
Apple VP: The FBI wants to roll back safeguards that keep us ahead of criminals - ropiku
https://www.washingtonpost.com/opinions/apple-vp-the-fbi-wants-to-roll-back-safeguards-that-keep-us-a-step-ahead-of-criminals/2016/03/06/cceb0622-e3d1-11e5-a6f3-21ccdbc5f74e_story.html
======
rdtsc
This is what good PR looks like.

In cases like this it is always FBI and the govt. which usually have the PR
upper hand. They wait to find a most abhorent crime that nobody sane would
want to defend (terrorism seems to work well today) and use that as an
example. "Oh look everyone, Apple doesn't want to fight terrorism. We are
keeping people safe and what side are they on?". It is almost too easy.

Fighting that is an uphill battle. One can present the technical details
("They could have cracked that particular model themselves") or appeal to more
general ideals of freedom and privacy etc. Those typically are not as
effective in convincing the average joe out there when the other side uses the
"T" word.

But here they are playing the same card as FBI -- using a crime that most
people can fear -- their phone getting stolen, their identity used. Everyone
has heard stories, has friends at least who this happened to and so on. So it
works well. Terrorism is more scary, but this is more real. Great work.

~~~
studentrob
Good PR, and also grounded in truth. If the DOJ understood the technology and
implications of what they were requesting then they would not ask for it.
Literally every person who speaks out against Apple begins with "I'm not a
tech expert, but I know our world is going to be different if we can't get
warranted access to criminals' phones". They completely fail to see how the
private tech sector has fought for public safety. Comey said,

 _They [Apple] sell phones, they don 't sell civil liberties, they don't sell
public safety, that's our business to worry about._ [1]

[https://youtu.be/g1GgnbN9oNw?t=3h16m18s](https://youtu.be/g1GgnbN9oNw?t=3h16m18s)

~~~
empressplay
Their "truth" is a little sketchy. Their argument is essentially "you can't
trust us to protect this software if we make it, and if we failed to keep it
out of criminals hands you could be harmed by it". Phrased that way it doesn't
really sound all that great.

~~~
studentrob
That is FBI director Comey's statement, not Apple's. Comey says,

 _Apple is highly professional in protecting its own innovation, its own
information_ [1]

Comey even articulates Apple's position clearly,

 _Apple 's argument, I think will be, that's not reasonable because there are
risks around that. Even though we're good at this, it could still get away
from us. And the judge will have to figure that out_ [1]

So Comey claims Apple is very good at technical stuff and so they must have a
way to keep this software secure. Yet at the same time he claims we should not
believe Apple when Apple says this backdoor would weaken everyone's security.
On one hand he is saying we should believe in Apple's technology expertise,
and on the other hand he is saying we should not. Well, given that Comey is
self-admittedly not knowledgeable about technology, and given that many other
tech companies and independent tech experts have stood up to support Apple,
it's clear to me who to trust on this issue about tech security.

Apple has demonstrated their commitment to safety by improving the iPhone's
security with successive iterations of software and hardware. The FBI has
demonstrated their deep desire to gain guaranteed backdoor entry to devices
for over a year, yet claim this case is only about one phone. Apple's track
record and rhetoric are much more consistent and trustworthy than the FBI's.

[1]
[https://youtu.be/g1GgnbN9oNw?t=2h44m](https://youtu.be/g1GgnbN9oNw?t=2h44m)

------
clhodapp
What do we think the likelihood is that at least some of the three-letter
agencies already have the capability to get into a locked iPhone (likely their
method would be based on some sort of baseband vulnerability) and this whole
thing is simply a bid to gain the ability to _openly_ unlock these phones?

~~~
542458
Baseband vuln seems likely. Additionally, I've always wondered if the NSA or
the like could just decap and read out data (IE: the passcode hash) from the
chips. Then again, I'm not a computer engineer and don't really know anything
about the physics of all this!

EDIT: This paper [1] seems to document such an attack, decapping the chip and
reading the memory cells using lasers (although the details are over my head).

[1]:
[https://www.cl.cam.ac.uk/~rja14/Papers/SISW02.pdf](https://www.cl.cam.ac.uk/~rja14/Papers/SISW02.pdf)

~~~
matt_wulfeck
I think most of us are fine with the government being able to decap our phones
and steal data, or at least try. I'm fine with that because It cost money and
time and would be difficult for them to do in a massive, dragnet style
operation.

The idea is once they have the phone they can do whatever they want with it,
but they can't go to a manufacturer and force them to weaken the security of
_all_ phones because they don't want to do any work.

~~~
542458
Yeah, I'm completely fine with that as well - I'm happy to see the NSA do
computer-security stuff that isn't this dystopian "monitor everybody all the
time" nonsense.

------
kriro
It seems Apple is committed. As strange as it may sound, I wonder how that
will influence recruiting. Apple was never really on my radar as an employer
(silly as it may be I still categorize them in the "hipster and annoying apple
store" bin). Their recent "hardline" regarding privacy has made them a nudge
more attractive. And that's despite me usually favoring non-proprietary stuff
for everything if possible.

