
Signaling Post-Snowden Era, New iPhone Locks Out N.S.A - resdirector
http://www.nytimes.com/2014/09/27/technology/iphone-locks-out-the-nsa-signaling-a-post-snowden-era-.html?google_editors_picks=true&_r=0
======
silentOpen
FTA:

    
    
      At a news conference on Thursday devoted largely to
      combating terror threats from the Islamic State,
      Mr. Comey said, “What concerns me about this is companies
      marketing something expressly to allow people to hold
      themselves beyond the law.”
    

The state and the law are separate entities, Mr. Comey. It concerns me that,
in your mind, you have conflated the power of the state with the normativity
of the law.

In the twentieth century, the modern state gained the power to destroy all
life on Earth. In the twenty-first century, the modern state _and_ the modern
citizen gained the power of private machine-assisted telepathy, memory, and
computation. The state and its avatars must recognize that it cannot and must
not have the ability to exercise absolute power over citizen's thoughts,
computations, and communications if it wishes to foster a healthy and free
society.

~~~
hahainternet
> The state and its avatars must recognize that it cannot and must not have
> the ability to exercise absolute power over citizen's thoughts,
> computations, and communications if it wishes to foster a healthy and free
> society

This sounds lovely, except it's just absolute nonsense. For many thousands of
years states have maintained the power to restrict citizens communications and
almost since the invention of the telegraph they have been able to be
monitored in some form. Despite this we are freer than ever.

Healthy and free societies are not built upon a base of unlimited freedom,
that is all but anarchy.

~~~
Zigurd
We are not freer than ever. The ability to make fundamental change in our
political systems is more contained to a narrow and doomed range near the
status quo than ever.

"Anarchy." You keep using that word. You are equating the potential for
absolute privacy in communication with "anarchy." Do you have an explanation
for how that is the vanguard of anarchy?

Freedom: Supposedly enlightened places like the US are governed under a system
where the rights of individuals are assumed to be open-ended and expanding as
new technologies enable more freedom travel, communicate, etc., and the powers
of government are fenced-in until the people consent to extend those powers.

~~~
scarmig
It is an interesting and revealing quirk, though, to equate privacy with the
abolishment of the State.

------
huhtenberg
The most important takeaway of the "post-Snowden Era" is that both companies
and the government lie.

Apple now is in the damage control mode, trying to undo the massive
credibility hit dealt by Snowden revelations. But since they were in bed with
the NSA for several years prior, I _really_ doubt they have an option of
divorce. If they were strong-armed into cooperation before, it'd be foolish to
assume that they can get out of it on such a flimsy technicality as a in-
device encryption. So what's likely to be happening is that Apple started
encrypting, the state started saying "Oh, noes! It's unbreakable. Buy American
again." and behind the scenes they still cooperate in a less in-your-face
fashion. Something as simple as initializing PRNG on the device in a
predictable manner - piece of cake to do, very hard to detect, but exploitable
on the spot with a bit of foreknowledge. Where there's a will, there's a way.
And the will _is_ there.

~~~
lukeqsee
> both companies and the government lie

And it's impossible for a 'normal' citizen to have an idea if and when they
are. We simply have no clue or expertise to possibly pick apart statements
made and then verify them—as you said in regards to initializing PRNGs. For
example, most in the technical communities have no idea how PRNGs work, let
alone how to test if they are true. I know I don't.

------
praptak
Well dudes, you screwed it up for yourselves with illegal wiretapping, the
perhaps legal but still outrageous secret court orders and the attitude you
presented when all this came to light. Fuck you.

~~~
Ntrails
_" I'd hate to have people look at me and say, 'Well how come you can't save
this kid?' 'How come you can't do this thing?'" said Mr Comey in a briefing._
[1]

A separate article on the same sort of thing. But, I can't help but laugh at
how the instant canned response from the FBI was "WON'T SOMEONE THINK OF THE
CHILDREN".

It's pathetic, even more so because it keeps working.

[1]
[http://www.bbc.co.uk/news/technology-29378172](http://www.bbc.co.uk/news/technology-29378172)

~~~
mcintyre1994
> “Apple will become the phone of choice for the pedophile,” said John J.
> Escalante, chief of detectives for Chicago’s police department. “The average
> pedophile at this point is probably thinking, I’ve got to get an Apple
> phone.”

[http://www.washingtonpost.com/business/technology/2014/09/25...](http://www.washingtonpost.com/business/technology/2014/09/25/68c4e08e-4344-11e4-9a15-137aa0153527_story.html)

This one's even more pathetically blatant.

~~~
hahainternet
You mean accurate right, because it's accurate.

