And who in the FBI would understand how to code IOS? Would be *Hilarious* if Apple did give it to them and then the FBI botched it and wiped the phone with a bug
Apple has likely erased the source code for iOS 8 when it released iOS 9. And portions of iOS may belong to non-US Apple international subsidiaries, where US judicial system orders have no validity (jurisdiction). Oops...
No, that would all be archived. Nothing can ever be erased for legal and quality system reasons.
The assumption that you could just hand over the entire source code to an iPhone and makes sense of it in a reasonable time is ludicrous. This is the same government that cannot roll out a health care website, but would be trying to understand and repurpose an entire operating system. And I'm sure there will be plenty of Apple engineers to jump ship to a government salary to help explain it to them.
I would love to watch members of Congress debate whether Apple should be nationalized. They could get the source code for iOS and Mac OS and enough money to pay for another small invasion.
Not sure it can stop the demand, but it could provide legal protection from actually getting it. I'm not sure how international law handles these things.
Then the US could prohibit sales of iPhones in the US and perhaps other countries that support the US.
Not sure it can stop the demand, but it could provide legal protection from actually getting it. I'm not sure how international law handles these things.
Unless it's covered by such treaties such a TTP. In this scenario I could see Apple having a bad time conducting business in the USA, but it won't get to that point either it goes through all the legal hurdles and Apple complies or Apple wins and nothing changes.
If Apple wins, Congress can make it law that they have to do what the FBI is requesting.
Not sure it can stop the demand, but it could provide legal protection from actually getting it. I'm not sure how international law handles these things.
Then the US could prohibit sales of iPhones in the US and perhaps other countries that support the US.
Then, Apple relocates and lobbies the other countries stop the sales of whatever the US is selling and you have a god damn mess. This kind of thing never goes well with anyone. Between killing tens of billions of dolllars and tens of thousands of high paying jobs going into the US economy and starting a global trade war, I'm sure "maybe" preventing one crime every decade will be worth it.
Unless it's covered by such treaties such a TTP. In this scenario I could see Apple having a bad time conducting business in the USA, but it won't get to that point either it goes through all the legal hurdles and Apple complies or Apple wins and nothing changes.
If Apple wins, Congress can make it law that they have to do what the FBI is requesting.
So, if the supreme court sides with Apple congress can go around that? WTF are you talking about.
In theory, with source code and a signing key, the Justice Department could break into any iPhone. The question is whether or not they have enough competence to do so before the heat death of the universe. The bad news is that that both would leak and every criminal hacker would be able to break into any iPhone.
If Apple wins, Congress can make it law that they have to do what the FBI is requesting.
So, if the supreme court sides with Apple congress can go around that? WTF are you talking about.
I'm hoping that Congress can create new legislation favorable to encryption; otherwise, the DOJ will be working overtime to come up with more cases. The Supreme Court would, at this point, only be considering All Writs as a legal framework for warrants, and that would be too narrow even if it was in Apple's favor.
Darrel Issa has been known to push his political agenda, but in this case, he may actually be the one to pull this all together.
Apple has likely erased the source code for iOS 8 when it released iOS 9. And portions of iOS may belong to non-US Apple international subsidiaries, where US judicial system orders have no validity (jurisdiction). Oops...
They have stored the source code on a locked iPhone.
It will be on encrypted storage of some kind but not likely ones that have an erase feature. The source code request was suggested by Darrell Issa who was defending Apple:
but this would be a worse outcome for Apple. The raw effort that Apple puts into building a cracking tool is not the issue here. That effort involves ensuring that they don't build something that undermines the security of every other iPhone. Giving away the source code and signing key allows the FBI to do that damage, not caring what it does to iPhones around the world. The FBI can 'mistakingly' upload the source code or key somewhere and wreck the security of every iPhone and they'd never be held accountable for it, they'd just play dumb like they always do. That would allow them to plant bugging software/malware on iPhones. The code wouldn't be the whole iOS code, just the encryption code and maybe some firmware.
