
Justice Department Wants Apple to Unlock Nine More iPhones - jstreebin
http://www.nytimes.com/2016/02/24/technology/justice-department-wants-apple-to-unlock-nine-more-iphones.html?partner=rss&emc=rss&_r=0
======
jrapdx3
The article describes the Justice Dept. doing exactly what has been so widely
predicted on HN and elsewhere. Doesn't seem like good timing on the
government's part to publicly announce the intention to seek numerous iPhone
"unlockings". Rather it plays into Apple's argument about unleashing a torrent
of court-ordered demands which will have adverse consequences for security.

Legal minds should weigh in, but I'm thinking the only effective remedy is
going to be congressional action, to pass law that defines the limits of court
discretion re: forcing firms' assistance breaching their carefully constructed
security/privacy systems.

This news prompts me to write my representative and senators and strongly urge
them to support enacting this form of protective legislation. If there's
enough of an outcry from the electorate there's a far greater chance of
putting sensible policies in place. The fact it's an election year can only
make voicing our concerns all the more effective.

~~~
edraferi
It makes total sense that the givernment would use it's forensic capabilities
whenever the need arises. The question at hand is: "can the All Writs Act
compel a company to proactively defeat its own security measures?" The answer
will apply to all cases.

The more important question is "Should the government be able to access
citizen's digital data with a court order? And if so, how can that be enabled
without compromising the general security of the device?

I suspect we'll ultimately wind up with mainstream device manufacturers
maintaining some kind of per-device master key that they turn over when
ordered.

This will enable government to access data in the typical case. Including
foreign governments. Sophisticated bad guys will continue to use zero
knowledge software, which government will attack by other means. The per-
device master keys will be compromised eventually, which will force
enterprises to upgrade their fleeta but normals won't care.

~~~
ktRolster
The best way (IMO) is to make it unbreakable, and off by default. Then the
people who care about privacy can have it, and the justice department can be
happy most of the time.

~~~
SanFranManDan
But I am sure a large portion of the people involved in activities where the
government wants their info will have it turned on. I'm sure if Snowden's
phone was encrypted they wouldn't go "Oh well ~90% of americans dont have
encryption turned on so we'll just be happy with that."

~~~
bobwaycott
Snowden is a poor example here. He worked in intelligence, a field the
government would logically and rightly expect to value encryption. This,
Snowden would fit in by using encryption here. He'd stand out if he _didn 't_.

------
sago
> “What we discover is that investigation into one crime often leads into
> criminal activity in another, sometimes much more serious than what we were
> originally looking at,”

They want access so they can go fishing too? They're really not doing a good
job of sticking to the 'necessary and proportionate' line.

~~~
Derbasti
That sentence caught my eye, too.

So they are publicly stating that they are not really interested in just
solving the case and prosecuting the offender. Instead, they want to see what
else they can stick to the man.

I'm sure if you just dig deep enough, you will find some crime in everyone's
data. Guilty until proven innocent.

~~~
alanwatts
>We are to look upon it as more beneficial, that many guilty persons should
escape unpunished, than one innocent person should suffer. The reason is,
because it’s of more importance to community, that innocence should be
protected, than it is, that guilt should be punished; for guilt and crimes are
so frequent in the world, that all of them cannot be punished; and many times
they happen in such a manner, that it is not of much consequence to the
public, whether they are punished or not. But when innocence itself, is
brought to the bar and condemned, especially to die, the subject will exclaim,
it is immaterial to me, whether I behave well or ill; for virtue itself, is no
security. And if such a sentiment as this, should take place in the mind of
the subject, there would be an end to all security what so ever.

-John Adams

[http://rotunda.upress.virginia.edu/founders/default.xqy?keys...](http://rotunda.upress.virginia.edu/founders/default.xqy?keys=ADMS-
print-05-03-02-0001-0004-0016)

~~~
philovivero
Amazing. Either I'd never seen this quote before, or didn't understand the
huge negative implications of punishing the innocent on society.

If innocence isn't held in the highest regard, then society itself collapses
as people no longer deem it necessary to act in an ethically- and morally-
superior manner.

I see many signs in modern society that this maxim was ignored.

------
newman314
This part is interesting...

" _The judge has indicated skepticism over the government’s demands.
Initially, Apple agreed to a formal order to help the Justice Department gain
access to Mr. Feng’s phone, but Judge Orenstein balked, questioning whether
the All Writs Act could be used that way. He invited Apple’s lawyers to raise
objections._ "

~~~
themartorana
I imagine the judge isn't oblivious to the potential weight of precedent here.

~~~
newman314
Well, also interesting is the fact that Apple originally agreed and it was the
judge that suggested for raising an objection...

~~~
msbarnett
I think that's a misunderstanding on the part of the author.

The judge's initial order was issued _ex parte_ \-- meaning the judge issued
it to the justice department without Apple lawyers being present to argue
against the order. Instead, as it was issued ex parte, the judge invited Apple
lawyers to respond to the order after the fact by offering reasons it was an
undue burden.

Essentially, Apple wasn't there to agree or disagree to it. The Judge
encouraged Apple to object to it in recognition of the fact she was issuing it
ex parte, not to nudge them out of inaction.

~~~
CPLX
Precisely, and it's worth mentioning that ex parte filings are where a lot of
dubious things happen, as that format by definition doesn't really have a
traditional adversarial format. Civil forfeiture is the other big example.

------
kareemm
This sounds exactly right. From an article I posted earlier[1]:

> In interviews with BuzzFeed News Wednesday, the former officers with the FBI
> and NSA acknowledged that U.S. intelligence agencies have technology that
> has been used in past intelligence-gathering operations to break into locked
> phones. The question, they added, was whether it was worthwhile for the FBI
> to deploy that technology, rather than setting a precedent through the
> courts.

This article seems to confirm that Law Enforcement is going to do its best to
set a legal precedent.

[1] -
[https://news.ycombinator.com/item?id=11163338](https://news.ycombinator.com/item?id=11163338)

~~~
awongh
This makes a lot of sense since the government could issue an order through
FISA and afaik apple would be required to comply with it.

