Justice Department asserts it could demand source code, signing key from Apple

24

Comments

  • Reply 21 of 72
    creek0512creek0512 Posts: 111member
    dougd said:
    Time to overthrow the God Damn government !
    We have regularly scheduled government overthrows, they are called elections.
    fracwetlanderbaconstangdasanman69bestkeptsecretnouser
  • Reply 22 of 72
    wdowellwdowell Posts: 226member
    And who in the FBI would understand how to code IOS? Would be *Hilarious* if Apple did give it to them and then the FBI botched it and wiped the phone with a bug
    baconstangnouser
  • Reply 23 of 72
    ceek74ceek74 Posts: 324member
    creek0512 said:
    dougd said:
    Time to overthrow the God Damn government !
    We have regularly scheduled government overthrows, they are called elections.
    Yeah, everyone's chance to "vote" for the least worst candidate.  Like elections aren't rigged.  They do make many people feel "empowered" though.
  • Reply 24 of 72
    farmboyfarmboy Posts: 152member
    dinoone said:
    Apple has likely erased the source code for iOS 8 when it released iOS 9. And portions of iOS may belong to non-US Apple international subsidiaries, where US judicial system orders have no validity (jurisdiction). Oops...
    No, that would all be archived. Nothing can ever be erased for legal and quality system reasons. 
    baconstang
  • Reply 25 of 72
    The assumption that you could just hand over the entire source code to an iPhone and makes sense of it in a reasonable time is ludicrous. This is the same government that cannot roll out a health care website, but would be trying to understand and repurpose an entire operating system. And I'm sure there will be plenty of Apple engineers to jump ship to a government salary to help explain it to them.
    baconstang
  • Reply 26 of 72
    quinneyquinney Posts: 2,528member
    I would love to watch members of Congress debate whether Apple should be nationalized.  They could get the source code for iOS and Mac OS and enough money to pay for another small invasion.
    ceek74designr
  • Reply 27 of 72
    spacekidspacekid Posts: 183member
    designr said:
    And how would that stop them demanding the code?

    Not sure it can stop the demand, but it could provide legal protection from actually getting it. I'm not sure how international law handles these things.
    Then the US could prohibit sales of iPhones in the US and perhaps other countries that support the US.
  • Reply 28 of 72
    spacekidspacekid Posts: 183member
    designr said:

    Not sure it can stop the demand, but it could provide legal protection from actually getting it. I'm not sure how international law handles these things.
    Unless it's covered by such treaties such a TTP. In this scenario I could see Apple having a bad time conducting business in the USA, but it won't get to that point either it goes through all the legal hurdles and Apple complies or Apple wins and nothing changes.
    If Apple wins, Congress can make it law that they have to do what the FBI is requesting.
  • Reply 29 of 72
    hydrogenhydrogen Posts: 314member
    The source code is useless without the expertise of the ones who created it.
  • Reply 30 of 72
    foggyhillfoggyhill Posts: 4,767member
    spacekid said:
    designr said:

    Not sure it can stop the demand, but it could provide legal protection from actually getting it. I'm not sure how international law handles these things.
    Then the US could prohibit sales of iPhones in the US and perhaps other countries that support the US.
    Then, Apple relocates and lobbies the other countries stop the sales of whatever the US is selling and you have a god damn mess.
    This kind of thing never goes well with anyone.
    Between killing tens of billions of dolllars and tens of thousands of high paying jobs going into the US economy and starting a global trade war, I'm sure "maybe" preventing one crime every decade will be worth it.
    latifbplostkiwi
  • Reply 31 of 72
    foggyhillfoggyhill Posts: 4,767member
    spacekid said:
    Unless it's covered by such treaties such a TTP. In this scenario I could see Apple having a bad time conducting business in the USA, but it won't get to that point either it goes through all the legal hurdles and Apple complies or Apple wins and nothing changes.
    If Apple wins, Congress can make it law that they have to do what the FBI is requesting.
    So, if the supreme court sides with Apple congress can go around that? WTF are you talking about.
    baconstang
  • Reply 32 of 72
    jungmarkjungmark Posts: 6,926member
    Obama's DOJ is acting like the mob. 