~~~
hahainternet
> It is as if the communication couldn't be monitored. It's not like the phone
> conjures the images from thin air

You just contradicted yourself. If the communication can't be monitored, then
the phone may as well be conjuring images from the air as you have no way to
know what they are, where they come from, where they are being sent.

------
krija
This makes me extraordinarily happy, perhaps this is the first major step in
the struggle against government spying on innocent citizens?

On another note, is anyone disturbed by how even the idea of people being able
to store their private data securely being seen as inherently criminal by high
level officials? What does that say about these people in power, they
literally view your right to privacy as dangerous. Sickening.

~~~
hahainternet
> What does that say about these people in power, they literally view your
> right to privacy as dangerous. Sickening

Your right to privacy is dangerous. Imagine trying to investigate a murder
with unlimited privacy. Unless someone saw the killer kill, you've no chance.

~~~
vermontdevil
Yeah we have always caught killers over the years solely on the basis on
electronic spying. Forget about all the other tools of detective work that has
been used.

~~~
hahainternet
That's a complete strawman you've pulled on me there. I never said anything
like that.

------
kaffeinecoma

      The new security in iOS 8 protects information stored on 
      the device itself, but not data stored on iCloud, Apple’s 
      cloud service. So Apple will still be able to obtain some 
      customer information stored on iCloud in response to 
      government requests.
    

Some? I think the importance of this qualification has been overlooked
everywhere it's been reported.

~~~
mhurron
It has been reported everywhere I've seen it. It's pretty clear that it means
Apple will be able to give information that you have let them give by storing
it on iCloud.

~~~
tombrossman
The message seems to be that Apple are 'locking out the NSA' which is nonsense
of course, but both may be counting on the fact that a typical consumer won't
really look too closely at the claim. Their takeaway is that Apple's phones
are perceived to be safer.

Apple gets to sell more phones due to this perception, the FBI get to continue
hoovering (no pun intended) up iPhone user's data, and everyone goes home
happy. It seems to be a manufactured controversy, with Apple & the FBI both
playing their parts and knowing full well the rules of the game haven't
changed one bit.

------
flavor8
> Breaking the code, according to an Apple technical guide, could take “more
> than 5 1/2 years to try all combinations of a six-character alphanumeric
> passcode with lowercase letters and numbers.” (Computer security experts
> question that figure, because Apple does not fully realize how quickly the
> N.S.A. supercomputers can crack codes.)

Uh, what? Surely the journalist has missed an important technical detail here,
right?

[https://www.grc.com/haystack.htm](https://www.grc.com/haystack.htm)

~~~
sopooneo
I had the same thought. If we allow upper, lower, and digits, that's 26+26+10
= 62 possible characters per space. With six spaces, that gives 62^6 =
56,800,235,584 possible passwords.

Now if we take their figure of 5.5 years to crack a phone's files and divide,
we get 327 seconds (more than _5 minutes_ ) per password they check.

Something is off, though perhaps it's my math so please do double check it for
me.

Edit: Argggg. Good corrections. My main problem is that I did my final
division in the wrong direction. Fix that by taking a reciprocal: 1/327 =
0.003 seconds. And then correct that by a factor of 2 to assume they get each
password in half possible time: 0.003 * 2 = 0.006 or roughly 6 milliseconds.
Thanks for the quick check folks.

~~~
lozf
6 randomly selected characters out of the 62 available gives less than 36 bits
of entropy, which anyone with even a passing interest in any kind of
cryptography will instantly recognise as pretty poor.

This issue is compounded by the fact that humans are notoriously bad at
randomness. I really don't think many users will be typing the 22 random
characters required for just over 128 bits of entropy every time they want to
use their phone.

But maybe the 5.5 year figure includes the incrementally increasing delay that
Apple insert between tries after x wrong guesses -- assuming a manual brute
force, which is pretty much _not_ how it would play out in reality.

~~~
XorNot
In reality they lift your prints from the phone, fool the lock sensor, then
clone it to a new, bugged phone, and monitor all your communications.

But frankly, such scenarios are _not_ privacy concerns unless you're actually
trying to carry out crimes because at that point you've got a half-dozen or
more government agents assigned to personally follow you.

------
SnacksOnAPlane
If I were the NSA, I would publicly ream Apple about the fact that I can't
access the encrypted data on iPhones.

I would privately thank them for putting in another backdoor that actually
lets me read all the data I want from them.