The fact that they can resist the order and in a such a public way feels a
little bit theatrical, given what we know about how these things work.

I wonder how much of what's happening between apple and the fbi / rest of the
government is the tip of the iceberg.

~~~
studentrob
> The fact that they can resist the order and in a such a public way feels a
> little bit theatrical, given what we know about how these things work.

I wondered that too. I read that Apple wanted to keep the debate quiet, and
that it was the FBI who wanted to have a public debate.

Anyway, here we are having the "public debate about security vs. privacy on
computers"

FBI sympathizers complain that some people are talking in extremes, and that
the issue needs a balanced, nuanced approach like Bill Gates has offered.

Tech experts tell them that encryption can't be outlawed and the FBI is deaf
to it

Regardless of whether we're talking about zero knowledge devices or not, now
is the time to have the debate, because compelling Apple to act here is one
step away from telling them they can't legally create a completely secure
device. If we do this, so will China and other oppressive regimes, and it will
hurt the global cause of free speech irrevocably.

~~~
mattlutze
> Anyway, here we are having the "public debate about security vs. privacy on
> computers"

What I think we're having is a debate about access vs. security.

The government wants access to be more important than information security.

Apple, and I guess people educated on the topic who aren't the government,
want information security to be more important than access.

If one actor has a magic key to a system, n actors have that key because logic
and the faliability of human systems. The government has proven too often that
information security is not its chief concern, and we should expect they'll
not perfectly protect the capability they're asking for as well.

Do we care to keep information safe, or "safe"? I think that's what the
legislature is going to have to decide.

------
r00fus
Clearly this is an agenda.

I still don't understand why Apple needs to save the FBI from it's own
incompetence in asking the government office that managed the iPhone to reset
the password.

It seems to me that unless tech companies come together to defend Apple, we
may see (unregulated and unaccountable) government become very very part of
all facets of computing.

~~~
ikeboy
I can't think of any way in which the FBI's incompetence would have legal
implications for Apple's obligations. How would that work?

If they're able to help, and can be compelled legally, why would the FBI
having previously had the ability to get the data but losing it to a mistake
change their obligation?

~~~
ridgeguy
Perhaps because the FBI's error deprived them of the only clearly legal means
of recovering the data.

Their mistake shouldn't confer access through arguably illegal means (the
legality of the court order compelling Apple not yet being settled).

~~~
rainsford
The point is that the legality of the court order compelling Apple does not
depend on whether or not the FBI made a mistake in other investigative
approaches. If the order is illegal, then it doesn't matter whether the FBI
needs the access it provides or not, it's still illegal. On the other hand, if
the order is legal, then the FBI needing it due to a mistake doesn't suddenly
make the order illegal.

------
Laaw
I know this is going to sound crazy, but there are parallels here between
Apple vs. the FBI, and Superman vs. Batman.

Superman represents an unchecked power, and Batman finds this unchecked power
to be unacceptable as a risk, in case the power is ever used against humanity.

Is this a subtle marketing ploy from DC Comics‽

~~~
orionblastar
Superman vs. Batman, they are making a new movie about that.

Superman caused a lot of damage in The Man of Steel movie and many people died
as a result of his fight with Zod that ended up with him breaking Zod's neck
and killing him. The movie could have gone a different way if he asked his
Father's hologram about Zod, and any weaknesses he might have during the 24
hours he had to think over. Then use the craft he came to Earth with to
destroy Zod's ship engines, defeating him without any property damage or
killing innocent people.

But anyway Batman always has a plan in taking down any super powered being in
case they go rouge or mind controlled. He stores them on his computer and
makes technology or finds items that can weaken them or take away their
powers.

For Superman he has a battlesuit and kryptonite. The battlesuit gives him
strength and power to fight Superman and the kryptonite weakens Superman so
Batman can fight him.

Yet in The Dark Knight, Batman used a program to use everyone's cell phone to
create a spying device that gave hi the location of the criminals Joker
employed and where the victims are. Sort of abusing his own powers for
domestic spying and making cell phones insecure by infecting them with an
exploit that installs his own backdoor to get access to the cameras etc to
scan for things.

~~~
atmosx
Given the _powers_ these two characters have, Superman would kill Batman while
watching a movie with Lois Lein and eating pop-corn - without Lois realising
he was gone for a split of a second.

ps. Not big on DC/Marvel comics/movies, they're all the same to me but keep
some f*cking consistency plz.

~~~
trelltron
Read the post you're replying to plz.

"But anyway Batman always has a plan in taking down any super powered being in
case they go rouge or mind controlled. He stores them on his computer and
makes technology or finds items that can weaken them or take away their
powers."

------
cft
Note how Android unlocking demands never came up in this discussion. That's
because the phones are vulnerable.

I am a Nexus user.

~~~
fooey
Android hasn't come up, but more notable to me, why hasn't this come up over
Windows machines? Bitlocker has been a thing for quite a while now.

Has the FBI/DoJ never encountered an encrypted desktop or server before? or
has it not been a problem when they have?

~~~
zaroth
I believe that by default Microsoft keeps a copy of your BitLocker key and is
happy to provide it to the police when requested. Also, see Bill Gates recent
comments on the topic.

------
BWStearns
At least now all doubt is formally removed that they want to use the precedent
set in the SB case for more mundane requests. Hopefully this should make
Apples' PR fight easier.

------
jMyles
I think I need someone to explain this to me because none of this hype makes
any sense.

I am usually wary of oversimplifying these sorts of controversies, but this
one does seem exceedingly simple to me. It goes like this:

Is it possible, even with Apple's help, to break the encryption of <insert
device model here> without knowing the encryption key, given that the
passphrase provides reasonable entropy?

If the answer is other than a flat, unambiguous "no," enjoying the consensus
of the scientific and security communities, then that device is simply not
secure, right?

...and, to extrapolate just a bit: when device that are secure by this
definition are in the mainstream (and my understanding is that even current
iPhones, unlike the one at issue in this case, are) then this is entirely
moot, right?

~~~
mrdrozdov
Apple can hypothetically upload an OS update enabling unlimited password
attempts, so that the encryption key can be brute forced.

