gunner1954

steven n. said:

You didn't answer the question. 'if the app is in foreground then it is actively used. How would you distinguish between "intended" and "unintended" use?'

The way i see this: FarceBook (or Googley or Instagrammy or some other popular app) has this malicious code inserted. Instead of the camera activating ONLY when you make a face-to-face 'call' to a person in your contact list, the 'Facetime' camera ALSO activates while you are simply viewing your feed, reading news, or doing other 'stuff' that normally doesn't use the camera. Because the app is active, the camera is active and the camera is taking pictures/videos of you and uploading them to a secret server. Or maybe you are using a texting app that also allows you to snap a selfie and instantly send it to your significant other, but winds up on said 'secret server' to be leaked later for all the world to see. So, yes,, this could cause embarrassment, and yes, Apple should scan for this misuse of code during the app approval/update process.

radarthekat said:

For those new to the FBI versus Apple battle...

Here is what's going on.  

The iPhone is locked by a passcode that is combined with a hardware key built into each iPhone at manufacture.  This hardware key is randomly generated and encoded into the silicon inside each iPhone AND IS NOT KNOWN EVEN TO APPLE.  So to unencrypt data on an iPhone, you need the user passcode and the hardware key, which exists only in the phone's hardware.

To decrypt the data on an iPhone you need to enter the password ON THAT IPHONE so that the password gets combined with that iPhone's hardware encryption key.  Taking the data off the phone and trying to decrypt it elsewhere won't work because you won't have the hardware key portion of the combined encryption key.

So you need to enter each password guess into the iPhone you are trying to unlock.  And the iPhone has a security feature that wipes all the data in the phone after ten consecutive incorrect password attempts.  This feature is what makes a simple four digit passcode such a strong security measure.  Without that feature, it would be a simple process to manually sit there and try one password after another until you went through all 10,000 combinations.  The FBI, or a school kid with a couple extra days on his hands, could break into any iPhone.  But if the phone erases itself after ten unsuccessful password tries, then you won't dare even try to unlock it, as you'll have only a 10 in 10,000 chance of guessing the correct password and the consequences of that tenth incorrect guess is that you'll lose the data you're after.

The FBI is demanding that Apple remove this security feature so that they can simply brute-force the password.  10,000 tries, even if done manually, wouldn't take very long.  Of course, they are also asking for two additional weaknesses.  One is to allow passwords to be sent to the phone electronically (wirelessly).  That would save time over manually sitting there trying one after another passcode.  And the other is to remove a delay the software inserts between passcode attempts, so that it could blast passcodes at the phone at a very fast clip.  You'd ask for these two additional weaknesses only if you are planning on turning this into a tool for law enforcement to use over and over.  So that puts the lie to the FBI's stance that they want this only for this one time.

Apple is not being asked to use any method they want to just get the data.  Apple is being demanded to build a forensic tool for law enforcement's repeated use.  Apple, and those of us knowledgable about this sort of thing, knows that this tool will need to be maintained and documented, and submitted into evidence to be inspected by defense attorney experts, because defense attorneys will want to be certain that the tool does not modify the evidence it makes available.  This is how the tool will get out into the wild, and when it does then none of us will have any security unless we install additional encryption software on top of the operating system.  Which criminals and terrorists will immediately do, leaving them safe from law enforcement search while leaving the vast majority of casual users open to those same terrorists infiltrating their phones and grabbing their bank account passwords, etc.

Law enforcement will solve a few more crimes, committed by unwitting criminals who didn't think to add additional encryption on top of the weakened encryption in the operating system.

Casual users like you and me and your kids and wife will be more subject to snooping by hackers, some of which will be working for the fund-raising departments of terror organizations.

Terrorists will hold up this incident and the fallout from it as a major victory in their attempts to weaken and manipulate free society.

A couple more points:

1. Passcode being sent electronically does not necessarily mean wirelessly. Could be a wired keypad or wired device acting as a keypad. Apple currently only allows passcode entry via the on-screen keypad, thus they would have to further modify the iOS software to allow passcode entry via a wired or wireless device.

2. To make the changes to the chipsets inside an iPhone Apple has to 'flash the ROMs' by sending a 'signed' update using Apple's secret electronic signature. Normally this occurs via 'Software Update' where the user has to manually enter their passcode to authorize the download and install process. Apple Store Genius Bar employees USED TO be able to do this for a customer without entering the passcode by putting the iPhone into a 'factory mode' and updating the software while wired to a Mac/Mac Server. What people forget is that doing this erases the iPhone (on purpose) after which the customer must now set up the phone and download their saved data via iCloud or from their own computer via iTunes. The FBI wants a version of iOS that will install the modified iOS and NOT erase the data. THIS IS THE BIG BUGABOO! If Apple does this (which I'm sure they could because they have excellent engineers and coders) AND if this revised, less secure software gets into the wild, which it will under our current court system, then criminals and other nefarious entities will have a means to 'break' any iPhone, causing an immediate increase in stolen iPhones, AGAIN. We already went through this with  high thefts rates in NYC, San Francisco and L.A. With the mayors of those cities threatening to sue Apple and others for NOT having their phones more secure! Now NYC wants Apple to make their phones less secure, reverting back to a time when thefts (and muggings and deaths) were rampant!

