Justice Department asserts it could demand source code, signing key from Apple

135

Comments

  • Reply 41 of 82
    ceek74ceek74 Posts: 324member
    This is exactly why companies like Apple keep their funds offshore.  Imagine Apple pulling the plug?
    ewtheckman
  • Reply 42 of 82
    designrdesignr Posts: 673member
    mcarling said:
    In theory, with source code and a signing key, the Justice Department could break into any iPhone.  The question is whether or not they have enough competence to do so before the heat death of the universe.  The bad news is that that both would leak and every criminal hacker would be able to break into any iPhone.
    Someone here more knowledgeable than me can probably answer this:

    Could Apple generate a new key and do some kind of mass update to devices that would, in effect, invalidate the compromised key?

    lordjohnwhorfin
  • Reply 43 of 82
    tmaytmay Posts: 5,716member
    foggyhill said:
    spacekid said:
    If Apple wins, Congress can make it law that they have to do what the FBI is requesting.
    So, if the supreme court sides with Apple congress can go around that? WTF are you talking about.
    I'm hoping that Congress can create new legislation favorable to encryption; otherwise, the DOJ will be working overtime to come up with more cases. The Supreme Court would, at this point, only be considering All Writs as a legal framework for warrants, and that would be too narrow even if it was in Apple's favor.

    Darrel Issa has been known to push his political agenda, but in this case, he may actually be the one to pull this all together.
    latifbp
  • Reply 44 of 82
    ChasVSChasVS Posts: 2member
    Yeah, we don't need to follow the CONSTITUTIONAL Protection from Unreasonable Search and Seizure, we're just looking out for you!
    lordjohnwhorfintallest skilbaconstang
  • Reply 45 of 82
    MarvinMarvin Posts: 14,731moderator
    dinoone said:
    Apple has likely erased the source code for iOS 8 when it released iOS 9. And portions of iOS may belong to non-US Apple international subsidiaries, where US judicial system orders have no validity (jurisdiction). Oops...
    They have stored the source code on a locked iPhone.

    It will be on encrypted storage of some kind but not likely ones that have an erase feature. The source code request was suggested by Darrell Issa who was defending Apple:

    http://qz.com/628745/i-have-no-idea-the-fbi-director-at-the-apple-judiciary-hearing-gets-schooled-on-security-tech-by-a-congressman/

    but this would be a worse outcome for Apple. The raw effort that Apple puts into building a cracking tool is not the issue here. That effort involves ensuring that they don't build something that undermines the security of every other iPhone. Giving away the source code and signing key allows the FBI to do that damage, not caring what it does to iPhones around the world. The FBI can 'mistakingly' upload the source code or key somewhere and wreck the security of every iPhone and they'd never be held accountable for it, they'd just play dumb like they always do. That would allow them to plant bugging software/malware on iPhones. The code wouldn't be the whole iOS code, just the encryption code and maybe some firmware.

    The least negative outcome for Apple while still allowing the FBI to continue the investigation would be to find a way to extract an encrypted image from the phone and hand it over to the FBI to try and brute-force it. It uses a hardware encryption key that is part of the CPU (secure enclave) to unlock it but they can still hand over the heavily encrypted data. If the FBI can't break that, that's their failure. Some iPhone security details are in the following document:

    https://www.apple.com/business/docs/iOS_Security_Guide.pdf

    "The device’s unique ID (UID) and a device group ID (GID) are AES 256-bit keys fused (UID) or compiled (GID) into the application processor and Secure Enclave during manufacturing. No software or firmware can read them directly; they can see only the results of encryption or decryption operations performed by dedicated AES engines implemented in silicon using the UID or GID as a key. Additionally, the Secure Enclave’s UID and GID can only be used by the AES engine dedicated to the Secure Enclave. The UIDs are unique to each device and are not recorded by Apple or any of its suppliers. The GIDs are common to all processors in a class of devices (for example, all devices using the Apple A8 processor), and are used for non security-critical tasks such as when delivering system software during installation and restore. Integrating these keys into the silicon helps prevent them from being tampered with or bypassed, or accessed outside the AES engine. The UIDs and GIDs are also not available via JTAG or other debugging interfaces.
    The UID allows data to be cryptographically tied to a particular device. For example, the key hierarchy protecting the file system includes the UID, so if the memory chips are physically moved from one device to another, the files are inaccessible. The UID is not related to any other identifier on the device."