~~~
jMyles
Right - so that means that the iPhone is already broken, no?

...and, more to the point: when phones come out that don't have this
vulnerability, none of this will matter, right?

~~~
zaroth
The specific technique/functionality they are asking for in this case most
likely only works on the 5c, but there are also reports that the auto-wipe on
the 6s which is handled by the secure enclave could also be disabled on a
locked phone.

Even if both of these particular vulnerabilities are closed, it's almost a
guarantee that additional vulnerabilities exist which Apple could be forced to
exploit.

The next best example is perhaps police forcing Apple to wiretap iMessages in
real-time. They have tried countless times and Apple has said they do not have
the capability and refused to create it. But it is clearly technically
possible from the design. Closing that vulnerability would require significant
changes to the iMessage UX. Some people argue we can't trust Apple and they
should make those changes in any case, but obviously Apple is willing to
impose some level of trust in their own infra in order to gain UX advantages.

------
datashovel
I wish I had a timeline that showed me the frequency of stories coming out on
this.

I am only spitballing here, but does anyone else think the heat has risen for
federal law enforcement to set some precedents on this stuff now that Antonin
Scalia has died? My hunch is that with another liberal judge on the Supreme
Court there may be a push to have some of this type of case heard at the
highest court.

~~~
insaneirish
> I am only spitballing here, but does anyone else think the heat has risen
> for federal law enforcement to set some precedents on this stuff now that
> Antonin Scalia has died?

Scalia often ruled against law enforcement's attempts to abuse their search
powers.

Examples:

[https://www.oyez.org/cases/2000/99-8508](https://www.oyez.org/cases/2000/99-8508)

[https://www.oyez.org/cases/2012/11-564](https://www.oyez.org/cases/2012/11-564)

[https://www.oyez.org/cases/2014/13-9972](https://www.oyez.org/cases/2014/13-9972)

[https://www.oyez.org/cases/2008/07-542](https://www.oyez.org/cases/2008/07-542)

It's not clear to me how he would have ruled in this case, but I don't think
it would have been open and shut.

------
fooey
It seems hard for me to believe that Apple now has at least 10 instances where
the government is trying to force them to decrypt their phones, and this
hasn't happened with Google or MS yet.

I don't recall ever hearing a big standoff with MS refusing to decrypt a
Windows desktop or server.

Is encryption just that much more common on Apple devices? or is Apple just
the first ones to make this all public?

~~~
semi-extrinsic
Windows desktop full-disk encryption means Bitlocker, which is basically
breakable by anyone who can google stuff and buy the right firewire cable:

[https://github.com/carmaa/inception](https://github.com/carmaa/inception)

Note that this is the open source, made by one guy in his spare time version,
so it has some caveats. But I'll bet you dollars to donuts that the three-
letter agencies have their own, more capable version.

~~~
dcvuob
That is an disingenuous representation of how the attacks works. That attacks
OPSEC, not the Bitlocker itself. Any full-disk encryption is "vulnerable", to
this kind of attack.

The page even explains this:

[https://github.com/carmaa/inception#awesome-but-
why](https://github.com/carmaa/inception#awesome-but-why)

[https://github.com/carmaa/inception#unlock](https://github.com/carmaa/inception#unlock)

~~~
semi-extrinsic
Not really. Full disk encryption using Pointsec/other commercial offerings, or
as you typically do it on Linux with LUKS+dmcrypt, asks for the passphrase
before the OS has loaded any Firewire drivers. In which case a fully shut-down
computer is not vulnerable to this attack, ie. you have protection against
evil maids, thieves, FBI etc.

But with Bitlocker, it only requires a password at Windows login, and by then
all the Firewire etc. drivers are up and running. So you have no protection
for computers that are stolen/seized by law enforcement.

~~~
pfg
IIRC BitLocker with pre-boot authentication mitigates DMA attacks. Most
Windows hardware doesn't come with FireWire or Thunderbolt ports nowadays.
Microsoft recommends pre-boot auth for devices with DMA ports.

~~~
semi-extrinsic
These are fair points. But for businesses in particular, it's a problem since
many skip on (or are unaware of the need for) pre-boot auth, and business
laptops still pack FW ports, if not on the laptop itself, then surely on the
docking station.

------
tdsamardzhiev
"This is a specific case where the government is asking for access to
information. They are not asking for some general thing, they are asking for a
particular case" \--Bill Gates

Have something to say, Bill?

~~~
mhaymo
They are asking for 10 particular cases, each of which requires a warrant. The
point stands that this is not an incident of mass or unwarranted surveillance.

~~~
tdsamardzhiev
And how many particular cases do they need to ask for before it becomes "an
incident of mass or unwarranted surveillance"?

------
Pxtl
Will we be hearing an apology from FBI spokesmen that insisted this is a one-
time thing?

~~~
imron
> from FBI spokesmen

*Director

[https://www.fbi.gov/news/pressrel/press-releases/fbi-
directo...](https://www.fbi.gov/news/pressrel/press-releases/fbi-director-
comments-on-san-bernardino-matter)

------
arrty88
> The Manhattan district attorney, Cyrus R. Vance Jr., foreground, and New
> York City’s police commissioner, William J. Bratton, behind him, say they
> have about 175 iPhones they have been unable to unlock.

Wait, how many have they been able to unlock and how? Sheer luck?

~~~
Eric_WVGG
nah they have tools that can be embedded between the touchscreen and logic
board, can be used to brute force

[https://www.youtube.com/watch?v=meEyYFlSahk](https://www.youtube.com/watch?v=meEyYFlSahk)

I naively thought it was a machine with a robotic finger, derp

~~~
jonah
This is the blog post that video comes from:
[http://blog.mdsec.co.uk/2015/03/bruteforcing-ios-
screenlock....](http://blog.mdsec.co.uk/2015/03/bruteforcing-ios-
screenlock.html) It has a bit more context.