Strange to catch yourself in these thoughts but the narrative seems to work.

~~~
bryanrasmussen
I wonder if people declared they would rather quit than work on the backdoor
project if that would be an undue burden on the company.

~~~
studentrob
That's a scary possibility, but very far in the future. There will be appeals
regardless of how the district-court judge rules.

An attorney for the ACLU says, "The absolute earliest the case could reach the
Supreme Court would be at least _two years_." [1]

[1] [http://www.usnews.com/news/articles/2016-03-04/apple-and-
the...](http://www.usnews.com/news/articles/2016-03-04/apple-and-the-fbi-what-
happens-next)

------
jkyle
While I find security fascinating I would not consider myself expert in the
low level implementation details or hard limitations of these specific
systems.

Perhaps someone more knowledgable could clarify, but....

Isn't the entire point of good security that I don't have to "trust" Apple to
do the right thing? Shouldn't it be impossible for them to do the wrong thing?

For example, if I encrypt my phone with my key and set it to secure delete
after so many failures how could Apple circumvent this in a truly secure
system? Shouldn't they not be able to push an update without my permission?
Permission that can't be given because the phone can't be unencrypted?

So the fact that Apple _can_ circumvent the encryption of they want is an
indication of a vulnerable system?

~~~
predakanga
You're right in that the system is vulnerable, but this doesn't mean that it's
not "secure" in practical terms.

One could argue that the phone is secure because even Apple has no way of
recovering your passcode, nor do they have a master key that might give access
to your data. That's fairly secure.

On the other hand, the system is insecure because it can have updates applied
(which is what the FBI wants Apple to do) without requiring user consent, only
physical access.

Imagine that updates required a user to put in their passcode, or otherwise
wiped all the encrypted data; it would be _more_ secure, but is that enough?
Theoretically, there are still ways of getting at the data - someone might
find a bug in the software, or they might physically crack open the CPU to get
at a piece of needed data.

Security is always a balance - we want to trust Apple as little as possible,
but I know of no way to create an invulnerable system.

~~~
greggman
I'm probably just not remembering it correctly but I know of no way to apply
updates to a locked iPhone. Even when unlocked if you plug it into a new
computer the phone will ask if you trust the new computer. Is there some
method of updating the phone when it's locked I'm unaware of?

~~~
nicky0
I think it's some kind of device recovery mode designed to recover from
"bricked device" situations. It's not the same method that you use when
updating via iTunes.

~~~
predakanga
Aye, it's called Device Firmware Upgrade (or DFU) mode, and it's specifically
mentioned in the FBI's request:

> "The SIF will be loaded via Device Firmware Upgrade (“DFU”) mode, recovery
> mode, or other applicable mode available to the FBI."

------
mirimir
Are the FBI "criminals", when they're breaking the law?

~~~
niels_olson
Officers of the government can absolutely be charged with crimes.

~~~
mirimir
Sure. But that doesn't happen very often. Or often enough to make much
difference, anyway.

Sometimes the NSA feeds information to the FBI, DEA, etc, etc. Recipients do
parallel construction. And then lie to courts about it. Which is perjury. How
often does that get revealed?

Have any prosecutions resulted from widely practiced perjury about obfuscated
stingray use? That behavior is common knowledge, no?

~~~
st3v3r
"Sometimes the NSA feeds information to the FBI, DEA, etc, etc. Recipients do
parallel construction. And then lie to courts about it. Which is perjury. How
often does that get revealed?"

Well, first you'd have to have evidence that such a thing happened.

~~~
pdkl95
[https://www.documentcloud.org/documents/1011382-responsive-d...](https://www.documentcloud.org/documents/1011382-responsive-
documents.html)

That evidence is widely available. If you want more, just search for it. This
training manual should get you started.

~~~
mirimir
Thanks. I remember reading that. Pretty plainly stated.

------
valine
"They have suggested that the safeguards of iOS 7 were good enough and that we
should simply go back to the security standards of 2013." This is interesting.
Perhaps instead of requesting a custom version of iOS with specific
vulnerabilities, the FBI should simply request a signed version of iOS 7.0.
They could use existing vulnerabilities to gain access to the phone, without
placing an undue burden on Apple.

~~~
msbarnett
No. Among other things, the order the FBI sought requires Apple to build a
_RAM only_ version of iOS.

Anything that requires reflashing the phone, or that writes log files at boot
or alters as much as a single bit on the phone is a no-go from an evidentiary
standpoint.