It's a win-win. Apple gets to look like a privacy crusader. The NSA gets
access to all phones. And best of all, iPhone users get to believe that their
phone is unhackable, so they won't take the same precautions to hide their
illegal activities.

~~~
13throwaway
How about the FBI? [http://www.huffingtonpost.com/2014/09/25/james-comey-
apple-e...](http://www.huffingtonpost.com/2014/09/25/james-comey-apple-
encryption_n_5882874.html)

------
payne92
Using technology to protect constitutionally guaranteed liberties is hardly
"holding themselves beyond the law".

------
chernevik
James Comey, head of the FBI:

"The notion that someone would market a closet that could never be opened —
even if it involves a case involving a child kidnapper and a court order — to
me does not make any sense."

The whole point of our system is that this guy can be as ignorant and
disrespectful of our liberties as he likes, without actually endangering our
society.

Which isn't to say that attitudes like his won't do damage. Really we ought to
have officers -- in ALL stations of government -- with a far better
understanding than this. Who, exactly, appointed this guy?

~~~
rohansingh
The hilarious part about all this is that companies do market and sell closets
that cannot be forcibly opened. This product is commonly known as a safe.

~~~
XorNot
If you think a safe can't be opened by...practically any law enforcement
agency quickly, then I don't know what to tell you.

I could talk about safe-cracking as an art, but I'd direct you to go look up a
YouTube video a plasma cutter going through steel. The reality is most safes
you buy commercially can be broken in under 30 minutes by an experience
locksmith without such tools.

~~~
dTal
Safecracking aside, I imagine trying to forcibly compromise a decent safe
stands a decent chance of killing a child locked inside, particularly if you
reach straight for your plasma cutter.

------
droptableusers
You would have to be very gullible to believe this show, I would not be
surprised if this is done in cooperation with the government. They want you to
use propitiatory software and own personal surveillance devices such as phones
and Apple wants to sell your their product. They both would win from such a
scenario. I do not buy it, the least I can do for Snowden is to be very
skeptical.

~~~
dobbsbob
Police did the same dance with BlackBerry, they claimed to the media it was
impossible for them to spy on calls and texts but we all know now that was a
ruse to encourage criminals to use them. UK riots they had no problems handing
over decrypted messages to the police. The Datalocking company, who ran their
own BB Enterprise servers and peddled "unbreakable encryption" were remotely
accessed by the FBI and keys pulled, with the help of Blackberry themselves of
course. Any customs agent in the western world can plug a locked BB into a
little device they have that unlocks the screen immediately. Finspy/mobile
malware let's the police monitor communications in real time too (and iOS).

Samsung Android phones the proprietary modem can r,w /sdcard and /data unless
you either install Replicant or use some kind of permission controls like
SEAndroid to lock out modem.img access to everything. Apple likely has a
similar proprietary baseband with full remote control over the whole
application OS they can offer the FBI to quietly activate targeted spying.

------
0x0
Or is it a plot to fool users into thinking their secrets are safe on a phone
now?

~~~
unknownBits
Plot or not, it is naive to think your personal data is safe at a super
commercial company like Apple. I see it as the typical 'Apple' way of selling
things; pretending what they make is better, faster, more secure bla bla bla.
Apple targets a huge market of people not understanding technicalities, this
is a typical example.

------
kordless
> Mr. Comey said, “What concerns me about this is companies marketing
> something expressly to allow people to hold themselves beyond the law.”

This is a huge blanket blaming statement. Our intent can be protecting
someone's privacy without ever addressing their intent to do harm to another.
And, given the propensity of people who don't wish harm on others, I'm totally
OK in supporting and pushing for these types of protections in consumer goods.

If anyone has tried to go beyond the law here, it's the NSA.

------
csandreasen
I think the big issue here isn't that Apple is now encrypting iPhones. In
general, being able to secure the data on your phone is a huge benefit for the
average consumer. People lose their phones all of the time, and you have no
idea who is going to find your lost phone and what they're going to do with
the data on it. Given the amount of sensitive data people throw on their
phones without thinking, Apple is probably doing more to prevent petty crime
and identify theft by encrypting the data on iPhones.

The big issue as I see it, though, is that Apple isn't advertising this as a
means of protecting yourself from criminals. Instead, they advertised it as a
means of preventing Apple from complying with warrants. Warrants constitute an
violation of a person's privacy which is explicitly allowed in the
constitution. There's a good reason we have them, and a process that's been in
place for a few centuries to limit their abuse. More often than not, the bad
guy is not the federal government, and the public is served by allowing the
police to investigate specific individuals under reasonable suspicion with
specific limitations as authorized by the courts. If people have a problem
with the way warrants are issued or how the police carry out investigations,
they should seek to change that process, not try to circumvent them.