------
acqq
> Apple has in a number of cases objected to the Justice Department’s efforts
> to force its cooperation through a 1789 statute known as the _All Writs Act_

And the full (!) text of _All Writs Act_ is just:

[https://en.wikipedia.org/wiki/All_Writs_Act](https://en.wikipedia.org/wiki/All_Writs_Act)

\--

"(a) The Supreme Court and all courts established by Act of Congress may issue
_all writs necessary_ or appropriate in aid of their respective jurisdictions
and agreeable to the usages and principles of law.

(b) An alternative writ or rule nisi may be issued by a justice or judge of a
court which has jurisdiction."

\--

Note it's not any law that regulates any form of encryption or communication
security or what some company has to do to help some law enforcement
procedures, a lot of laws with such topics were fought about, proposed,
discussed and introduced through the years, like CALEA. This is just "we can
demand anything we want."

The issue is, should this Act be allowed to be used in such contexts. A
precedent can even make unnecessary the current process by which the laws are
being made. Note there's nothing specific in that sentence from 1789. Who
needs laws if anything goes?

------
merpnderp
Apple does have a point. I probably won't own a device with a known
vulnerability even if it was at the behest of the government.

~~~
Laaw
Do you own a home?

Do you own a car?

The executive branch can obtain warrants from the judicial branch to "exploit
vulnerabilities" and gain access to these "devices".

~~~
cat-dev-null
In the US, these are three distinctly different things:

1\. A person's "papers," memories and life details typically lives as data on
their personal smartphones and other devices. Currently, a phone/laptop seems
to be treated as pocket lint and other personal property, so a warrant is
typically not needed to access contents, i.e., airport enhanced security
screening, traffic stop, etc.

2\. Important papers may reside in a home in a safe or filing cabinet. A
warrant or probable cause is needed to search a home.

3\. A search warrant is not needed to search a vehicle, only probable cause.
All kinds of road vehicles including van conversions and RVs are considered
vehicles, not homes, even for the folks whom dwell in them, and so there is
currently little protection.

The fourth amendment needs an amendment to explicitly include one's personal
electronic devices, hosted servers and cloud data in order to be congruent
with the spirit of the law, because LEAs clearly do not respect sensible
boundaries.

Furthermore, the Apple refusal is mostly a protest stance but moot considering
the offensive LE tools industry jumps with glee at every opportunity to
provide solutions... if the 10x-wipe retries counter is unencrypted, it will
be broken by third-parties. (I hope this is not the case, and that it is an
encrypted token of some sort)

~~~
taneq
This badly needs to change, now that your "pocket lint" can store more data
than an entire house full of filing cabinets.

------
0x07c0
Cant a legal hack be to move core security development out of US jurisdiction,
and let Apple USA lease tech from Apple Iceland/Switzerland/Ireland/etc, as is
done with taxes today ? This would make Apple USA unable to fulfil any court
order demanding change to source code.

------
lips
Question which I can't get out of my head: It would stand to reason that the
ruling on this case would affect other commercial phone and/or OS
manufacturers, but how would it reflect on some OSS projects, where the coders
are not necessarily employees of the project?

~~~
studentrob
It wouldn't have any impact, and that's the point.

To block all encryption apps, you'd need to censor the internet and check
every digital device at the border. The government needs to understand that
this is the implication of the direction in which it wishes to take us.

Bruce Schneier goes into more detail:
[https://www.schneier.com/blog/archives/2015/07/back_doors_wo...](https://www.schneier.com/blog/archives/2015/07/back_doors_wont.html)

------
pcwalton
> The judge has indicated skepticism over the government’s demands. Initially,
> Apple agreed to a formal order to help the Justice Department gain access to
> Mr. Feng’s phone, but Judge Orenstein balked, questioning whether the All
> Writs Act could be used that way. He invited Apple’s lawyers to raise
> objections.

This is curious, because I was under the impression (due to the lawyers on HN)
that this is basically an open and shut case in the eyes of the law: the
government has the ability to compel Apple to act. Why would the judge think
differently?

(I'm genuinely curious as to the legal aspects of this and not taking a side
either way.)

~~~
s_q_b
It's tricky. The All Writs Act clearly must have some boundaries as to
reasonableness and the due process of the defendant.

What Apple is being asked to do here isn't simply to unlock a phone. They're
being asked to use their engineers, money, and expertise to build a tool to
defeat the very encryption they developed.

It's not clear the All Writs Act enables the government to simply order a
search warrant recipient to create new technology for them.

~~~
spiralpolitik
There is also a first amendment angle in that due to the previous crypto wars
code is considered speech so the act of forcing a developer to write code
could be considered compelled speech.

~~~
studentrob
This is a fantastic point. I hadn't heard that yet, thanks!

For the lazy, here's what I found,

Compelled speech:
[http://law2.umkc.edu/faculty/projects/ftrials/conlaw/compell...](http://law2.umkc.edu/faculty/projects/ftrials/conlaw/compelledspeech.htm)

Code is free speech:
[http://archive.arstechnica.com/wankerdesk/2q99/freespeech-1....](http://archive.arstechnica.com/wankerdesk/2q99/freespeech-1.html)

------
ianamartin
I've already made my legal and political opinions in other threads on the
topic and won't rehash them here, especially since so many other people are
making the points better than I did.

However, here's something I haven't thought of, though I sort of hate to boil
the thing down to a business proposition. The fact is that iPhone is a
_massive_ business. What all is a company allowed to claim as "burden" in the
discussion of undue burden?

Let's say the FBI wins, and Apple is forced into this. Then the narrative in
the mind of the public is that Apple has back-doored their phones and made
them insecure.

Apple loses literally billions of dollars per quarter for some amount of time
until they can repair the PR damage.

Is the loss of, say, 50 billion dollars in revenue over the next calendar year
something a reasonable person would call "undue burden?"

What about other ancillary effects that cost either direct money or
productivity? There are rumors of something like an iPhone 6c that is
scheduled to be released perhaps soon. (Supposedly a revamped 4" phone like
the 5s but with the latest hardware) After all this hubbub about a potentially
insecure 5c, who is going to go buy a 6c without wondering if it has the same
problems?

Casual tech watchers don't understand the nuts and bolts of this situation.
They hear some things, read some things and go along with the popular media
consensus.

If the alleged 6c were actually going to be launched in a couple of months,
the branding, production, packaging, marketing would all have been bought and
paid for already.

Does having to recalibrate the launch of a new product and all the costs that
might incur count as "undue burden?"

Etc., etc. Maybe they need a significant portion of the iOS team to do this,
and the work causes delays in the next version of iOS, iPhone 7 has to get
pushed back for release and misses the holiday quarter, again, lost sales
accounting for billions.

I think the potential impact on Apple's bottom line could honestly be taken
into consideration of burden. Curious about what other people think. Is money
just not talked about in these considerations?

