The US Government has no credibility to compel anybody to weaken security (easydns.org)
313 points by StuntPope on Feb 22, 2016 | 147 comments



This is exactly how I feel about this. There would be an actual interesting debate to be had about the powers of the state versus corporations versus the rights of individuals to perfect end-to-end encryption if the state hadn't been using warrantless wiretaps and National Security Letters for the last 15 years. As it is, the state has shown it can't be trusted with that power.


It's an old debate, and I think it can be summed up in a single sentence:

Government would be awesome if it worked right

I would give the FBI everything if I trusted them. A monarchy/dictatorship would be most efficient if there were a way to guarantee a good monarch/benevolent dictator.


Madison said it best:

> If men were angels, no government would be necessary. If angels were to govern men, neither external nor internal controls on government would be necessary.


People are bad, therefore we need a government made up of people who are bad...


Well, yes. If you are bad, you want what's best for yourself. But if you know that the other guy is bad, then you know he wants what's best for himself. So you set up the rules of the game to ensure that he can't get what he wants without you also getting what you want.

See the prisoner's dilemma. If both people are bad, they will have the worst outcome. If either of them thinks the other is bad, then they will also be bad in order to protect themselves. So the best outcome (you are bad, and they are good) is impossible, because they know you're bad and will be bad themselves.

So two bad people have a good reason to write a law preventing them both from being bad, because that's the best outcome they can get for themselves.


That is assuming rational self interested actors and equal cost/benefit. We don't need to look very hard to find examples of irrationality and imbalanced incentives. Also, how many times have you been exhorted to act against your own interests and think of the children? The road to hell is paved with good intentions.


If these objections that you are raising were wrong, then we would live in a utopia. You're right that people fall short, but I think the point still stands that checks and balances can help overcome human unreliability, even if every human involved is unreliable. Just look at democratic institutions without checks and balances.


I'm actually a big fan of the competing interests concept, it is a very eloquent solution. Where it goes off the rails though is the combination of that concept and the involuntary surrender of individual sovereignty to the very same people with whom your interests compete.


People are not perfect and that is why we need a government made up of people accountable to all people.


So that they can imperfectly be held accountable by all imperfect people. Now let us find a nice foundation of sand to build a castle on.


If you're going to debate this, at least read Federalist 51.

The whole point of checks and balances is to get good results from imperfect people. You can use the ambitions of one individual or group to hold the ambitions of another group in check.

I feel like you're just trying to be snarky and/or gratuitously negative though.


Oh I remember my high school civics lessons, but I then went on to study game theory. Consider the incentive imbalance: if it costs me 10k hours to legislatively get one penny from every citizen, and the same number of hours are required to frustrate my attempt - guess who has the greater incentive.


Checks and balances are fine in theory. In practice, the executive and judiciary are overpowered. Judicial review quickly becomes judicial activism. Executive orders are a unilateral get-out-of-checks-and-balances-free card in many cases, lamentations of scholars notwithstanding. Additionally, there is no proper "federalism" so to speak of. It's a marble cake federalism of various entangled relationships and procurements between federal, state and private institutions with disparate enforcement and contractual obligations.

Americans have deified their Founding Fathers to such an absurd extent that they seem to be unable to think critically. That maybe Hamilton and Madison were engaging in wishful thinking. That maybe the anti-federalists were right. That maybe Henry Clay's American System and his antecedent in Hamilton largely botched the ideal separation-of-powers republic from the beginning.


> Executive orders are a unilateral get-out-of-checks-and-balances-free card in many cases

If congress wants to, they can overturn most of the executive orders by passing a law. It's not like those are magical powers.


Assuming they can get past the veto-2/3 majority dance. It also strongly depends on the nature of the EO. Major economic restructurings have been struck down before, though usually by judicial review. Military deployments, most infamously WWII-era internment, are less likely to be challenged - especially if they're perceived as "ephemeral" irrespective of consequences.


And congress isn't overpowered because it just makes laws and authorizes spending?


Reasonable results that allowed most people to go about their lives unmolested from imperfect people. I don't think they imagined "good results".


> The whole point of checks and balances is to get good results from imperfect people.

Granted, it uses an imperfect system of consensus to "do" this right now.


Well, better throw that Von Neumann architecture in the TRASH then.


I could rip a piece of paper with my bare hands. Give me 300 million pieces of paper sandwiched together and I couldn't.