The least negative outcome for Apple while still allowing the FBI to continue the investigation would be to find a way to extract an encrypted image from the phone and hand it over to the FBI to try and brute-force it. It uses a hardware encryption key that is part of the CPU (secure enclave) to unlock it but they can still hand over the heavily encrypted data. If the FBI can't break that, that's their failure. Some iPhone security details are in the following document:
"The device’s unique ID (UID) and a device group ID (GID) are AES 256-bit keys fused (UID) or compiled (GID) into the application processor and Secure Enclave during manufacturing. No software or firmware can read them directly; they can see only the results of encryption or decryption operations performed by dedicated AES engines implemented in silicon using the UID or GID as a key. Additionally, the Secure Enclave’s UID and GID can only be used by the AES engine dedicated to the Secure Enclave. The UIDs are unique to each device and are not recorded by Apple or any of its suppliers. The GIDs are common to all processors in a class of devices (for example, all devices using the Apple A8 processor), and are used for non security-critical tasks such as when delivering system software during installation and restore. Integrating these keys into the silicon helps prevent them from being tampered with or bypassed, or accessed outside the AES engine. The UIDs and GIDs are also not available via JTAG or other debugging interfaces.
The UID allows data to be cryptographically tied to a particular device. For example, the key hierarchy protecting the file system includes the UID, so if the memory chips are physically moved from one device to another, the files are inaccessible. The UID is not related to any other identifier on the device."
They use multiple layers of 256-bit keys in a combination and removing any of the layers breaks the overall key. When they need to do a full disk wipe, they don't have to overwrite the whole drive because the data is already scrambled with the keys. They just overwrite a single key in the hierarchy.
Separating the data from the keys doesn't mean that the data is inaccessible, it can still be brute-forced. It just means that brute-forcing would take forever. The same would be true if the FBI recovered a 2048-bit encrypted drive though. Intelligence agencies have bypassed this level of encryption online by finding flaws in the software used to encrypt it:
If a terrorist or other suspected criminal used a 3rd party encryption software with no known flaws and only they knew the key, there would be nothing anyone could do.
- Apple making custom software to override the security features on one phone sets a precedent for trivially overriding the security on all phones and the software could end up in the wrong hands. An employee who wrote it leaving Apple could accidentally or deliberately leak it or rewrite it. - Apple making custom brute-forcing software using extracted keys limits the security impact but still sets a precedent and would place an undue burden on them to unlock every phone. - Apple extracting heavily encrypted raw data from the NAND chips would be almost impossible for the FBI to break but it's no different from them recovering a 2048-bit encrypted drive and Apple could do this on hundreds of phones without much effort and leave the burden to the FBI/NSA/whoever.
If Apple just gives them the encrypted data, they are no longer the gatekeeper to the data. The FBI can try and brute-force it all year long. The combined key will be a certain length so they just start firing those numbers at random at the data. Tim Cook should however encrypt a 16GB or so archive full of a picture of him mooning them and hand that over instead so after a year of brute-forcing they get the only backdoor they deserve.
Well then FBI, federal justice dept, etc. I might just have to take you to the European court of human rights. Of the following
1. Compromising my data security - re data protection act. You not apple will be responsible 2. Anti competitive activities - in that by doing this you will give other companies not asked for this information an unfair advantage 3. Acting on accounts outside of your durastiction - i.e any non US accounts 4. Acting on a company outside of your durastiction I.e. Apple's registered headquarters I think is still Ireland (for tax purposes maybe) so the durastiction could be argued to be in the EU not the US. 5. And just because everyone else in this farce is being silly (not this forum) wait until campus 6. is complete and Apple will take of Literally (lol?)
Rant over guys sorry I hope he last point bought some humour at least because some of the law enforcements arguments certainly seem laughable to me.
This move by the DOJ is a bluff. They don't intend to follow through with it. But in doing so they have lessened faith and credit in the US government. Actions like this combined with the brinkmanship of the US congress in budgeting and surmounting national debt ($19.1 trillion as of right now but it's hard to keep current with that out of control figure) are turning this country into a place unfavorable to business.
I'm hoping that Congress can create new legislation favorable to encryption;
I'm wondering what that would look like.
At this point the "genie is out of the bottle". We have encryption. In fact, the primary case with Apple/FBI is not even really about the encryption as it is about the passcode retry limit. I expect Apple to plug that hole in the next OS to the point where they can legitimately say we literallycannot break into the phone. Period. At that point any LE request to break in will be akin to saying "make gravity not so."
So what would legislation "favorable to encryption" look like other than "stop annoying these companies with these fruitless and impossible demands"? I suppose it could be a clearly stated legal immunity from LE for creating and selling strongly encrypted devices and services.
How about "Strong encryption is legal and should not have any deliberate backdoors."
Comments
This kind of thing never goes well with anyone.
Between killing tens of billions of dolllars and tens of thousands of high paying jobs going into the US economy and starting a global trade war, I'm sure "maybe" preventing one crime every decade will be worth it.
"It'll be a shame if your Apple Store is shut down for various violations. You know what I'm saying?"