~~~
studentrob
> Is the loss of, say, 50 billion dollars in revenue over the next calendar
> year something a reasonable person would call "undue burden?"

I wonder the same. In another comment in this thread I mention that it's not
just undue burden here that is expected under AWA according to USA vs. New
York Telephone, it is also expected that the FBI pay for any work they ask
Apple to do.

Yahoo was forced to deal with many requests from the NSA in 2008, only those
dealings were unknown to the public until recently. [1] The last 8 years have
not treated Yahoo too well..

It seems when you fight the government on privacy, you lose. It's better if
you roll over and wag your tail like Microsoft

[1] [http://www.theguardian.com/world/2014/sep/11/yahoo-nsa-
lawsu...](http://www.theguardian.com/world/2014/sep/11/yahoo-nsa-lawsuit-
documents-fine-user-data-refusal)

------
exodust
Might criminals, paranoids and privacy extremists wishing for their phones
never to be cracked, just choose an 11 digit passcode? I hear this would take
too long for a computer to crack.

Everyone else can choose a 4 digit code, and still enjoy very good security up
until the point they are wanted by the FBI.

People are confusing the fight for unbreakable encryption with this new fight
to keep manufacturer-specific passcode retry attempts nice and secure.

The very fact we have this dependency between the encryption and the retry
system, is a weakness probably deserving of attention.

~~~
studentrob
The question at hand is whether or not the DOJ can use the AWA to compel a
company to weaken its product. It's unclear as yet whether the court will
consider this too burdensome for Apple, or too expensive for the FBI to be
able to reimburse Apple for any costs.

Apple's argument is that this will set a precedent, and the FBI will ask to
unlock many phones in the future, possibly even to the point of preventing
Apple from creating a phone that is not unlockable. Further, that the creation
of the proposed hack will by its very nature put the whole iPhone ecosystem at
risk if and when it gets out into the wild. The more requests that the FBI
makes, the more people Apple will need to train to service such requests, and
the more risk that there is a leak.

The analogy here, although dramatic, would be the atom bomb. Hillary even
alluded to the need for a Manhattan-like project to circumvent encryption,
although I don't think she thought that would be received as a bad thing.

The FBI's argument is that they're only asking Apple to unlock a single
iPhone. The DOJ is unwilling to comment on how many iPhones law enforcement
across the country would like to use this on, and defers to local officials to
answer that question. They are pretending to focus on this one phone while
knowing full well the value of what they're after. They wouldn't call up the
AWA for a single phone.

Obama is unwilling to draw up legislation with congress about this issue given
the nature of the public's attitude about mass surveillance, particularly
during an election year. They're probably terrified this issue would fracture
the public vote and then there's no telling who we will elect as the next
President. So, they directed the FBI to use the AWA.

~~~
exodust
I'm aware of all that, your summary wasn't needed, and is lacking your
personal opinion! "I think" is not a bad thing to say once in a while.

I'll take a guess that your position is identical to Apple's recent letter on
the matter.

I think Apple should help unlock these phones, with the condition that such
help may be impossible in future versions of the OS. Who wouldn't want future
versions of iOS to prevent these requests from being possible even with
Apple's intervention? How that can be achieved I don't know. Perhaps some
fancy new hardware chip that kills the phone at any sign of tampering. I'd
vote for that, most people would, but the FBI would hate it.

The crucial point is getting as much of the public on side as possible. Most
people would support increased security and privacy measures for their phones.
They would feel threatened by legislation denying Apple or others the right to
improve security for customers, meaning such legislation would unlikely pass.

By fighting this current situation, Apple are putting themselves in an awkward
situation of "not helping criminal investigation" which is not easy to get
everyone on side if you're not being helpful.

It's a bit like chess, and Apple might have done better to make their move at
a later time, first helping with these iPhones, then shutting the door on that
option in later OS releases. "Sorry, it's encrypted inside and out, no way in,
that's how good the security is, because that's what our customers wanted"
would be impressive, and hard to defeat with new legislation.

So Apple should comply now, and make a better chess move later. I could be
wrong, but that's what I think for now :)

~~~
studentrob
> I'm aware of all that

Was your original question rhetorical? In case it wasn't clear by my summary,
no, we should not be satisfied with a longer passphrase. We should be
concerned about the precedent-setting nature of this case.

> your summary wasn't needed

This is an open discussion. Nobody's forcing you to read my summary.

> "I think" is not a bad thing to say once in a while.

I think that is implied by the fact that I wrote all that. Anything that I
haven't cited is my personal take on the issues.

> I think Apple should help unlock these phones, with the condition that such
> help may be impossible in future versions of the OS

Nobody believes the FBI will adhere to this condition. They can always change
their minds down the road.

> It's a bit like chess

It is like chess, you're right. The move has been made and the hand removed
from the piece. Time to act, carpe diem. The best thing to do now is educate
people about encryption and potentially make this an election issue at some
point in the future. Right now the public has nothing to do with this case.
It's going to be decided in a court among experts, lawyers and judges.

> Apple should comply now, and make a better chess move later

That's fine, it's your opinion. I disagree, and would add that now is the
right time to take a stand while this is in the public spotlight. It will take
time to educate the public about encryption and we might as well start now.
Compelling Apple to circumvent its own security will make us less safe. There
is a black market where exploits are bought by intelligence communities, and
if Apple creates this exploit, there's a chance it will fall into the wrong
hands.

------
caf
Here's what I wonder.

Suppose Apple loses and tells its engineers to produce this update. What
happens if those engineers all refuse? Can they be found individually in
contempt of court?

