't sound like it.
First of all - the target phone does not require a "secure Wi-Fi connection". Any connection to the Internet is sufficient - 3G, LTE, WiFi, even Bluetooth. Where did you get the idea it has to be Wi-Fi?
As for the accomplice's Internet connection - how are they going to track him when he connects via an Internet Café for 2 minutes from somewhere overseas?
If the former owner had set up his Wi-Fi to "automatically connect" to unlocked access points or even just remembered connections, simply driving past a Mcdonalds or Starbucks could have supplied the phone with an Internet connection for long enough to receive the remote wipe command. Changing the phone number of the device does not prevent the decide from being contacted over the Internet, nor does it make the device unfindable.
I fail to see the relevance of the 175 phones you mention. Are you trying to say that since nobody wiped them, nobody would ever wipe a phone in police custody? LOL. They are completely irrelevant.
Your alternative suggestions all rely on a great deal of chance for them to work. There are so many things that *could* go wrong. The fact that they're "not likely" to go wrong doesn't really matter. Changing passwords is probably standard practice for employees that leave the company.
if you want to play Monday morning quarterback and blast them for changing the password, go ahead - but the actions they took at the time they took them were reasonable things to do from their perspective. It's not like someone made a stupid mistake that had disastrous repercussions!
No, I have never wiped an iPhone, but a secure location like a Law Enforcement facility would not routinely allow insecure devices onto a network, but maybe I'm wrong about that. It would be possible that an iPhone could connect to an open network, but most networks would require a password. BT has security provisions as well as limited range, so a wipe through that would be extremely unlikely. As I noted, the County could have easily and quickly disconnected the iPhone from the cellular network, your 3G, LTE connection would have absolutely failed in that case.
In truth, your scenario didn't occur. The FBI made a decision in haste without contacting Apple to have the County change the password. That created the impasse that we have today.
My point about the 175 iPhones waiting to be cracked;
I started off being 100% behind Apple on this issue, but the longer this conversation goes on, the more clearly I'm able to see both sides.
But - if we resign ourselves to the fact that the government can and will legislate a requirement to provide some type of assistance - what kind of system could they create that would protect individuals from hackers and foreign governments while still complying with a legal requirement to help law enforcement agencies?
The issues about whether the government has the "right" to do this or not and the preservation of the constitutional rights is one for the courts. I'm glad that Apple is standing up for our rights, but there is only so much that they, as a corporation can and should do. If actual laws are passed - Apple will be forced to comply with those laws. Let's hope that they find a way to do so that continues to protect our rights and ensures that our data remains secure.
The thing about this case so many people do not seem to want to acknowledge is that this is not about one phone. it's not about Apple being ordered to do this once, it's about them being ordered by courts all over the country to possibly be doing this thousands of times a year.
This idea that information can never be beyond the reach of a Judge is idiotic. The principle already exists that this is the case in that a person can know all sorts of things in their heads and it can't be forced out.
If Apple are compelled to do this, have you considered that if they believe security to be a big selling point that they may decide to remove their own technical ability to comply with such orders in the future and either come up with an A series chip where the OS can't compromise it's security or move their iOS development entirely off-shore, possibly into the hands of an autonomous self entity?
I started off being 100% behind Apple on this issue, but the longer this conversation goes on, the more clearly I'm able to see both sides.
But - if we resign ourselves to the fact that the government can and will legislate a requirement to provide some type of assistance - what kind of system could they create that would protect individuals from hackers and foreign governments while still complying with a legal requirement to help law enforcement agencies?
The issues about whether the government has the "right" to do this or not and the preservation of the constitutional rights is one for the courts. I'm glad that Apple is standing up for our rights, but there is only so much that they, as a corporation can and should do. If actual laws are passed - Apple will be forced to comply with those laws. Let's hope that they find a way to do so that continues to protect our rights and ensures that our data remains secure.
The thing about this case so many people do not seem to want to acknowledge is that this is not about one phone. it's not about Apple being ordered to do this once, it's about them being ordered by courts all over the country to possibly be doing this thousands of times a year.
This idea that information can never be beyond the reach of a Judge is idiotic. The principle already exists that this is the case in that a person can know all sorts of things in their heads and it can't be forced out.
If Apple are compelled to do this, have you considered that if they believe security to be a big selling point that they may decide to remove their own technical ability to comply with such orders in the future and either come up with an A series chip where the OS can't compromise it's security or move their iOS development entirely off-shore, possibly into the hands of an autonomous self entity?