But they burn quite well.


Actually stacks, sheets, or bindings of paper are extremely difficult to burn compared to individual sheets.


Stacks burn, but not as energetically as a single sheet with a high surface area to volume ratio. The stack might just smolder for 229 years, because the flame resistant treatment turned out to only be flame retardant. Something something Alien and Sedition Acts... this metaphor cannot be tortured any further.



Unfortunately all we have is sand.


By that logic, politicians need to be the worst of all people; compulsively lying, corrupt, scheming, psychopathic, sociopathic paedophiles.

Oh wait....


It's not just trusting the organisation as a single unit - but every single hire they ever have or will make.

Pissed off FBI agent taps his wife's cellphone? Probably has happened and will again.


Happened with the NSA, it's appropriately called, "LOVEINT":

https://www.washingtonpost.com/news/the-switch/wp/2013/08/24...

Note that most of the instances that the NSA "found" were self-reported.


It's actually amazing to me how fast the abuses happened, and how many of them.

I figured it would be a typical program, starting out with good intentions, but slowly deteriorating as people who care are replaced.

But no, any capability they were given was abused almost immediately.


It's not whether the people care. It's whether they're willing to abuse power. And the people the program started with are just as likely to be willing to abuse power as the ones who replace them are.


> using warrantless wiretaps and National Security Letters for the last 15 years.

15 years? It was going on long long before 9/11. Google "Echelon". If you want to get really oldschool, Google "cabinet noir".


I am of course aware of Echelon. But it was designed around the limitations imposed by law. You've got to admit that the implementation of such eavesdropping since 9/11 is a huge difference.


This is the debate that needs to take place. How do we restore trust? Checks and balances are meant to prevent abuse of power, but they have been removed from the equation. Oversight by the judicial branch has been perverted with "top-secret" courts and the ability of the legislative branch to correct the abuse has been scuttled by the lack of transparency.


I generally advocate for a citizen's veto amendment, where any citizen can initiate a petition to veto legislation that will trigger a second and binding referendum if there are enough preliminary signatures.

It's one thing to vote for the right people, it's something else to expect representatives to do what you want when everyone in Washington is brought there by the money and power of someone else.


> I generally advocate for a citizen's veto amendment, where any citizen can initiate a petition to veto legislation that will trigger a second and binding referendum if there are enough preliminary signatures.

Many US states have this kind of referendum provision (notably, given the disproportionate Silicon Valley representation on HN, California.) I don't detect substantially greater trust for government in the states with it than is the case elsewhere or with the federal government, and it is, itself, a frequent influence point for special interest money.


If the State's power is derived from the consent of the governed, then a lack of political participation on the part of the governed should be considered a vote of no confidence. This would solve the problem of imbalanced lobbying incentive, government overreach following tragedy, etc. Most importantly it would solve the moral problem that Thomas Jefferson pointed out: "The question whether one generation of men has a right to bind another..."

As it stands now, we have a garbage collected memory allocator with no reclamation function.


This is the key issue in this entire debate:

    [T]he Government has ... violated the trust of the American people [and] broken
    the law themselves by already conducting wholesale surveillance of the citizenry
    ...
    Thus, the number one issue, the issue that should preempt all other issues,
    is how the government regains its credibility and re-establishes trust.

Far too many people - even here on HN - are talking about the government's order to Apple in isolation. The common arguments by the government and its supporters are based on the assumption that any action taken would be limited to the current situation.

Except this isn't an isolated situation. The government has been fighting against the free use of encryption for decades. Saying the order given to Apple is limited to this single case is practically admitting ignorance (willful or not) about:

* The investigation of Phil Zimmermann and the export of PGP as a "munition"

* Bernstein v. United States

* The Clipper Chip (Skipjack) and other key escrow systems of the first crypto war

* "Total Information Awareness" (w/ John Poindexter of the Iran–Contra affair)

* The beam splitter in room 641A of AT&T's facility at 611 Folsom St.

* The illegalities brought to light by Daniel Ellsberg, William Binney, Thomas Drake, Edward Snowden, and other patriots that kept their oath to defend the constitution.

* How many public security standards were ruined as part of BULLRUN and related programs.

* The recently-discovered use of "Stingray" devices ("IMSI-catchers") by the FBI.