~~~
studentrob
I don't think so. But Apple could face some hefty fines, and they would offer
engineers more money to avoid such fines.

If every engineer refused to do it at any price, Apple would cease to exist.

Around 2007-2008, Yahoo faced a $250,000 per day fine for non-compliance with
the NSA's Prism program [1], according to documents released in 2014 [2]

Note also that the CEO and co-founder Jerry Yang left his position at the end
of 2008, after which time, it seems, they became compliant and the orders
stopped.

[1]
[https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%...](https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29)
[2] [http://www.theguardian.com/world/2014/sep/11/yahoo-nsa-
lawsu...](http://www.theguardian.com/world/2014/sep/11/yahoo-nsa-lawsuit-
documents-fine-user-data-refusal)

------
headgasket
In the article: "In a report covering the first six months of 2015, Apple said
it had received nearly 11,000 requests from government agencies worldwide for
information on roughly 60,000 devices, and it provided some data in roughly
7,100 instances."

So an icloud backup negates the need to force apple to unlock?

Any way to backup an ios device online on a 3rd party, encrypted using a
public key?

~~~
BinaryIdiot
> Any way to backup an ios device online on a 3rd party, encrypted using a
> public key?

Not as seamless as the iCloud backup. Essentially you need to back up each
service itself and restore it all manually when you need to.

Not that Android is any better in this regard; it works pretty much the same.

It's unfortunate as there has been a huge focus on device security, mostly for
the payment capability but the actual data on the thing? Easily backed up and
extracted via government request.

------
splatcollision
9 more phones this week. 12 next week, 20 the following...

------
nickfromseattle
Between this and the on-going case with Microsoft Ireland, would anyone like
to speculate on the impact to US tech companies ability to compete
internationally if the US Justice Department wins?

There may not be a foreign equivalent for US companies working on complex or
enterprise problems.

Europe is often times the second highest revenue generating region outside of
the US for US tech companies. Do European businesses care about this? Would
this cause them to adopt a lesser alternative? Does this comply with EU Model
Clauses that govern regulated verticals like defense, finance, academia,
healthcare, etc?

I am not a lawyer, but I can't imagine the EU Model Clauses would allow for
something like this.

~~~
stormbuilder
Well, after the Snowden reveals, everyone was talking about it every day for
more than an year.

Did that actually lead to companies choose EU providers over USA ones? Not
sure, but it certainly was a factor that many considered.

Especially in areas where client data is very sensitive (like healthcare), EU
companies are extremely paranoid about it.

------
rrggrr
State, county and municipal governments are next.

~~~
macspoofing
Divorce lawyers after that.

~~~
tajen
Couple investigators after that, then divorce presales.

------
FrankyHollywood
I still like BGs argument (and do consider myself a hacker haha)

"It is no different than [the question of] should anybody ever have been able
to tell the phone company to get information, should anybody be able to get at
bank records. Let’s say the bank had tied a ribbon round the disk drive and
said ‘don’t make me cut this ribbon because you’ll make me cut it many
times’.“

([https://www.yahoo.com/tech/bill-gates-says-apple-
unlock-0451...](https://www.yahoo.com/tech/bill-gates-says-apple-
unlock-045152332.html))

~~~
shkkmo
That is a ridiculous and misleading argument and Bill Gates should be ashamed
of having made it.

The difference is that ribbon isn't hard to cut and so the bank wouldn't have
to develop a whole new type of scissors to cut it and doing so doesn't weaken
the security of a bunch of other bank records secured with similar ribbon.

~~~
FrankyHollywood
so if a phone can be cracked in 1 hour it is allowed, but if it takes a month
the government can't?

this discussion is not about complexity!

~~~
studentrob
Apple isn't an arm of military intelligence. They shouldn't be compelled to
act as one, particularly when the task would take a month, yes.

It's not just about time. Part of Apple's product is security. The DOJ is
asking them to weaken their product. This could cost Apple their business in
the long run as foreign companies enter the fray and offer a secure product
that Apple is no longer allowed to produce.

Keep in mind that there's a black market where hacks and exploits for various
systems are sold by hackers and bought by intelligence agencies. If this
software is created by Apple, there's a chance it could get out there and end
up in the wrong hands.

~~~
FrankyHollywood
We live a western society, not China. If more than 50% of the population wants
the phone to be cracked it should be done. That's what we all agreed on living
in a democracy. Law is formed by the wishes of majority.

I'm not a lawyer. Is the FBI asking something from Apple which is not legal?
Than go to court.

~~~
studentrob
> We live a western society, not China

Exactly. So why are we asking Apple to do something which Obama rebuked China
for doing last year? [1]

> If more than 50% of the population wants the phone to be cracked it should
> be done

This isn't up to the public, it's up to the courts, who've been asked by the
DOJ to consider the issue.

The public only comes into play around election time when there's a chance to
vote in a new President. And, it's likely this decision will be made before
Obama leaves office.

> Law is formed by the wishes of majority

No.. Law is created by elected officials who are tasked with studying the law
more closely than the general public

[1] [http://www.reuters.com/article/us-usa-obama-china-
idUSKBN0LY...](http://www.reuters.com/article/us-usa-obama-china-
idUSKBN0LY2H520150302)

~~~
FrankyHollywood
I can't imagine a country where 80% of the population is against abortion, and
it still would be legal. In some indirect way law reflects what a population
wants. Even the constitution can be changed with enough votes in parlement (at
least in The Netherlands, US I don't know).

So the question is still open, is there any legal ground in what the FBI is
asking from Apple?

And if there is, should the cooperate? And what would be the alternative,
leave America?

------
neximo4
America is ruled by corporations. It is unjust but can you imagine Apple, an
american company, having fines or being rendered such that it was
disadvantaged to sales in China/India or setting off its decline.

The only time the exception was ever made was to prevent monopoly about a
hundred or so years ago.

Otherwise its perfectly ok to be an American corporate citizen and challenge
the law.

------
ericfrederich
How about making a phone where there isn't a backdoor?

The fact that Apple has the ability to update a phone while it is locked is a
backdoor.

------
ck2
Wow so the FBI lied. Imagine that.