So, we have six random individuals killed tonight in Kalamazoo, Michigan including an 8 year old girl. A mass killing is 3 or more fatalities associated with the same event according to the FBI.
The needs of the many outweigh the needs of the few, or the one.
maybe in your country. here in the US we are each born with inalienable rights. these rights are not given to us, but rather are recognized by the govt.
So - assuming a situation arises (because it will) in which the FBI does have a justified reason and a legitimate warrant to search the contents of an individual's smart phone. How is this different conceptually from a warrant to search someone's home or to place wiretaps on their phones? These practices have been occurring for decades and they have been able to compel the phone company into creating a mechanism for them to do so. So - as much as we all despise the idea of it - what makes it significantly different with Apple and smartphones? Why can't Apple be court-ordered to provide access? (Off topic, but what do Microsof, Symantec and other full-disk encryption providers do to comply in the PC World?)
[....]
The issues about whether the government has the "right" to do this or not and the preservation of the constitutional rights is one for the courts. I'm glad that Apple is standing up for our rights, but there is only so much that they, as a corporation can and should do. If actual laws are passed - Apple will be forced to comply with those laws. Let's hope that they find a way to do so that continues to protect our rights and ensures that our data remains secure.
I don't have the answer, and we're all working toward one, but I know your house search and wiretap analogy is off by an order or two of magnitude, and different in kind besides.
Inspecting your cell phone/pocket computer is like attaching a bug to your shirt that you don't know is there, which records every call you make, where you go, what you take a picture of, who and what you message, every personal waking moment of your day. Very, very different from bugging your house and your landline.
the police are assuming they have a right to search this deeply into our lives. Not at all, screams back common sense and logic. It's an unreasonable and therefore unconstitutional search. And "the courts" are not the place to decide where new lines have to be drawn, because the courts are notoriously out of touch with digital technology and its implications. Congress too.
it may be that the Internet, the tech press, the startup world, the tech companies, the campuses and the streets are the place where new privacy rights have to be defined first, which the courts then reflect. Hopefully.
Inspecting your cell phone/pocket computer is like attaching a bug to your shirt that you don't know is there, which records every call you make, where you go, what you take a picture of, who and what you message, every personal waking moment of your day. Very, very different from bugging your house and your landline.
It’s the same thing operationally, just more encompassing. It’s unconstitutional, of course, so differences don’t matter much.
I think if this was another company, people would think it prudent to help unlock phones on a court-ordered by court-ordered basis. The odds of this technology getting out are quite low.
Both sides make a great case. I just lean slightly towards national security on this one. Even with an encryption key safeguarded by the govt./FBI, I would feel like my data was safe from prying eyes.
We don't have all that much privacy out in the wild as it is. It's part of the give and take of rights vs. safety.
Do you even know what 'risk' is?
Being harmed through an act of terrorism is one of the least likely - therefore lowest risk - things that are likely to happen to someone living in a politically developed country. You are about 4 times more likely to be hit by lightning in the US than be harmed through terrorism. If it was proposed by the three letter agencies that giving them full access to all your communications and documents would allow them to reduce the chances of you being hit by lightning you would laugh - well I hope you would.
You are 33,842 times more likely to die of cancer than through terrorism, yet because the three letter agencies effectively run the country, the US government spends $500M per terrorism mortality vs $10,000 per cancer victim. Is that sane?
Somewhere between 180,000 to 440,000 people die in the US annually from preventable medical mistakes and infections. Maybe money would be better spent on educating people as to how low a risk terrorism really is and then diverting the enormous sums spent on the war-on-terror to health care. Even just being slightly more thorough in cleaning hospitals would have a greater beneficial impact than has ever been derived from the TSA groping people.
Comments
That’s poetically ironic.
I'm sure Apple would have complied with, probably even without a court order.
Don't know why the hell it was that long before they talked to Apple; bureaucratic morass?
Seems they didn't really know much about the Iphone and it's security model at all.
Also, if the county had the Apple ID, could the terrorists do this remote wipe? I don't think so.
on this issue, but the longer this conversation goes on, the more clearly I'm able to see both sides.
From what I understand, it is within the governments authority "in some cases", with the proper warrants - to search and seize all of the property of an individual. But to properly debate the issue, we should probably separate the issue itself from this one specific case - since it just complicates things.