* (I'll just stop here - there are many other examples that should be included)

These actions clearly show a pattern of trying to gain backdoor access or other surveillance capabilities. Yet some people suggest - usually without any evidence - that the government should be trusted. What, specifically, has the government been doing in the area of communication security that has justified any amount of trust? Actions are more important than promises.

It would be nice if this wasn't such an adversarial relationship. Unfortunately, this cold civil war we are in where the government is treating everyone as a potential criminal by default doesn't leave us with a lot of options. Until we see real actions that regain some amount of the public's trust, the rational approach has to be to not trust the government at all. To do otherwise is either ignorance of history or blind faith that the government never lies.


Don't forget CALEA[1], which is done in plain sight: Telcos don't have the ability to build infrastructure that could frustrate law enforcement's attempts to listen. They were so used to the state of affairs where they could listen to conversations that it was legally mandated that technology cater to their tastes at the expense of privacy and security.

[1]: https://en.wikipedia.org/wiki/Communications_Assistance_for_...


The government absolutely should not be trusted. That's why Apple shouldn't give them a skeleton key to get into any phone, just the legally compelled access for this specific phone. Apple can make that happen trivially. If the government was telling Apple to make an actual backdoor for any phone, this would be different.

Nobody (except the most unreasonable) has any problem with the FBI searching property when they have a legal warrant. That's what is happening here. It's the equivalent of asking a manager to open a storage unit. This specific case is not anything like any of the examples you gave.


One of the many problems with the way the FBI is asking for Apple to get into the phone is they are asking for a tool (an instrument) to be built, not for Apple to just give them the data.

The FBI could have filed for Apple to get them the data by brute forcing the pin code. They didn't ask for that, they asked for Apple to make a tool that could be used by the FBI to brute force the pin code themselves. This is a huge difference when you are talking about the legal system.

Jonathan A. Zdziarski, who has a little bit of experience with forensic tools and expert testimony, has written a post about this specific issue: http://www.zdziarski.com/blog/?p=5645

In the end, forcing Apple to build a tool to be used at trial, it would end up forcing them to release the code to many different people for 3rd party verification that the tool works properly for forensic purposes.

This lawsuit (using a law from the late 1700's, remember we became a country in 1776) is completely political and absolutely has nothing to do with getting into this specific device. It is about forcing a legal precedent and to force Apple into doing something they want without going through Congress.


>The government absolutely should not be trusted. That's why Apple shouldn't give them a skeleton key to get into any phone, just the legally compelled access for this specific phone.

You are still trusting that the legally compelled access is all good and valid, ignoring rubber stamping by courts. Allowing access to this phone due to a court order, when combined with a history of abuse by the courts, is as good as any other skeleton key.


Not at all. If they had a real skeleton key, they wouldn't need to get a warrant.

Rubber stamping is a separate issue. If that's what people were worried about, why would it be this case in particular getting everyone's hackles raised? Every warrant to search a house or a car should be questioned, but this case isn't special.


The government does not need a warrant to gain access to your information, easily evidenced by mass surveillance of the world for the past 15 years. If they really want something you have, they will just take it mobster style and tell you to go fuck yourself. They don't have to charge you with a crime, they can charge your property with a crime and force you to deal with a kafkaesque process where your property is guilty until proven innocent by the people who issued the very order to seize it. Information + Encryption is one of the only things regular people have that is resistant to this process.

They do need a warrant for any information to not get laughed out of a US court though. This is the main reason they are going after the data this way, because they want what they found and know wouldn't survive discovery to eventually be admissible as legally obtained evidence. That and it will set a nice precedent for them to deputize private persons and corporations into being law enforcement when they just can't be asked to not fuck up one simple thing.

This is also not coincidentally a case likely to polarize people against Apple with the old faithful terrorists are coming to get you rhetoric. A most slippery slope indeed, nearly guaranteeing that everyone who is supposed to be checking the executive branch for overreach will just go along with them wholesale.


To use it as evidence, they will need to obtain it lawfully.

That doesn't prevent them from acting upon information received from Apple outside of the court system.

There is a reason parallel construction is a thing.


> just the legally compelled access for this specific phone.

You're trusting the government to not acquire the signing key from Apple.


Yes, I am trusting that. So are you. If they had the signing key they wouldn't need to ask Apple for anything.


> Yes, I am trusting that.

> The government absolutely should not be trusted.

You're contradicting yourself.

> So are you.

No I'm not. The keys will be acquired when necessary, if they haven't already.