Guess law enforcement thinks telling the truth is not something "good guys"
are required to do.

------
skc
Silly question, but what would you suppose Apple would do if this were a
branch of the Chinese govt asking for this?

~~~
studentrob
China did try to draft a law to compel companies to create this kind of back
door for their government.

President Obama told President Xi that China would not be able to do that if
they wanted to do business with the US [1]

As far as I know, the iPhone still sells in China, so that law never made it
through. If the US allows this to happen, you can bet China will demand the
same.

[1] [http://www.reuters.com/article/us-usa-obama-china-
idUSKBN0LY...](http://www.reuters.com/article/us-usa-obama-china-
idUSKBN0LY2H520150302)

------
Shivetya
Well the spin game is guaranteed to ramp up. Sycophants are already laying the
ground that Apple and Cook would have to accept some of the blame in any
upcoming terrorist attacks. I am amazed they haven't tried the kiddie porn
route yet.

Still another issue is, if they were compelled to create it they could be
compelled to surrender it too. With that its a matter of weeks or months
before it gets leaked to a criminal organization or country.

My long term concern is, would we ever know if they got compelled to change
iOS to insert a backdoor that gets pushed to our phones. Even if we do how
long before carriers are required to lock users out for not updating?

~~~
abruzzi
This is pure hypothetical, but I've wondered what would happen if apple were
to lose in court, then make this custom iOS signed to work only on the
specific phone in question, and provide the installer to the FBI with a bill
for $5 million in development time. Then destroy all source on this special
version, stating that they don't feel comfortable having that in their source
tree since a rogue employee might leak it. Then the next time there is a phone
to crack, they build the custom version again, an provide it to the FBI with
another $5 million bill for services rendered since all development would have
to be done from scratch. That would at least provide a bar that law
enforcement would have to pay, rather than simply thinking once the cost is
born once, future versions are cheap like $10k.

~~~
Piskvorrr
Well. "Hello, Mr. X and Mr. Y, we hear that you're the ones who built the
previous version. We'll taking you on a vacation to Gitmo, so you can build us
another one. You're welcome."

~~~
Sacho
Too bad they can't - the code is probably trivial to write, but they wouldn't
have access to Apple's signing keys in order to install their update.

------
FrankyHollywood
The discussion about encryption is getting completely out of context, like
'encryption' is something magical.

We're talking about cracking a 4 digit access code of a phone, which is
extremely easy. Apple knows this, that's why they set a digital booby trap
which fires after 10 tries.

So the real discussion should be, "Can the government force a company who
placed a booby trap, to remove that same trap if needed?"

Whether this is a digital trap, of a bomb placed on a doorknob is not
important.

~~~
Piskvorrr
What is encryption? It's a method of denying access without the correct key
(for as long as it takes for the data to become worthless - not necessarily
forever). Actually destroying the data is one of the ways to deny access.

NB: if it _were_ so easy, we wouldn't be having this discussion. So,
apparently there are some _mitigation_ techniques which help in case of weak
passphrases, and make it not-so-easy, no?

~~~
FrankyHollywood
Yes, but for Apple it is easy. Just change 1 line of code, recompile and patch
the phones firmware. Than some FBI intern can try 10000 lockscreen codes and
they're in. No big deal.

My whole point is, this is not a technical issue. It is easy. It is a legal
issue. Can the government force a company to do such a thing? Especially when
the impact on society is zero. The firmware upgrade is not released outside of
Apple, no other phones get it.

It feels almost like a publicity stunt to me. Apple being the underdog in the
fight against the big evil government.

If they don't want to cooperate and there is no legal basis for doing so, than
don't cooperate.

~~~
Piskvorrr
"The firmware upgrade is not released outside of Apple, no other phones get
it." \- that's the non-obviously _haaaard_ part. The one that _would_ fail,
sooner or later.

------
known
Why can't Justice dept ask www.iphoneasyunlock.com

------
briankwest
I thought it was 12, now its 9? Are they using new math?

~~~
brians
Octal. Aaaand they dropped one.

------
known
Does Apple own the iPhone after it's sold?

------
bpd1069
fascism

------
mc808
Let's end drug prohibition first, and then discuss whether to hack the
remaining phones, if any. This whole fiasco has nothing to do with terrorism.

Alternatively, introduce a restriction that this form of forced labor can only
be compelled in terrorism cases where lives are in imminent danger. How many
phones will be left to hack?

~~~
bmelton
> Alternatively, introduce a restriction that this form of forced labor can
> only be compelled in terrorism cases

That would simply spur a lot more manufactured "high profile terrorism cases"
hitting the news.

~~~
mc808
That or they will move on to the next narrative, cyber crime or human
trafficking or any number of crimes that would be sooo much easier to solve if
we gutted the Constitution a little bit more.

------
gravypod
I'm confused. From what I understand apple has been doing this for some time.
I even remember someone saying that apple did this many times before. Even if
apple isn't the one doing this, there are also plenty of people who are
familiar with low level vulnerabilities of iPhones that can essentially do the
same tasks.

~~~
bmelton
Apple has not done "this" before. Apple may have unlocked phones for older
models (with less security), but with the upgrades to iOS for versions 5 and
6, this is a much different ask.

The FBI is hoping to have Apple develop a new iOS that does not automatically
wipe the device after <x> invalid password attempts, then use their signing
keys to push a deployment of that operating system onto this specific phone.

Nobody else has access to Apple's signing keys, ergo nobody has the ability to
do this on Apple's behalf.

~~~
gravypod
Yes but they have unlocked phones before and they will conceivably continue to
do it. It's not about the difficulty of the task, it is about the principle.