    "It'll be a shame if your Apple Store is shut down for various violations. You know what I'm saying?" 
    designrration allostkiwi
  • Reply 33 of 72
    mcarlingmcarling Posts: 1,106member
    In theory, with source code and a signing key, the Justice Department could break into any iPhone.  The question is whether or not they have enough competence to do so before the heat death of the universe.  The bad news is that that both would leak and every criminal hacker would be able to break into any iPhone.
    fastasleepbaconstang
  • Reply 34 of 72
    ceek74ceek74 Posts: 324member
    This is exactly why companies like Apple keep their funds offshore.  Imagine Apple pulling the plug?
    ewtheckman
  • Reply 35 of 72
    tmaytmay Posts: 6,311member
    foggyhill said:
    spacekid said:
    If Apple wins, Congress can make it law that they have to do what the FBI is requesting.
    So, if the supreme court sides with Apple congress can go around that? WTF are you talking about.
    I'm hoping that Congress can create new legislation favorable to encryption; otherwise, the DOJ will be working overtime to come up with more cases. The Supreme Court would, at this point, only be considering All Writs as a legal framework for warrants, and that would be too narrow even if it was in Apple's favor.

    Darrel Issa has been known to push his political agenda, but in this case, he may actually be the one to pull this all together.
    latifbp
  • Reply 36 of 72
    ChasVSChasVS Posts: 2member
    Yeah, we don't need to follow the CONSTITUTIONAL Protection from Unreasonable Search and Seizure, we're just looking out for you!
    lordjohnwhorfintallest skilbaconstang
  • Reply 37 of 72
    MarvinMarvin Posts: 15,310moderator
    dinoone said:
    Apple has likely erased the source code for iOS 8 when it released iOS 9. And portions of iOS may belong to non-US Apple international subsidiaries, where US judicial system orders have no validity (jurisdiction). Oops...
    They have stored the source code on a locked iPhone.

    It will be on encrypted storage of some kind but not likely ones that have an erase feature. The source code request was suggested by Darrell Issa who was defending Apple:

    http://qz.com/628745/i-have-no-idea-the-fbi-director-at-the-apple-judiciary-hearing-gets-schooled-on-security-tech-by-a-congressman/

    but this would be a worse outcome for Apple. The raw effort that Apple puts into building a cracking tool is not the issue here. That effort involves ensuring that they don't build something that undermines the security of every other iPhone. Giving away the source code and signing key allows the FBI to do that damage, not caring what it does to iPhones around the world. The FBI can 'mistakingly' upload the source code or key somewhere and wreck the security of every iPhone and they'd never be held accountable for it, they'd just play dumb like they always do. That would allow them to plant bugging software/malware on iPhones. The code wouldn't be the whole iOS code, just the encryption code and maybe some firmware.

    The least negative outcome for Apple while still allowing the FBI to continue the investigation would be to find a way to extract an encrypted image from the phone and hand it over to the FBI to try and brute-force it. It uses a hardware encryption key that is part of the CPU (secure enclave) to unlock it but they can still hand over the heavily encrypted data. If the FBI can't break that, that's their failure. Some iPhone security details are in the following document:

    https://www.apple.com/business/docs/iOS_Security_Guide.pdf

    "The device’s unique ID (UID) and a device group ID (GID) are AES 256-bit keys fused (UID) or compiled (GID) into the application processor and Secure Enclave during manufacturing. No software or firmware can read them directly; they can see only the results of encryption or decryption operations performed by dedicated AES engines implemented in silicon using the UID or GID as a key. Additionally, the Secure Enclave’s UID and GID can only be used by the AES engine dedicated to the Secure Enclave. The UIDs are unique to each device and are not recorded by Apple or any of its suppliers. The GIDs are common to all processors in a class of devices (for example, all devices using the Apple A8 processor), and are used for non security-critical tasks such as when delivering system software during installation and restore. Integrating these keys into the silicon helps prevent them from being tampered with or bypassed, or accessed outside the AES engine. The UIDs and GIDs are also not available via JTAG or other debugging interfaces.
    The UID allows data to be cryptographically tied to a particular device. For example, the key hierarchy protecting the file system includes the UID, so if the memory chips are physically moved from one device to another, the files are inaccessible. The UID is not related to any other identifier on the device."