> If they had the signing key they wouldn't need to ask Apple for anything.

That would be true if the goal was to gather forensic data from a single phone. As I stated above, it's foolish to look at this situation in isolation. The FBI's (and other government agencies) history of trying to restrict encryption and gain access to communication technologies says the government has other goals.

You might have noticed that there has been a propaganda campaign going for a while now that has been framing encryption as a "terrorist tool" that is causing law enforcement's investigations to "go dark". The goal isn't the phone; this is about framing Apple (and Silicon Valley in general) as impediments to public safety.


> You're contradicting yourself.

No, you appear to be purposely taking my words out of context.

I said the government should not be trusted with a carte blanche skeleton key to access any phone.

Then you said I'm trusting the government not to get access to Apple's signing keys. Which of course I trust, and which you do too. If the government could get Apple's keys, they could just make their own firmware change, sign it, and install it on any phone they want. They wouldn't need this case.

> No I'm not. The keys will be acquired when necessary, if they haven't already.

Now that is some tin foil hattery. That would be reason for outcry. It's a big leap from where we are now.

If this case sets a precedent in either direction (pro or anti privacy), then the battle is already lost because nobody understands what's going on. This is in no way the same as the government circumventing privacy. If people don't understand that, then they're not going to understand a more principled argument of a company impeding a perfectly legal request to get access to the data on a phone.

Is your problem that you don't like the ability of the government to get and execute a search warrant against a person? You don't think they should be able to? If they can search your property, and they can demand for example that your landlord grant physical access, then I see no problem with this request. The responsibility is Apple's to make it so the phone can't be unlocked by Apple.


> No, you appear to be purposely taking my words out of context.

Purposely? You didn't provide much context. Apparently you include some large exceptions where you do trust the government.

> you do too.

I've already told you I don't, because the government has a pattern of behavior that suggests otherwise. What is the basis for your trust that they wouldn't go after Apple's signing key? (or any other key)

Did you forget that the government forced Lavabit to turn over their private key?

> they could make their own firmware change

I've already addressed that, but I'll add that they could still take that route in the future.

> Now that is some tin foil hattery

Insults like that do not help your argument.

> It's a big leap from where we are now.

Perhaps. I don't think it's a very big leap at all to suggest that the government might repeat tactics they've used in the past.

> Is your problem that you don't like the ability of the government to get and execute a search warrant against a person?

Of course not, that's stupid. I have no problem with most warrants. I do have a problem with the general warrants being used by the FISA court, which were the reason we have the 4th Amendment.

> they can demand for example that your landlord grant physical access,

That's correct. However, this case isn't about Apple simply granting access to some of the property they own.

> make it so the phone can't be unlocked by Apple.

In the future, that would be a good solution (zero-knowledge techniques are always a good idea).


> Apple can make that happen trivially.

Trivial to whom? Apple certainly does not view the act of complying with this order as trivial.


From a PR perspective, sure. They don't want to look bad. Their reputation should already be damaged though, to anybody paying attention. Because they clearly made a piece of software with a backdoor. I don't put much weight in their letter to customers claiming it's so bad though. It's full of exaggerations and half truths, which to me implies they are trying to save face for something like creating a poorly secured device.


No critique of these programs is fair without taking into account the benefits, like all the terrorists they caught:

https://www.newamerica.org/international-security/do-nsas-bu...


And these [explicit] trying to use excuses like it's for our children or if there wasn't encryption this shooting would have never occurred etc to further surveillance makes me furious. What makes me even more angry is these [explicit] getting away with lying to congress, courts with absolutely no action against them. Democracy is for the people by the people and of the people. I understand the need for secrecy in some matters of the govt. But the courts not having the ability to oversee them without having to resort to secret court system is govt abusing its power. They have been using NSLs to keep their BS under the covers. That's gotta change. There has to be punishment for those in power lying and misleading the public.

They have also tried using Paris attacks to justify backdoors and surveillance telling us they would have been able to stop it if there was no encryption. Now those who hear it will support spying without knowing that Paris attackers didn't actually use encryption to hide their communication. And NSA still didn't get a clue and warn them. Paris is not even their responsibility anyway. They have French govt to take care of their affairs. Those massive amounts of tax dollars and resources can either be used to make a better world or to make an orwellian world. What's it going to be people? It depends on you.


Great post.