I haven't heard of the FBI asking to get apple's keys before, but that is
crazy.

~~~
bmelton
Ostensibly, they made the security increases in iOS to prevent from being able
to comply with these types of requests, ensuring that their software was as
secure as possible.

Aside from that, a fourth amendment search or seizure cannot generally compel
someone to open a door. The usual logic is that it allows agents entry; the
trade-off of letting them in is that you don't have to replace your door
after.

This isn't a matter of standing aside while the agents effect the search, it's
a whole different thing. Put into (what will assuredly be a bad) analogy,
whereas a physical property search involves opening a door, or standing aside
while the cops break down the door, this scenario is more akin to demanding
that Apple build an entirely new house, one without doors, then removing the
old building and installing the new building in its place so that the cops can
enter.

------
arca_vorago
Here is my take on the recent apple vs justice saga:

Being the cynical fuck I am, a former action arm of the darkside, I have been
telling friends and family for years that they should assume anything with a
cellular modem in it is potentially comprimised by a nation state or above
actor (yes, "above" nation state exists... Its called the deep state you
fool).

I automatically assume that such publicity is actually closer to a honeypot to
entice foolish mid level criminals into thinking iBrain devices are "secure",
when I think they probably have miltiple backdoor avenues in place.

Of course, I'm just the hn resident conspiracy theorist, so it's probably just
me being paranoid...

~~~
jMyles
> Its called the deep state you fool

You... that's where you lost me.

~~~
arca_vorago
Sorry for the verbal carelessness, was a bit on the inebriated side last
night. Here is a great author to get you started on the deep state.

[http://www.amazon.com/American-Deep-State-Democracy-
Library/...](http://www.amazon.com/American-Deep-State-Democracy-
Library/dp/1442214244/ref=la_B001IGJXJO_1_1/180-3986548-9014321?s=books&ie=UTF8&qid=1456329836&sr=1-1)

------
nickysielicki
I think it's important to dispel this fiction that Apple will be "unlocking"
anything.

To use the word "unlock" seriously blurs the lines of what's going on here.
They're merely asked to flash it with software that removes a delay in
submitting passcodes and removes the wiping function after ten failures.

That's not unlocking it.

If Apple complies with the order, the FBI will still be getting an encrypted
iPhone back, and they'll still have to sit around and try to decrypt it.

~~~
halter73
A distinction without a difference. The FBI wouldn't ask for the modified
software if it wouldn't allow them to easily unlock the phone.

~~~
nickysielicki
Today FBI has the resources to desolder the chip and put it into all sorts of
controllers where they can prod and poke at the encrypted data.

What if this guy used a long passcode? They're still going to try to get in,
and the only difference is that they'll move the heavy lifting off of the
iPhone and try to crack it with beefy computer. And to do that, they'll have
to lift the chip off the SoC anyway.

My point is that when people say Apple will "unlock" the phone, it insinuates
that the only thing standing between FBI and the data is Apple. And that isn't
true. Even if Apple complies, they're they're not guaranteed to get in.
Furthermore, Apple could comply and they still might find themselves pursuing
an angle that they're already capable of. FBI are going through all these
court hearings and process all for the sake of trying 0000-9999.

In other words, this is obviously bullshit on the side of the FBI. The
question is why they're doing that. I suggest that it's not about legal
precedent, because newer iPhones can't be undermined like this and the All
Writs Act can't compell Apple to stop producing such devices, it can only
(arguably) compell them to undermine devices if it's within their reach.
(IANAL so please call me out if I'm wrong about that.)

I suspect it's about PR, because when they lose they can throw their hands up
and the news pundits will scream about terrorists winning in our courts.
Washington will then push their backdoor legislation that they've been asking
for over the past few months.

Legal precedent isn't what they're after, IMHO. The legal precedent that would
be set wouldn't be applicable to where things are headed. They're looking for
public appeal.

------
jondubois
What's wrong with the letting the government get access to the phones of a few
potential criminals/terrorists?! I don't get what all the fuss is about.

I don't fully trust the government, but I trust it far more than I trust
Apple.

Sometimes I feel like the whole Snowden thing is just an excuse for big
corporations to keep all their data and analytics practices to themselves
outside of the scrutiny of the government. Since when did the government
become the enemy? There is something really twisted happening behind the
scenes here.

Big corporations are manipulating us into thinking that the government is not
to be trusted. But think about it; the government doesn't care about making a
profit.

Without the government, the masses have no voice. I would gladly help society
and let the government look through my phone if it will help prosecute a
criminal.

~~~
froo
It's not about the government getting access to a tool like this, Apple
specifically doesn't want to create a tool that can easily defeat its own
security, to then hand over to the FBI. The government has, on numerous
occasions, shown it has some pretty horrible practises in securing
information, and this kind of tool being let out into the wild is bad for For
everyone (not just Apple).

Why risk opening that Pandora's box? If the tool doesn't exist, it can't be
exploited by bad actors

~~~
jondubois
What tool? Apple can just give the government the private key for that
specific phone. Done.

Everyone else is still safe. Safer, I might add. So long as there is a clear
process for the government to get access to specific keys for specific phones.

If Apple is CAPABLE of building such a tool (and use it for themselves), then
I think the government should have access to it too.

~~~
snowwrestler
Apple does not have the key for that phone. No one does.

What the FBI is asking Apple to do is write software that will turn off the
"wipe after 10 wrong passcodes" feature of iOS, so that the passcode can be
brute-forced.

Setting aside the government's interest in such a tool, imagine the interest
from hackers.

Consider that in 2011, someone hacked into RSA to steal info about their
tokens, _just so that they could then hack in Lockheed to steal top-secet
info._

Now imagine someone hacks into Apple (very possible to happen) and steals the
security-defeating software code to install on other iPhones.

~~~
jondubois
If what you say is true, then I agree with you.

Though I find it hard to believe that Apple doesn't already keep some sort
key(s) to unlock individual phones or to turn off this "wipe after 10 wrong
passcodes" feature.

Facebook (and pretty much every other internet company on earth) keeps
password hashes and salts in their databases - So in theory, the government
could already brute force the vast majority of our personal data from these
websites.

At least with a phone, the government has to physically get a hold of it in
order to brute force the phone and read the data.

~~~
snowwrestler
No need to brute force Facebook or most other hosted services, because very
few of them store user data encrypted at rest.

Passwords control access to features of the web application, but employees of
the company can just go around that and get the data off the server directly.

iPhones running iOS 8 or higher are different--they _do_ encrypt data at rest,
and create the key by combining device-specific info with the passcode that
the user creates. So without that passcode, no chance to decrypt without brute
forcing.