So - assuming a situation arises (because it will) in which the FBI does have a justified reason and a legitimate warrant to search the contents of an individual's smart phone. How is this different conceptually from a warrant to search someone's home or to place wiretaps on their phones? These practices have been occurring for decades and they have been able to compel the phone company into creating a mechanism for them to do so. So - as much as we all despise the idea of it - what makes it significantly different with Apple and smartphones? Why can't Apple be court-ordered to provide access? (Off topic, but what do Microsof, Symantec and other full-disk encryption providers do to comply in the PC World?)
If they were asking for hooks to be built into iOS that would allow them to pull data remotely off of a smartphone, that would be completely unacceptable for many reasons - but especially because those hooks would always be there for hackers, thieves and foreign governments to attack and leverage.
But - if we resign ourselves to the fact that the government can and will legislate a requirement to provide some type of assistance - what kind of system could they create that would protect individuals from hackers and foreign governments while still complying with a legal requirement to help law enforcement agencies?
To that end - unless somebody can point out a serious flaw with the approach - I'm thinking I could probably live with something like this:
1. Apple creates a completely new bootable image - (not a customized version of iOS ). The OS would be extremly minimal in its capabilities - no networking, no Bluetooth, no nothing really.
2. The only thing this bootable image could/would do is to ignore the auto-wipe after 10 bad attempts rule and run a brute force attack on the password/passcode. I read that a 4 digit passcode could be cracked in about 30 min. ( a "good", long password/passphrase that has a mix of letters, numbers, special chars and avoids use of words in the dictionary could take many years to crack.)
3. The software described above would only boot-up if a valid hardware key fob with a signed certificate (that could be revoked) was plugged into the lightning port.
4. The key fob would be "configured" for the specific target device by downloading a certificate from Apple and copying it to the key fob. Each individual iOS device would require its own unique certificate.
5. After the passcode is cracked, the law enforcement agency would be able to reboot the device into off the shelf iOS and unlock it with the passcode.
6. Apple would be reimbursed for the cost of creating this process and maintaining it. I think a fair hourly rate for each employee required to work on it would be the same rate the government approved for the court-appointed monitor in the e-books incident. It's obvious they think that rate is reasonable for a specialized consultant!
The approach has the following advantages. It would:
1. Provide oversight by Apple since a certificate would need to be generated by them for the specific device named in the warrant. Certificates would not be issued without the presentation of a valid warrant.
2. Not require any updates to iOS itself.
3. Require that law enforcement have physical possession of the device. (No remote attacks possible)
4. Enable us to keep our devices secure by choosing a "good" passphrase.
5. Only work on one device at a time
6. Not be possible for hackers to compromise
7. Require both a certificate AND a custom key fob (2 factor authentication)
The issues about whether the government has the "right" to do this or not and the preservation of the constitutional rights is one for the courts. I'm glad that Apple is standing up for our rights, but there is only so much that they, as a corporation can and should do. If actual laws are passed - Apple will be forced to comply with those laws. Let's hope that they find a way to do so that continues to protect our rights and ensures that our data remains secure.
Am I to understand that this guys employer was a government agency and that they did NOT have any kind of MDM (Mobile Device Management) solution assisting them with the management of the devices they issued to their employees? That's kind of irresponsible on its own, isn't it? Most companies would funnel all web traffic on a business computer, tablet or phone through a corporate web-proxy - in which case they'd know every web site the guy visited - some companies don't allow any internet communications unless it's funneled through a VPN connection connecting the decide to their corporate network. That would have logged not only the websites he visited but ALL of his Internet traffic (i.e. Whatsapp, BBM, Netflix, Yelp, etc) including the traffic created by apps.
Wouldn't it have been prudent to contact the cellular provider immediately, which would have been easy and fast for the county, and then reassign that number to another iPhone just on the off chance there was an attempt at communication? I've actually done that to my brother's iPhone when his wife used his upgrade since I'm the account holder. As for WiFi, I'd assume that it would be easy to find a secure location that the iPhone could not connect to the internet at, probably anywhere but the home or the county office, but almost certainly, a law enforcement facility.
It would be very risky for an accomplice to try this over cellular as the caller would be identified easily and quickly. A remote wipe could not happen without a secure WiFi connection for the iPhone.
Either way, Apple should have been called in immediately, which they were not.