3. If Apple does build this forensic tool and does perform the work for law enforcement, they become a de facto 'agent of the state' for which other countries can now use as an excuse to ban Apple products, particularly iPhones, from their countries. Basically, the ruination of Apple as their products can no longer be trusted to be secure. Already there are proposals in the U.S. to ban any phone without a 'back door' for law enforcement (and spy agencies), and France is proposing heavy fines for not assisting their security agencies, and other are proposing to ban phone without heavy encryption. So what is a company to do? Make the same phone with different iOS software for different countries? If they do that, then the one's wanting 'secure' phones will purchase their phones from countries demanding security and not purchase phone sold in the USA. Like I said, the end of iPhone sales and the decline of Apple as an entity.

I'm sure others can add other very plausible scenarios to what I wrote above.

dewme said:

The way the article is worded makes it sound like MacKeeper, MacBooster, and MplayerX are also malware. Is this true?

Yes, in a manner of speaking. MacKeeper, for one, use to send back loads of system information to a server WITHOUT user permission, warning or input. Whether the same is true now or is true of MacBooster or MplayerX I cannot say with certainty as I no longer use or have use for any of them.

Just wondering, instead of Youtube and Net flex, why didn't you play a rented or purchased movie from Apple's iTunes store, or stream a from iTunes from a Mac? Would this have made a difference in volume and controls?

anton zuykov said:

bulk001 said:

maciekskontakt said:

randominternetperson said:

What's the legal justification for searching their phones at all?  If I punch you in the face, can the police get a search warrant to search my house?  What does rioting and destruction of property have to do with your personal information and communications?  Searching the phone sounds like an unreasonable search and taking it in the first place seems like an unreasonable seizure.  They caught these guys red handed and have all the evidence they need to get convictions.  That should be enough.

Presumably the argument will be that they are trying to find evidence for someone "inciting a riot" but they should be able to solve that part of the case with old fashioned interrogation and deal-making with the hundreds of people they arrested.

Yes. It is called hard evidence. If you punch someone in face you go to jail. You are lucky that you just go to jail.... some of us are licensed to carry in many states and that may end-up quite differently including search of phones. So let's stop at that.

Yes. A death sentence for throwing a punch. Red America. And red in more ways than one. 

That is a strawman. If a person throws a punch at you, how do you know what his intentions will be AFTER that punch? Does he wanna throw some more punches and then finish you with a knife, or would one punch be enough? You dont know, but he has already attacked you, so it is reasonable to assume that person wants you dead or injured.
When you throw a punch at a person, you have just given that person a right to use deadly force, if he can prove later, that it was reasonable for him to think he was in danger. I like that every person has the right to defend himself. Sure, responding with a gun to a fist fight might be an overkill ( no pun intended) but a person with a gun was not the one who had the option of choosing if he wants to start the violence or not. 

Besides, if you don't wanna get killed for throwing a punch, DONT THROW PUNCHES without a good reason. That might help to pass throw Darwin filter, you know. Just saying....

Exactly right. Not only that, but look at the inordinate amount of youtube videos showing the 'knockout game' where someone coms up to you and intentionally punches you in the head in an attempt to knock you out. There have been cases where such a 'knock out punch' has killed the victim, either by the punch itself or the victim then striking a hard object during the unconscious fall. Some of those videos show the attacker standing over the semi-conscious victim apparently waiting to strike again should the person get up. If that was me on the ground, I'd stay there, draw my Sig and shoot the MF in his grinning face!

AppleInsider said:...

Apple's serious approach to security has enabled the company to take a leading roll in supplying computing devices to enterprise buyers, one of the markets Windows Phone has made very little progress in, and a market segment that has purposely shunned the sloppy security associated with Google's Android.

Here's hoping Daesh doesn't capture any of those Windows Phones our US military are using in Iraq and Syria. Oh wait! The US military no longer uses MS and Android phones and tablets in the field! Correct? Too insecure! You would think that would be a clue the FBI could fathom!

The_Martini_Cat said:

If it has wireless charging, what is the need for a lightning cable?

Wireless charging is for slow, overnight charging with your iPhone sitting on a pad.
The lightning cable is for FAST charging using a power adapter in a wall or connected to a USB-C equipped Mac.

78Bandit said:

I didn't think the 5C used secure enclave as was stated in the article. I thought that only started with the 5S models that had Touch ID. I have my serious doubts that iPhone 6 encryption can be cracked for only $2,000. A much more likely scenario is the mother knew the daughter's PIN and that was used to access the data mirrored from the recovered phone.

The article did not say that the encryption was cracked. It intimated that Cellbrite used NAND mirroring to decipher the 6-digit access code, which can be done in hours, not years. Once the 6-digit code is known, the phone's contents are 'unlocked' and can be read, but the encryption is still in place.

If the person had use the optional 'Custom Alphanumeric Code,' Cellubrite may still be trying.

As PROX mentioned (through news articles) China wanted the Apple iOS source code to ensure that there are NO backdoors in the code, as Apple alleged. Apple (allegedly) handed over the source code to iOS, NOT the security keys, and they DID NOT create a NEW version with a backdoor, nor did they hand over firmware code (to anyone's knowledge). If all the FBI wanted was the source code, Apple probably would have handed that over, but that is not the NY judge's order.

To me the FBI is asking of Apple the equivalent of asking a safe maker, not only how the safe is designed, AND not only the best way to defeat the safe, but also to build in a special combination to the safe usable only by them (yeah, right) to circumvent any combination set by the owner of the safe.