    They use multiple layers of 256-bit keys in a combination and removing any of the layers breaks the overall key. When they need to do a full disk wipe, they don't have to overwrite the whole drive because the data is already scrambled with the keys. They just overwrite a single key in the hierarchy.

    Separating the data from the keys doesn't mean that the data is inaccessible, it can still be brute-forced. It just means that brute-forcing would take forever. The same would be true if the FBI recovered a 2048-bit encrypted drive though. Intelligence agencies have bypassed this level of encryption online by finding flaws in the software used to encrypt it:

    http://www.newyorker.com/tech/elements/how-the-n-s-a-cracked-the-web

    If a terrorist or other suspected criminal used a 3rd party encryption software with no known flaws and only they knew the key, there would be nothing anyone could do.

    - Apple making custom software to override the security features on one phone sets a precedent for trivially overriding the security on all phones and the software could end up in the wrong hands. An employee who wrote it leaving Apple could accidentally or deliberately leak it or rewrite it.
    - Apple making custom brute-forcing software using extracted keys limits the security impact but still sets a precedent and would place an undue burden on them to unlock every phone.
    - Apple extracting heavily encrypted raw data from the NAND chips would be almost impossible for the FBI to break but it's no different from them recovering a 2048-bit encrypted drive and Apple could do this on hundreds of phones without much effort and leave the burden to the FBI/NSA/whoever.

    If Apple just gives them the encrypted data, they are no longer the gatekeeper to the data. The FBI can try and brute-force it all year long. The combined key will be a certain length so they just start firing those numbers at random at the data. Tim Cook should however encrypt a 16GB or so archive full of a picture of him mooning them and hand that over instead so after a year of brute-forcing they get the only backdoor they deserve.
    edited March 2016 baconstangration al
  • Reply 46 of 82
    designrdesignr Posts: 673member
    tmay said:
    foggyhill said:
    So, if the supreme court sides with Apple congress can go around that? WTF are you talking about.
    I'm hoping that Congress can create new legislation favorable to encryption;
    I'm wondering what that would look like.

    At this point the "genie is out of the bottle". We have encryption. In fact, the primary case with Apple/FBI is not even really about the encryption as it is about the passcode retry limit. I expect Apple to plug that hole in the next OS to the point where they can legitimately say we literally cannot break into the phone. Period. At that point any LE request to break in will be akin to saying "make gravity not so."

    So what would legislation "favorable to encryption" look like other than "stop annoying these companies with these fruitless and impossible demands"? I suppose it could be a clearly stated legal immunity from LE for creating and selling strongly encrypted devices and services.
  • Reply 47 of 82
    Well then FBI, federal justice dept, etc. I might just have to take you to the European court of human rights. Of the following 

    1. Compromising my data security - re data protection act. You not apple will be responsible 
    2. Anti competitive activities - in that by doing this you will give other companies not asked for this information an unfair advantage 
    3. Acting on accounts outside of your durastiction - i.e any non US accounts
    4. Acting on a company outside of your durastiction I.e. Apple's registered headquarters I think is still Ireland (for tax purposes maybe) so the durastiction could be argued to be in the EU not the US. 
    5. And just because everyone else in this farce is being silly (not this forum) wait until campus 6. is complete and Apple will take of Literally (lol?) 