    They use multiple layers of 256-bit keys in a combination and removing any of the layers breaks the overall key. When they need to do a full disk wipe, they don't have to overwrite the whole drive because the data is already scrambled with the keys. They just overwrite a single key in the hierarchy.

    Separating the data from the keys doesn't mean that the data is inaccessible, it can still be brute-forced. It just means that brute-forcing would take forever. The same would be true if the FBI recovered a 2048-bit encrypted drive though. Intelligence agencies have bypassed this level of encryption online by finding flaws in the software used to encrypt it:

    http://www.newyorker.com/tech/elements/how-the-n-s-a-cracked-the-web

    If a terrorist or other suspected criminal used a 3rd party encryption software with no known flaws and only they knew the key, there would be nothing anyone could do.

    - Apple making custom software to override the security features on one phone sets a precedent for trivially overriding the security on all phones and the software could end up in the wrong hands. An employee who wrote it leaving Apple could accidentally or deliberately leak it or rewrite it.
    - Apple making custom brute-forcing software using extracted keys limits the security impact but still sets a precedent and would place an undue burden on them to unlock every phone.
    - Apple extracting heavily encrypted raw data from the NAND chips would be almost impossible for the FBI to break but it's no different from them recovering a 2048-bit encrypted drive and Apple could do this on hundreds of phones without much effort and leave the burden to the FBI/NSA/whoever.

    If Apple just gives them the encrypted data, they are no longer the gatekeeper to the data. The FBI can try and brute-force it all year long. The combined key will be a certain length so they just start firing those numbers at random at the data. Tim Cook should however encrypt a 16GB or so archive full of a picture of him mooning them and hand that over instead so after a year of brute-forcing they get the only backdoor they deserve.
    edited March 2016 baconstangration al
  • Reply 38 of 72
    Well then FBI, federal justice dept, etc. I might just have to take you to the European court of human rights. Of the following 

    1. Compromising my data security - re data protection act. You not apple will be responsible 
    2. Anti competitive activities - in that by doing this you will give other companies not asked for this information an unfair advantage 
    3. Acting on accounts outside of your durastiction - i.e any non US accounts
    4. Acting on a company outside of your durastiction I.e. Apple's registered headquarters I think is still Ireland (for tax purposes maybe) so the durastiction could be argued to be in the EU not the US. 
    5. And just because everyone else in this farce is being silly (not this forum) wait until campus 6. is complete and Apple will take of Literally (lol?) 

    Rant over guys sorry I hope he last point bought some humour at least because some of the law enforcements arguments certainly seem laughable to me. 
    palomine
  • Reply 39 of 72
    linkmanlinkman Posts: 1,035member
    This move by the DOJ is a bluff. They don't intend to follow through with it. But in doing so they have lessened faith and credit in the US government. Actions like this combined with the brinkmanship of the US congress in budgeting and surmounting national debt ($19.1 trillion as of right now but it's hard to keep current with that out of control figure) are turning this country into a place unfavorable to business.
    latifbp
  • Reply 40 of 72
    jungmarkjungmark Posts: 6,926member
    designr said:
    tmay said:
    I'm hoping that Congress can create new legislation favorable to encryption;
    I'm wondering what that would look like.

    At this point the "genie is out of the bottle". We have encryption. In fact, the primary case with Apple/FBI is not even really about the encryption as it is about the passcode retry limit. I expect Apple to plug that hole in the next OS to the point where they can legitimately say we literally cannot break into the phone. Period. At that point any LE request to break in will be akin to saying "make gravity not so."

    So what would legislation "favorable to encryption" look like other than "stop annoying these companies with these fruitless and impossible demands"? I suppose it could be a clearly stated legal immunity from LE for creating and selling strongly encrypted devices and services.
    How about "Strong encryption is legal and should not have any deliberate backdoors." 
    designrewtheckman
Sign In or Register to comment.