Darrel Issa has been known to push his political agenda, but in this case, he may actually be the one to pull this all together.
It will be on encrypted storage of some kind but not likely ones that have an erase feature. The source code request was suggested by Darrell Issa who was defending Apple:
http://qz.com/628745/i-have-no-idea-the-fbi-director-at-the-apple-judiciary-hearing-gets-schooled-on-security-tech-by-a-congressman/
but this would be a worse outcome for Apple. The raw effort that Apple puts into building a cracking tool is not the issue here. That effort involves ensuring that they don't build something that undermines the security of every other iPhone. Giving away the source code and signing key allows the FBI to do that damage, not caring what it does to iPhones around the world. The FBI can 'mistakingly' upload the source code or key somewhere and wreck the security of every iPhone and they'd never be held accountable for it, they'd just play dumb like they always do. That would allow them to plant bugging software/malware on iPhones. The code wouldn't be the whole iOS code, just the encryption code and maybe some firmware.
The least negative outcome for Apple while still allowing the FBI to continue the investigation would be to find a way to extract an encrypted image from the phone and hand it over to the FBI to try and brute-force it. It uses a hardware encryption key that is part of the CPU (secure enclave) to unlock it but they can still hand over the heavily encrypted data. If the FBI can't break that, that's their failure. Some iPhone security details are in the following document:
https://www.apple.com/business/docs/iOS_Security_Guide.pdf
"The device’s unique ID (UID) and a device group ID (GID) are AES 256-bit keys fused (UID) or compiled (GID) into the application processor and Secure Enclave during manufacturing. No software or firmware can read them directly; they can see only the results of encryption or decryption operations performed by dedicated AES engines implemented in silicon using the UID or GID as a key. Additionally, the Secure Enclave’s UID and GID can only be used by the AES engine dedicated to the Secure Enclave. The UIDs are unique to each device and are not recorded by Apple or any of its suppliers. The GIDs are common to all processors in a class of devices (for example, all devices using the Apple A8 processor), and are used for non security-critical tasks such as when delivering system software during installation and restore. Integrating these keys into the silicon helps prevent them from being tampered with or bypassed, or accessed outside the AES engine. The UIDs and GIDs are also not available via JTAG or other debugging interfaces.
They use multiple layers of 256-bit keys in a combination and removing any of the layers breaks the overall key. When they need to do a full disk wipe, they don't have to overwrite the whole drive because the data is already scrambled with the keys. They just overwrite a single key in the hierarchy.
Separating the data from the keys doesn't mean that the data is inaccessible, it can still be brute-forced. It just means that brute-forcing would take forever. The same would be true if the FBI recovered a 2048-bit encrypted drive though. Intelligence agencies have bypassed this level of encryption online by finding flaws in the software used to encrypt it:
http://www.newyorker.com/tech/elements/how-the-n-s-a-cracked-the-web
If a terrorist or other suspected criminal used a 3rd party encryption software with no known flaws and only they knew the key, there would be nothing anyone could do.
- Apple making custom software to override the security features on one phone sets a precedent for trivially overriding the security on all phones and the software could end up in the wrong hands. An employee who wrote it leaving Apple could accidentally or deliberately leak it or rewrite it.
- Apple making custom brute-forcing software using extracted keys limits the security impact but still sets a precedent and would place an undue burden on them to unlock every phone.
- Apple extracting heavily encrypted raw data from the NAND chips would be almost impossible for the FBI to break but it's no different from them recovering a 2048-bit encrypted drive and Apple could do this on hundreds of phones without much effort and leave the burden to the FBI/NSA/whoever.
If Apple just gives them the encrypted data, they are no longer the gatekeeper to the data. The FBI can try and brute-force it all year long. The combined key will be a certain length so they just start firing those numbers at random at the data. Tim Cook should however encrypt a 16GB or so archive full of a picture of him mooning them and hand that over instead so after a year of brute-forcing they get the only backdoor they deserve.
1. Compromising my data security - re data protection act. You not apple will be responsible
2. Anti competitive activities - in that by doing this you will give other companies not asked for this information an unfair advantage
3. Acting on accounts outside of your durastiction - i.e any non US accounts
4. Acting on a company outside of your durastiction I.e. Apple's registered headquarters I think is still Ireland (for tax purposes maybe) so the durastiction could be argued to be in the EU not the US.
5. And just because everyone else in this farce is being silly (not this forum) wait until campus 6. is complete and Apple will take of Literally (lol?)
Rant over guys sorry I hope he last point bought some humour at least because some of the law enforcements arguments certainly seem laughable to me.