Apple employees threaten to quit if forced to build GovtOS, report says


Comments

  • Reply 81 of 164

    ...

  • Reply 82 of 164
    singularity Posts: 1,328 member
    Saying you will quit if x happens is very easy. Quitting when x happens is a different proposition especially when it means giving up a job with benefits etc
    Sir_Turkey
  • Reply 83 of 164
    lightknight Posts: 2,312 member
    Still waiting for Russia to demand iOS source code. As a global trade partner for America, and of course a democracy sitting at the United Nations, it's not like Apple can give the source code to the US Government and not Russia :)
  • Reply 84 of 164
    lightknight Posts: 2,312 member
    Between a rock and a hard place...

    And it's not just about iOS....

    - OS X
    - tvOS
    - watchOS

    If Apple loses this battle, the FBI could theoretically tap into your heartbeat at any time.

    And a year from now, a whole slew of third-party options will be available to encrypt your data and communications, and then what? 
    Who would not want a spy in their home. Hello, Alexa.
  • Reply 85 of 164
    ppietra Posts: 288 member
    JeffA2 said:
    ppietra said:
    Sorry but the cases the DOJ cites actually didn’t require any computer programming like in this case, they didn’t create new software. Those companies already had the equipment necessary to do what was ordered and had already done those things to serve customer requests. The programming was something like defining the phone number to monitor and took less than a minute.
    I'm not sure that's a qualitative difference. They were compelled to write software they did not have. The court seemed only to be concerned with the question of 'undue burden.' But even Apple concedes that the software modifications are not complex or costly to do. Well, that's why the specifics of this are going to be heard by judges who know more about the law than I do -- probably all the way to the supreme court.
    It seems like you didn’t understand what I said. They didn’t write software or use something they hadn’t already used in other circumstances. Consumers didn’t write software when they programmed VCRs back in the day, etc. Programming doesn’t only mean to write software.
  • Reply 86 of 164
    tenly Posts: 710 member
    CMA102DL said:
    Peter H said:
    I have a question:  why not let the FBI create the software they want, and then Apple signs the software with the key?  That way Apple doesn't get involved with making something they don't want to, and their keys never make it to the FBI. 
    No. It is never going to happen. The Apple source code is intellectual property the Government is not entitled to have. Plus Apple would voluntarily cease operations  rather than turning over any intellectual property to the US gov. This is worse than letting Apple develop GovOS.
    This is a perfect example of the exaggeration coming from some people in the pro-Apple camp.  This poster starts off with a valid point but then he ruins his credibility by claiming that "Apple would voluntarily cease operations rather than turning over intellectual property".  They can't and they won't cease operations.  They have a responsibility to their shareholders and the shareholders would have to vote on such a proposal.  That motion would never pass.  Investors would have to be willing to take massive losses essentially burning their existing shares which would be nearly worthless.
    singularity
  • Reply 87 of 164
    JeffA2 said:
    Why do people keep saying this as if it were true? The 'version of iOS that allows infinite attempts at the password' is to be loaded onto the phone in question via DFU mode. An iPhone will not load arbitrary software that way. It must have a valid signature and only Apple can do that. Furthermore, the software can (and by court order must) include the specific UUID of the target phone. Therefore even if this patch got out of Apple's hands, was disassembled and the UUID changed, it would fail to load on any iPhone because it would fail the signature check. To further ensure security the phone is allowed to remain in Apple's possession for the entire time it is running the altered software. As a final condition of the court order, the entire patch must be RAM resident. No flash memory on the phone can be altered. Therefore the patch will be erased from memory as soon as the target phone is unpowered. 

    What we have here is a procedure for producing a key for any specific phone, not a skeleton key. The difference is fundamental.

    Your second point that Apple will be asked to do this over and over is probably correct. However, even the FBI admits that the utility of this approach is short-lived. All Apple has to do to render it obsolete is require a PIN during DFU. I would expect them to add this to an upcoming iOS update very soon.
    Thanks for that.  Still, no nation should be asking for this in the modern world.  With hundreds of encryption programs available (most based outside the US) for iOS and Android should Apple customers be forced to act like terrorists and criminals in the way we protect our data in order to be safe from government intrusion (rhetorical question)?  It reminds me of gun laws here in Canada.  We are limited to 5 round magazines for centre fire semi autos and 10 for handguns despite our statistically excellent history of generally not being murderers etc.  Yet criminals don't have the same limitations.  Point being it both punishes the law abiding citizen and is completely ineffective in preventing crime.
  • Reply 88 of 164
    Like anyone is going to quit and if they do they'll regret it. Do they wear monkey suits over at Apple ? 

    Umm... I worked with several Americans at a leading edge (smaller) consulting company, and when they were told they had to dress more professionally for certain customers..... several quit...  so yes, some people will take the change seriously enough to quit.
    Sir_Turkey
  • Reply 89 of 164

    JeffA2 said:
    Given a choice between signing their own software and handing over the signing key to the FBI, Apple would be insane to do the latter. Losing control of the signing key is tantamount to losing control of the entire system.

    The next update will replace the key with a new one.
  • Reply 90 of 164
    tenly Posts: 710 member
    dinoone said:
    - Can a government compel a pharmaceutical company and its researchers, who took Hippocrates oath to save lives of all, to create or facilitate the creation of a poison necessary to execute a death penalty?
    Not if they have insurance - but from what I see, the Hippocratic oath only applies when the patient has insurance and a drug plan....  Withholding care from someone that will die without it is pretty much the same as administering a lethal poison in the same way that a lie of omission is still a lie.
    edited March 2016 singularitypalomine
  • Reply 91 of 164
    tenly Posts: 710 member
    JeffA2 said:

    tenly said:
    If *that* was all they wanted and it was going to end there it wouldn't be the end of the world at all.  It would mean bye-bye to 4-digit passcodes that can be cracked in 30 minutes - but a well chosen passphrase would take thousands of years to brute force.  
    Well an 8-digit numeric code would take only a few weeks. You're right for an 8 character mixed-case alphanumeric code though.
    You missed my point.  If you read my whole message, you'd see I said it takes 30 min or less to crack a 4 digit passcode, but thousands of years to crack a well-chosen passphrase.  8 characters does not constitute the "well chosen passphrase" I was referring to.  There are a number of ways to create a well-chosen passphrase and it's not as easy as people think - mostly because it has to be easy enough to be memorized and typed occasionally but should be long (>32 characters), not contain any names, dates or words from the dictionary or even any acronyms based upon famous quotes or popular song lyrics - because those things are already built into some of the better brute force attack tools.  The best passphrase would be to join together 3 or 4 good passwords - each of which are a meaningless mix of numbers, letters and special characters - but this is hard to remember and hard to type accurately.  The context that I mentioned 8 characters in was to suggest that 8 characters might be the longest passcode/passphrase that the FBI would be "okay" with since they could brute force it in a "reasonable" amount of time.
  • Reply 92 of 164
    tenly said:
    dinoone said:
    - Can a government compel a pharmaceutical company and its researchers, who took Hippocrates oath to save lives of all, to create or facilitate the creation of a poison necessary to execute a death penalty?
    Not if they have insurance - but from what I see, the Hippocratic oath only applies when the patient has insurance and a drug plan....  Withholding care from someone that will die without it is pretty much the same as administering a lethal poison in the same way that a lie of omission is still a lie.
    The hippocratic oath is generally speaking that they will do no harm (though that phrase is not part of it) to their patient.  There is nothing about being a slave to whoever may be sick - without regard for payment etc. etc.  A doctor does not sign up to lose his right of association or to become indentured to the poor and huddled masses.
    radarthekat
  • Reply 93 of 164
    jcs2305 Posts: 1,336 member
    Blah1221 said:
    Not sure why the FBI didn't think to search the shooter's computer if they had one 
    Because they destroyed their personal computers and cell phones prior to the attack. 
    icoco3
  • Reply 94 of 164
    dysamoria Posts: 3,430 member
    “Independence is the recognition of the fact that yours is the responsibility of judgment and nothing can help you escape it—that no substitute can do your thinking—that the vilest form of self-abasement and self-destruction is the subordination of your mind to the mind of another, the acceptance of an authority over your brain, the acceptance of his assertions as facts, his say-so as truth, his edicts as middle-man between your consciousness and your existence.” ― Ayn Rand, Atlas Shrugged 

    There is a rational conversation to be had regarding the balance between security and freedom. However, when the DOJ threatens to take Apple's source code, the conversation is over. Before surrendering a thing to our would-be overlords, I would liquidate, pay off the stockholders and burn anything left to the ground. NO ONE has the right to another's property, intellectual or otherwise.
    Yet our corporate overlords are doing just that, every day of the week, to almost every employee, and somehow libertarians think that's ok because they see themselves as the dominant agents in that arrangement (even when they're not, and are merely hoping to ride the coattails of others to a position of their own elitism), and the will of the corporate entity is legally and socially elevated to the position of being superior to the will of the individual worker in this country.

    I'm fully with Apple on this subject, but quotes of Ayn Rand's selfishness against society aren't something I'll ever get behind; that's just more arrogant elitism and sociopathy.


  • Reply 95 of 164
    ppietra Posts: 288 member
    tenly said:
    JeffA2 said:

    Well an 8-digit numeric code would take only a few weeks. You're right for an 8 character mixed-case alphanumeric code though.
    You missed my point.  If you read my whole message, you'd see I said it takes 30 min or less to crack a 4 digit passcode, but thousands of years to crack a well-chosen passphrase.  8 characters does not constitute the "well chosen passphrase" I was referring to.  There are a number of ways to create a well-chosen passphrase and it's not as easy as people think - mostly because it has to be easy enough to be memorized and typed occasionally but should be long (>32 characters), not contain any names, dates or words from the dictionary or even any acronyms based upon famous quotes or popular song lyrics - because those things are already built into some of the better brute force attack tools.  The best passphrase would be to join together 3 or 4 good passwords - each of which are a meaningless mix of numbers, letters and special characters - but this is hard to remember and hard to type accurately.  The context that I mentioned 8 characters in was to suggest that 8 characters might be the longest passcode/passphrase that the FBI would be "okay" with since they could brute force it in a "reasonable" amount of time.
    To brute force the password it has to be done on the iPhone and its hardware takes a minimum of 80 milliseconds between attempts. That means that it could take thousands of years to break an 8 character alphanumeric password.
    ration al
  • Reply 96 of 164
    ppietra Posts: 288 member
    JeffA2 said:
    No Jeff that is not the case at all.  The FBI are asking Apple to create a version of iOS that allows infinite attempts at the password.  If such a version were created and subsequently stolen/leaked it could be used on any other iPhone.  Hence the "skeleton key" that opens all the locks analogy.

    The other issue Apple has is where does this end?  At first the FBI said this is just for this one phone but then Comey (spelling?) admitted they would want to use such a compromised version many many times.  So that would compel Apple to constantly maintain a compromised version of iOS in perpetuity.  
    Why do people keep saying this as if it were true? The 'version of iOS that allows infinite attempts at the password' is to be loaded onto the phone in question via DFU mode. An iPhone will not load arbitrary software that way. It must have a valid signature and only Apple can do that. Furthermore, the software can (and by court order must) include the specific UUID of the target phone. Therefore even if this patch got out of Apple's hands, was disassembled and the UUID changed, it would fail to load on any iPhone because it would fail the signature check. To further ensure security the phone is allowed to remain in Apple's possession for the entire time it is running the altered software. As a final condition of the court order, the entire patch must be RAM resident. No flash memory on the phone can be altered. Therefore the patch will be erased from memory as soon as the target phone is unpowered. 

    What we have here is a procedure for producing a key for any specific phone, not a skeleton key. The difference is fundamental.

    Your second point that Apple will be asked to do this over and over is probably correct. However, even the FBI admits that the utility of this approach is short-lived. All Apple has to do to render it obsolete is require a PIN during DFU. I would expect them to add this to an upcoming iOS update very soon.
    You are technically correct about how Apple’s signature works, but wrong on the big picture because there are vulnerabilities that have been explored that don’t require Apple’s signature to change the system. Once others understand what Apple did in this tool they will try to replicate it while using those vulnerabilities for their benefit and that will work on many other phones, capable of unlocking those with bad passwords, hence being compared to a skeleton key.
    ration al
  • Reply 97 of 164
    jido Posts: 125 member
    JeffA2 said:
    Your analogy is also incorrect. Apple is not being asked to create a skeleton key. They are being asked to create a procedure for unlocking phones. The software itself -- the 'key' in your parlance -- only fits a single lock. But the procedure could be used to create other keys for other phones. But -- and here's the big difference -- each of those new keys must be separately authorized by a warrant and a subsequent court order. Then that specific 'key' must be signed by Apple before it will open the lock. That means there is judicial review for each individual case. That's exactly the type of protection guaranteed by the US constitution.
    No Jeff that is not the case at all.  The FBI are asking Apple to create a version of iOS that allows infinite attempts at the password.  If such a version were created and subsequently stolen/leaked it could be used on any other iPhone.  Hence the "skeleton key" that opens all the locks analogy.

    The other issue Apple has is where does this end?  At first the FBI said this is just for this one phone but then Comey (spelling?) admitted they would want to use such a compromised version many many times.  So that would compel Apple to constantly maintain a compromised version of iOS in perpetuity.  
    Otto, if the software is signed and includes the phone UUID how can it be reused?

    On the other hand, when the precedent is set it can be reused many times in court which is clearly against the interest of customer privacy. 
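
The device-binding argument in Replies 87, 96 and 97 (a signed image that names one phone fails the signature check on any other), as an added Go sketch that is not from the thread or from Apple. Ed25519, the `Ticket` type and the device IDs are illustrative assumptions, not Apple's actual format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Ticket is a hypothetical per-device authorization for one image.
type Ticket struct {
	DeviceID  string // informational only; the verifier never trusts it
	Signature []byte
}

// boundMessage is what gets signed: the fixed-length image digest followed
// by the device ID, so neither can change without invalidating the signature.
func boundMessage(image []byte, deviceID string) []byte {
	digest := sha256.Sum256(image)
	return append(digest[:], deviceID...)
}

// Personalize is the vendor side: sign the image for exactly one device.
func Personalize(priv ed25519.PrivateKey, image []byte, deviceID string) Ticket {
	return Ticket{deviceID, ed25519.Sign(priv, boundMessage(image, deviceID))}
}

// DeviceAccepts is the boot-time check. The device rebuilds the message from
// its own hardware ID, not from the ID written in the ticket.
func DeviceAccepts(pub ed25519.PublicKey, ownID string, image []byte, t Ticket) bool {
	return ed25519.Verify(pub, boundMessage(image, ownID), t.Signature)
}

// Demo runs the four cases on constructed data.
func Demo() (target, other, relabeled, patched bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	image := []byte("constructed image bytes, not real firmware")
	t := Personalize(priv, image, "DEVICE-A")

	target = DeviceAccepts(pub, "DEVICE-A", image, t) // the intended phone
	other = DeviceAccepts(pub, "DEVICE-B", image, t)  // same ticket, other phone

	edited := t
	edited.DeviceID = "DEVICE-B" // ID field changed, signature unchanged
	relabeled = DeviceAccepts(pub, "DEVICE-B", image, edited)

	modified := append([]byte{0x00}, image...) // image altered after signing
	patched = DeviceAccepts(pub, "DEVICE-A", modified, t)
	return
}

func main() {
	fmt.Println(Demo()) // true false false false
}
```

The binding holds only while the verification step itself runs and cannot be skipped, which is the concern raised in Reply 96.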
  • Reply 98 of 164
    metrix Posts: 256 member
    Saying you will quit if x happens is very easy. Quitting when x happens is a different proposition especially when it means giving up a job with benefits etc
    I'm thinking PayPal, Amazon, Microsoft will hire them immediately
  • Reply 99 of 164
    tenly Posts: 710 member
    ppietra said:

    To brute force the password it has to be done on the iPhone and its hardware takes a minimum of 80 milliseconds between attempts. That means that it could take thousands of years to break an 8 character alphanumeric password.


    ppietra said:
    tenly said:
    You missed my point.  If you read my whole message, you'd see I said it takes 30 min or less to crack a 4 digit passcode, but thousands of years to crack a well-chosen passphrase.  8 characters does not constitute the "well chosen passphrase" I was referring to.  There are a number of ways to create a well-chosen passphrase and it's not as easy as people think - mostly because it has to be easy enough to be memorized and typed occasionally but should be long (>32 characters), not contain any names, dates or words from the dictionary or even any acronyms based upon famous quotes or popular song lyrics - because those things are already built into some of the better brute force attack tools.  The best passphrase would be to join together 3 or 4 good passwords - each of which are a meaningless mix of numbers, letters and special characters - but this is hard to remember and hard to type accurately.  The context that I mentioned 8 characters in was to suggest that 8 characters might be the longest passcode/passphrase that the FBI would be "okay" with since they could brute force it in a "reasonable" amount of time.
    To brute force the password it has to be done on the iPhone and its hardware takes a minimum of 80 milliseconds between attempts. That means that it could take thousands of years to break an 8 character alphanumeric password.
    You're right.  I knew about the 80ms delay between attempts but I accidentally did the math for an 8 digit NUMERIC password instead of ALPHA-numeric. (It worked out to about 3 months.)

    If you switch to alphanumeric - even without any punctuation, you have 62 possible values for each of the 8 characters instead of 10.  Unless my math is still wrong, that would be about 553,000 years to iterate through all possible combinations.  7 characters would take 8,900 years, 6 characters - 144 years, 5 characters - 2.3 years and 4 characters - 13.7 days.

    So I guess the only thing that works in my original example would be to say that "the FBI could go after legislation that would force Apple to limit passphrases to 4 characters so that they can be able to unlock them in a reasonable amount of time!"

    Thanks for pointing out my mistake.




    edited March 2016 ration al
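
The figures in Reply 99, recomputed as an added Go example that is not part of any post. It assumes the 80 ms per-attempt floor quoted in the thread and a passcode chosen uniformly at random, and goes one step past the thread by finding the shortest length whose average-case search (half the keyspace) exceeds a target.

```go
package main

import (
	"fmt"
	"math"
)

const (
	perAttempt     = 0.08 // seconds per guess: the 80 ms figure from the thread
	secondsPerDay  = 24 * 3600.0
	secondsPerYear = 365.25 * secondsPerDay
)

// ExhaustSeconds is the worst-case time to try every passcode of the given
// length over an alphabet of the given size, at one guess per perAttempt.
func ExhaustSeconds(alphabet, length int) float64 {
	return math.Pow(float64(alphabet), float64(length)) * perAttempt
}

// Years converts seconds to years.
func Years(seconds float64) float64 { return seconds / secondsPerYear }

// MinLength returns the shortest passcode length whose average-case search
// time (half the keyspace, assuming a uniformly random passcode) is at least
// targetYears. It returns -1 for an alphabet that cannot grow the keyspace.
func MinLength(alphabet int, targetYears float64) int {
	if alphabet < 2 {
		return -1
	}
	for n := 1; ; n++ {
		if Years(ExhaustSeconds(alphabet, n))/2 >= targetYears {
			return n
		}
	}
}

func main() {
	// Alphabet sizes used in the thread: 10 digits, 62 mixed-case alphanumerics.
	for _, a := range []int{10, 62} {
		for _, n := range []int{4, 5, 6, 7, 8} {
			s := ExhaustSeconds(a, n)
			fmt.Printf("alphabet=%2d length=%d  %14.1f days  %12.1f years\n",
				a, n, s/secondsPerDay, Years(s))
		}
		fmt.Printf("alphabet=%2d: length %d needed for a 100-year average search\n",
			a, MinLength(a, 100))
	}
}
```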
  • Reply 100 of 164
    steveh Posts: 480 member
    Saying you will quit if x happens is very easy. Quitting when x happens is a different proposition especially when it means giving up a job with benefits etc
    Not so much of a problem when by so doing you probably increase your chances of getting an equivalent or better position somewhere else very quickly.

    I worked at Apple (a very long time ago), and know some of the people who are still there. Standing up for a principle to the point of quitting the job before violating that principle doesn't seem unlikely to me at all.