This isn't going to keep out the NSA. It only affects that data physically
residing on your phone, and when was the last time the NSA had your phone
physically in its possession? This likely isn't going to stop actual law
enforcement officials from getting access to the data on your phone. Unless
you're typing in a strong password every time you pull your phone out of your
pocket, the FBI will likely be able to brute force your phone to gather
evidence with little difficulty, providing the courts allow them to do so. On
that front, the only thing this has really accomplished is allowing Apple to
give the middle finger to the feds in an attempt to appease a customer base
who thinks the government is out to get them.

~~~
Zigurd
If you look at all the links on this thread to the moral panic various cops
have been goaded into spewing, it's not like they aren't doing their part to
make Apple's point.

~~~
csandreasen
The cops have a point. I don't think the actual encryption is as big a deal
now as people are making it out to be, but Apple is setting a precedent when
they say "we're doing this so we don't have to comply with warrants" instead
of saying "we're doing this to make our customers safer". Apple just sparked a
debate (as much as I hate that term). If the cops don't make a stink out of it
now and point out the necessity of warrants, things may likely get out of hand
somewhere down the road.

~~~
Zigurd
A few things about that:

1\. Warrants have never been a guarantee of a search producing evidence.

2\. It isn't Apple's data to hand over when a warrant is presented.

3\. Making strong and deniable encryption illegal for some classes of users
will make it highly desirable contraband.

4\. Producing cyphertext complies with a warrant if that is all you can
access.

------
downandout
It's the government's fault that this is a feature that companies would a)
build and b) market as a key feature. The public finds this attractive because
of their nefarious activities. We reap what we sow.

The benefits of being able to crack phones quickly in the few cases where it
is in the public interest to do so do not outweigh the harm that would be done
to the public if it were possible. Further, the types of people that really
want to harm us are using third party or custom tools that encrypt everything
anyway.

The feds and local police will lose a few more low-level drug cases, and maybe
a few insider trading cases, due to Apple's security enhancements. I'm OK with
that.

------
ipsin
So what are the actual rate limits on unlock code discovery?

If you're typing in passwords, it might take a while.

If you've disassembled and imaged the storage device, and have physical access
to the hardware security module (HSM), does that improve your rate or ability
to parallelize?

I've been a little annoyed at how the FBI (for itself and again as proxy for
the NSA) is playing helpless, as if the Director of the NSA or FBI is going to
be stuck tapping unlock codes into a suspect's phone while the countdown timer
on a 100 mega-pedophile nuke ticks down, somewhere in The City.

------
chmaynard
Apple's position here is that my private iPhone data belongs to me. If the
government suspects me of criminal behavior, the search warrant should be
directed at me, not Apple. I'm not a lawyer, but I think this makes perfect
sense.

The next logical step is for Apple to encrypt my private iCloud data as well,
and protect it from anyone except me (not sure if the technology exists to do
this yet.)

------
Fundlab
Locking out intrusion is a huge value proposal for cellular manufacturers. I
wonder why encrypted conversations are not already norm.

~~~
privong
> Locking out intrusion is a huge value proposal for cellular manufacturers.

Is it though? The implementation can be tricky to get right, building it in
takes resources, and (perhaps until recently) most consumers do not seem to
value that kind of safeguard for their communications. Enabling encryptoed
encrypted increases the cost to the manufacturer, all for something that most
people did not think was important (before there was strong evidence that
there was a lot of warrantless wiretapping going on).

------
PeterBarrett
A 6 letter alphanumeric password, do they think people use old laptops to
generate the possible passwords?! It should be at least 128 or 256 if they're
being serious about security and preferably much much longer than that.

~~~
ionwake
Is it possible to brute force this? Using quantum computers?

~~~
higherpurpose
I don't think you need quantum computers to bruteforce a 6-letter password.

------
rgrieselhuber
This is just theatre.

------
spacefight
Yea right, PRISM has been forgotten already...

------
conover
"even legal surveillance"

------
1457389
>“We’re using a locker that actually has a combination on it, and if you don’t
know the combination, then you can’t get inside. Unless you take a
sledgehammer to the locker, there’s no way we get to the files.” ~Jonathan
Zdziarski, a security researcher who has taught forensics courses to law
enforcement agencies on collecting data from iPhones,

These people literally think on the level of schoolyard bullies.

~~~
ghshephard
Are you referring to Apple who is locking investigators out of phones, or
Investigators for trying to track down evidence of crimes?

"These people literally think on the level of schoolyard bullies." \- That
statement could go either way.

~~~
adam12
It sounds like he/she is referring the the investigators who are saying that
the only way to unlock the phones is to beat the hell out of the person who
knows the password.

~~~
csandreasen
He said beat the hell out of the _locker_ , not the person. In this case I'd
interpret his analogy to be a reference to brute force decryption.