    Rant over guys sorry I hope he last point bought some humour at least because some of the law enforcements arguments certainly seem laughable to me. 
    palomine
  • Reply 48 of 82
    linkmanlinkman Posts: 1,026member
    This move by the DOJ is a bluff. They don't intend to follow through with it. But in doing so they have lessened faith and credit in the US government. Actions like this combined with the brinkmanship of the US congress in budgeting and surmounting national debt ($19.1 trillion as of right now but it's hard to keep current with that out of control figure) are turning this country into a place unfavorable to business.
    latifbp
  • Reply 49 of 82
    jungmarkjungmark Posts: 6,918member
    designr said:
    tmay said:
    I'm hoping that Congress can create new legislation favorable to encryption;
    I'm wondering what that would look like.

    At this point the "genie is out of the bottle". We have encryption. In fact, the primary case with Apple/FBI is not even really about the encryption as it is about the passcode retry limit. I expect Apple to plug that hole in the next OS to the point where they can legitimately say we literally cannot break into the phone. Period. At that point any LE request to break in will be akin to saying "make gravity not so."

    So what would legislation "favorable to encryption" look like other than "stop annoying these companies with these fruitless and impossible demands"? I suppose it could be a clearly stated legal immunity from LE for creating and selling strongly encrypted devices and services.
    How about "Strong encryption is legal and should not have any deliberate backdoors." 
    designrewtheckman
  • Reply 50 of 82
    SpamSandwichSpamSandwich Posts: 33,407member
    ceek74 said:
    creek0512 said:
    We have regularly scheduled government overthrows, they are called elections.
    Yeah, everyone's chance to "vote" for the least worst candidate.  Like elections aren't rigged.  They do make many people feel "empowered" though.
    The popular vote is meaningless. The president is elected by delegates at the Electoral College.
    tallest skil
  • Reply 51 of 82
    tommikeletommikele Posts: 583member
    rob53 said:
    Wow, we're getting closer to a dictatorship where nothing is protected. The headline is a little sensationalist compared to the actual article but if the Justice Dept is even thinking about it, it worries me. I'm sure they don't have any legal grounds to do this just like they don't have any legal grounds to compel Apple to write software to hack its own system. This insanity by the Justice Dept and FBI really needs to stop. It's an embarrassment to the people of the US and is making us look even more foolish than we already do to the rest of the world.
    Our appearance to the rest of the world is irrelevant. Without our constitutional protections the US is no better than China or Russia...which may be what Obama and his globalist buddies have been going for.
    You think Obama and his "globalist buddies" are going for a China and Russia look alike? Really, really ignorant comment that reflects someone who is lead by his preferred flavor of media and not by strong thinking and analysis based on a variety of sources. Why don't you tell us how you think some of the current crop seeking the Presidency stands on this issues and related constitutional privacy and freedoms. Once you do that it will be a bit easier to assess the level of politically motivated hypocrisy in your comment.
    jmoore5196baconstang
  • Reply 52 of 82
    palominepalomine Posts: 362member
    Okay. This whole encryption debate has gone on too long in my opinion.  
    The logic never made ANY sense.  It is crazy stuff. I have to start looking deeper for "why".

    It is a transparent fact that weakening the security of iOS will affect everyone, it would destroy our personal device's security. Which would greatly increase law enforcement's workload chasing finance crime, extortion, etc.

    Equally transparent is the fact that the criminals have lots of crypto software alternatives or could write their own, since it is Mathematics that enables it. Can't outlaw math.

    So, if it won't change the future in terms of encrypted criminal communications, and if it would increase the amount of crime and fraud, then
    WHAT THE HELL IS THIS CASE ABOUT????? 

    You know, I'm getting the idea that the US simply HATES Apple. I would like to know why they have it in for this company so bad. Just look at the hassles Apple has been going through with the Justice Dept. in the past couple years.

    What is the reason for all of this ire directed at Apple? 