Even if you believe that Apple's stance is inappropriate, and I don't, I"m sure that you can see that this "exceptional" case isn't. The FBI is using the emotional impact of this to attempt to gain a precedent; of this there is no doubt. There's even been a suggestion by Cringely in his latest column that the FBI is doing this now because there is only 8 Justices sitting on the Supreme Court, and a 4 - 4 ruling would default to an Appeal Court decision, a likelihood that would back the FBI.
It's a land grab.
Wouldn't the prudent thing be for Congress to provide legislation with both Industry and Law Enforcement participation? Wouldn't this make better law? It will be needed either way as Apple will surely beef up its current security options for iPhone users in the next release, making it even less likely that a backdoor attempt would be successful.
As for your scenario, by definition, it too is a precedent, and there still is the potential that the technical means could get into the wild.
I've come to the conclusion that the FBI is forcing Americans into a suicide pact, so that the whole world will follow, and all of us will be at risk for our personal data security.
First of all - the target phone does not require a "secure Wi-Fi connection". Any connection to the Internet is sufficient - 3G, LTE, WiFi, even Bluetooth. Where did you get the idea it has to be Wi-Fi?
As for the accomplice's Internet connection - how are they going to track him when he connects via an Internet Café for 2 minutes from somewhere overseas?
If the former owner had set up his Wi-Fi to "automatically connect" to unlocked access points or even just remembered connections, simply driving past a Mcdonalds or Starbucks could have supplied the phone with an Internet connection for long enough to receive the remote wipe command. Changing the phone number of the device does not prevent the decide from being contacted over the Internet, nor does it make the device unfindable.
I fail to see the relevance of the 175 phones you mention. Are you trying to say that since nobody wiped them, nobody would ever wipe a phone in police custody? LOL. They are completely irrelevant.
Your alternative suggestions all rely on a great deal of chance for them to work. There are so many things that *could* go wrong. The fact that they're "not likely" to go wrong doesn't really matter. Changing passwords is probably standard practice for employees that leave the company.
if you want to play Monday morning quarterback and blast them for changing the password, go ahead - but the actions they took at the time they took them were reasonable things to do from their perspective. It's not like someone made a stupid mistake that had disastrous repercussions!
In truth, your scenario didn't occur. The FBI made a decision in haste without contacting Apple to have the County change the password. That created the impasse that we have today.
My point about the 175 iPhones waiting to be cracked;
http://www.select-fabricators.com/rf-emi-shielding/rf-security-stealth-solutions/lightweight-rf-shielding-pouches/
Was the FBI using something like this? I hope so, and your scenario collapses entirely in that case.
This idea that information can never be beyond the reach of a Judge is idiotic. The principle already exists that this is the case in that a person can know all sorts of things in their heads and it can't be forced out.
If Apple are compelled to do this, have you considered that if they believe security to be a big selling point that they may decide to remove their own technical ability to comply with such orders in the future and either come up with an A series chip where the OS can't compromise it's security or move their iOS development entirely off-shore, possibly into the hands of an autonomous self entity?
https://www.fbi.gov/news/stories/2014/september/fbi-releases-study-on-active-shooter-incidents/pdfs/a-study-of-active-shooter-incidents-in-the-u.s.-between-2000-and-2013
The following is based on casualties, 4 or more, including both killed and wounded but not the shooter:
https://www.washingtonpost.com/news/wonk/wp/2015/10/01/2015-274-days-294-mass-shootings-hundreds-dead/
Kind of puts the threat of terrorism in the U.S. in context with our routine mass shootings.
http://www.gunviolencearchive.org
Inspecting your cell phone/pocket computer is like attaching a bug to your shirt that you don't know is there, which records every call you make, where you go, what you take a picture of, who and what you message, every personal waking moment of your day. Very, very different from bugging your house and your landline.
the police are assuming they have a right to search this deeply into our lives. Not at all, screams back common sense and logic. It's an unreasonable and therefore unconstitutional search. And "the courts" are not the place to decide where new lines have to be drawn, because the courts are notoriously out of touch with digital technology and its implications. Congress too.
it may be that the Internet, the tech press, the startup world, the tech companies, the campuses and the streets are the place where new privacy rights have to be defined first, which the courts then reflect. Hopefully.
http://www.npr.org/2016/02/21/467547180/it-s-not-just-the-iphone-law-enforcement-wants-to-unlock