Edit: but anyway, iOS 7 has no understanding of the encrypted format
introduced in iOS 8

~~~
astrange
File encryption was introduced with iOS 3.0.

[https://support.apple.com/en-us/HT202064](https://support.apple.com/en-
us/HT202064)

------
malandrew
Simply put "The FBI and other law enforcement agents want to make it easier
for many criminals to commit many new crimes for the sake of solving a few
crimes already committed"

Basically, the FBI's actions are tantamount to being accomplish to every crime
they enable if they succeed in forcing us to make the iPhone knowingly
vulnerable to law enforcement and criminals alike.

------
merpnderp
Would be funny (by funny I mean sad) if Apple gives them the new hacked ios
build and the password turns out to be something like
'NYOEC"T80BkLYExMU7JYWaz&P}dtMBR', ie they can't ever brute force it.

------
lucio
if you can access it, a determined criminal with a $5 wrench can too.

[https://xkcd.com/538/](https://xkcd.com/538/)

~~~
matt_wulfeck
Not when they're dead, which is the case of syed farook.

~~~
venomsnake
Well Tim Cook is alive and well and has Apple signing keys.

------
geographomics
The backdoor is already present, through Apple's design. The FBI are just
requesting to use it.

~~~
legulere
If I get it right you're calling update functionality a backdoor?

~~~
geographomics
The way it is currently implemented, by which Apple can - if in physical
possession of the device - unilaterally force new firmware onto it without the
consent of the user, yes.

------
matt_wulfeck
> The encryption technology built into today’s iPhone represents the best data
> security available to consumers.

I appreciate Apple's willingness to fight, but this article could have
benefited from less bragging PR talk and a little more humility. If the issue
really is larger than Apple (and they are claiming it is) then we don't need
this kind of messaging.

The message is that being forced to create a backdoor is bad for everyone, and
they're doing it to Apple today but they'll do it for everyone else tomorrow.

~~~
shawn-furyan
I don't agree with the complaint.

I would be much happier if more companies actually tried on security, competed
on that vector and then bragged to high heaven about their successes. Usually
when you hear a company touting it's security, it's snake oil. The companies
who are actually putting forth a solid effort to compete on security, and I
think Apple has a reasonable claim that they are one of these companies (even
if there are nits to pick), have my blessing to brag as much as they can about
it. I'm talking multimillion dollar ad campaigns touting their (actual)
security advantages versus competitors. Have at it. Donald Trump style. Go
wild!

edit: grammar

~~~
Swannie
Sadly, humans are flawed.

Any company that "bragged to high heaven about their successes" with security
are setting themselves up to fail. As the old saying goes, "pride comes before
a fall".

Not saying that Apple aren't doing a good job. Just saying, bragging and
actively trying to differentiate, followed by a major security flaw, is a good
way to lose trust.

------
jgalt212
There's gotta be a way for Apple to deliver the FBI the data they want without
compromising every iPhone user.

And if Apple doesn't find a way, you can sure bet the NSA will work harder on
its efforts to break the iPhone in the general case.

~~~
SeanBoocock
They can. The arguments are over whether the FBI has the legal standing to
compel Apple to create code to do that, and what precedent, legal or
otherwise, it sets for similar cases.

~~~
jgalt212
Can the FBI compel a bank to open a safe deposit box? Can a bank be compelled
to identify the names on a numbered account?

If they can, then Apple can be compelled to deliver the goods on these
terrorists. If not, then no.

I really don't see this issue as all that complex.

~~~
calgoo
Its more like: Can the FBI compel a safe deposit box maker to add a master key
to all boxes so that they can open one when they need too.

~~~
lern_too_spel
It's more like if the safe deposit maker already has a master key that is
harder to use than a normal key but can still open the safe in a day, can a
judge compel the safe deposit maker to use that key on the FBI's behalf?

~~~
lygaret
Even that example's not quite right; it's the judge compelling the safe
deposit maker to _give_ the key to the FBI, such that they can use it in
perpetuity.

~~~
empressplay
The order explicitly states Apple will keep possession of the modified
software at all times. Nobody would be "giving the key" to the FBI.

------
empressplay
I have sympathy for Apple's position but when they resort to hyperbole they
seriously undermine that goodwill.

The "if we make this software, criminals will get their hands on it" argument
is absurd. Does Apple have no faith in their own security? The FBI has at no
point suggested the modified firmware would ever leave Apple's possession.

Does Apple have a problem with theft of internal code that I am not aware of?

Further, I'm just waiting for someone to transpose the argument, for example:
"Apple says guns shouldn't be manufactured for any reason because they could
kill someone" or "Apple says cars are unsafe and should be banned because
people are killed in accidents."

 _facepalm_

EDIT: Behaving like a bad actor even if you believe your cause is just still
makes you a bad actor, albeit one with good intentions. If they want to win
the argument they should stick to realistic positions and leave the manure
shovelling to "those other people".

~~~
Tempest1981
> Does Apple have a problem with theft of internal code that I am not aware
> of?

It only takes one disgruntled employee, or one security slip, and 100-500
million users are compromised. Not a risk I'm comfortable with.

You're requiring them to be perfect. But humans are involved.

~~~
tomschlick
Yeah for this level of a crack, you're talking about the CIA/NSA (not to
mention other countries) embedding people as spies inside of Apple to
'acquire' the hacked version. Illegal as shit but they would do it anyway.

~~~
TillE
No, it only requires finding one current employee willing to take a bribe, or
perhaps be blackmailed.