    1. Maybe they haven't spent enough money lobbying/schmoozing the govt? 
    2. Maybe encryption debate is a lie to get bad guys to use their iPhones to talk when govt knows nsa really can get in?
    3. Maybe Eric Schmidt is pulling strings against a competitor as a part of new nsa technology group ?( he was appointed around same time)
    4. Maybe the military industrial complex has an angle I can't imagine?
    5. Maybe the nsa really can't help them get in?
    6. Maybe this is a counterintelligence story directed at some other govt?
    7. What precedent? Clipper Chip failed in the 90s. End-run around Congress via the courts?
    9. This is step one before they destroy all our liberties, and they expect it will be resolved with another attack of some sort.

    Feel free to add your own paranoid ideas. It is time to start looking at reasons for Apple's woes other than those the govt claims and Wall Street bs.  The more ideas the better. I eagerly await your replies, and a million others.

    baconstang
  • Reply 53 of 82
    tallest skiltallest skil Posts: 43,399member
    michael_c said:
    The FBI's actions are a repeat of the McCarthyism era - coercion, intimidation and deceit.
    McCarthy was a national hero. Do a comparison to Stalin or something.
    The popular vote is meaningless. The president is elected by delegates at the Electoral College.
    And there’s nothing wrong with that, because we’re not a direct democracy. Thing is, we ought to undo what Andrew Jackson did (only thing he did wrong, really) and allow the Electoral College to be proportional again instead of winner take all. Makes every state a battleground .
    edited March 2016 gatorguybaconstang
  • Reply 54 of 82
    volcan said:
    Soli said:
    LOL Good luck with that.
    They could be found in contempt of court, FBI could raid Apple's US locations and confiscate all their computers. Farfetched but not completely out of the realm of possibility.

    Apple should relocate all software development outside of US immediately, and it needs to be to a country that is not a US puppet and can stand up to pressure. That makes at the most two, neither of which could probably ultimately withstand US sanctions and none of Apple's software engineers are going to want to live there.

    Great idea chasing the single largest taxpayer out of the country.
    Apple has enough cash to just buy some islands and become a sovereign nation.  All hail Macland!
    ration al
  • Reply 55 of 82
    dasanman69dasanman69 Posts: 13,001member
    webweasel said:
    Maybe Apple should headquarter themselves in Switzerland if the FBI are going to behave like this. How depressingly moronic.
    And how would that stop them demanding the code?
    They could always demand it but would have no jurisdiction to enforce the demand. 
  • Reply 56 of 82
    nolamacguynolamacguy Posts: 4,758member
    webweasel said:
    Maybe Apple should headquarter themselves in Switzerland if the FBI are going to behave like this. How depressingly moronic.
    And how would that stop them demanding the code?
    while this will never happen, if apple relocated outside the US they could tell the US govt to kiss off
  • Reply 57 of 82
    tmaytmay Posts: 5,716member
    linkman said:
    This move by the DOJ is a bluff. They don't intend to follow through with it. But in doing so they have lessened faith and credit in the US government. Actions like this combined with the brinkmanship of the US congress in budgeting and surmounting national debt ($19.1 trillion as of right now but it's hard to keep current with that out of control figure) are turning this country into a place unfavorable to business.
    The debt is trivial; U.S. Government assets are way beyond $20 Trillion in valuation, and the U.S. is a very secure place to do business; a situation that I would like to continue.
    palomine
  • Reply 58 of 82
    tallest skiltallest skil Posts: 43,399member
    tmay said:
    The debt is trivial; U.S. Government assets are way beyond $20 Trillion in valuation
    That’s literally not at all how it works. There is more than a dollar of debt for every dollar in existence. It is physically impossible to pay it back. Foreign debt is only about a 10th of total debt.
  • Reply 59 of 82
    George Orwell was only a few decades out, it isn't going to stop at the iPhone folks.
    ration al
  • Reply 60 of 82
    Why doesn't apple add the argument that since all info on a phone was placed there by the user or with the permission of the user, the phone should be protected by our fifth amendment right against self incrimination: "No person shall be … compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law".
Sign In or Register to comment.