The government doesn't have our trust because the government does not deserve our trust.


To me, the more important aspect is the U.S.'s failures to maintain their own data integrity.

* The OPM breach is a big part of this.

* Government domains without SPF or requiring TLS (for instance email)

* Social Security Numbers significantly insecure

* Secretary of State (GA) losing identities


This is a significantly underappreciated point. Let's assume that the software to unlock an iPhone exists only on one non-networked laptop. Even if it couldn't be remotely hacked, is it too much to expect that the US government - which couldn't even keep the atomic bomb designs from being stolen by the Soviets - is going to keep that information safe and secure forever?


* Storing NSA documents without proper (air-gaped) compartmentalization such that it was even possible for one person to access them in bulk.


In the future, add the proper number of p's into "gapped." The term "air-gaped" activates the neurons that cannot unsee goatse guy.


Boom. Headshot.

Nice point.


Maybe Apple should have just stated that it's impossible to create a backdoor (the way actual encryption should be). But since we all know that it's possible to create one, the fact that there is an option will always spur debate.

The most important thing that the author mentions though is "How can the government regain the trust of the people?".


>The most important thing that the author mentions though is "How can the government regain the trust of the people?".

Why should it? And do the people even distrust the government?

Just look at the Presidential candidates. All the Republicans left are totally in favor of mass surveillance, and Hillary, the choice of mainstream Democrats, of course is a big fan of ubiquitous surveillance. Face it, most of the American public, except maybe the Millennials and Gen-Z, love the idea of having the government spy on them all the time "for their safety".


> Face it, most of the American public, except maybe the Millennials and Gen-Z, love the idea of having the government spy on them all the time "for their safety".

John Oliver did a show on this. It isn't that they are in favor of it, it is that they don't understand the implications. They think the spying is limited to just terrorists, not realizing that everything they do is being spied on.


That was a great episode - no one cared about Snowden or privacy until he explained to them that it meant government officials could see every dick picture they had sent or received.


Does anyone have a link to that episode?


https://www.youtube.com/watch?v=XEVlyP4_11M

I assume this is the same episode everyone was talking about but it's the Snowden one and the street interviews are pretty sad (as they always are).


Yeah, this.

My feeling is that most people would be against mass surveillance and anti-encryption posturing if they truly understood what was happening and what the implications were.

Unfortunately most people do not have a reason to learn about basic infosec during their daily lives and remain blissfully ignorant about it.


> Face it, most of the American public, except maybe the Millennials and Gen-Z, love the idea of having the government spy on them all the time "for their safety".

citation needed


Um, I already did: Bernie's the only candidate really against spying, and it's mainly young liberal people who like him. Everyone else, plus conservatives, loves all the other candidates, who are all in favor of spying. Hence, the people want to be spied on. If they didn't, they wouldn't be fans of these candidates.


You are going through so many logical fallacies I don't even know where to start. But that's not how logic works. None of that is how logic works.


> Um, I already did: Bernie's the only candidate really against spying, and it's mainly young liberal people who like him.

Most of the exit polling breakouts I've seen have shown that (among Democratic primary/caucus participants) he does better among the young, among white voters, among people who have not participated in Democratic primaries/caucuses before, and among people who do not describe themselves as liberal, with Hillary doing better among the opposite groups.


Read up on how democratic candidates are selected. Hillary is the establishment candidate. The people have nothing to do with her appointment (assuming she wins).


Hillary is going to be... appointed? Um, no.

And yes, I know how democratic candidates are selected. The people are going to have plenty to do with it (that's what all those primary elections are about).

I agree that Hillary is the establishment candidate. That's pretty hard to argue with. But if she doesn't win, it will be because people didn't vote for her.


So you should know then that the DNC doesn't use popular vote to decide its candidates. The only reason Hillary is in the lead is because the only votes that have counted up until this point have been establishment votes.

You can't sit here and say "The public doesn't care. Look at Hillary" when Sanders is actually the popular candidate and he is a proponent of stronger privacy laws.


I know that the DNC doesn't exclusively use the popular vote to decide its candidates, yes. There's the "superdelegates". They make up, what, 15% of the delegates? So, yes, they can swing the election if the primaries break 60/40. It's not the most democratic system, I'll admit. But the people are not locked out. Their voice will be heard, and can easily swamp the voice of the superdelegates.


> You can't sit here and say "The public doesn't care. Look at Hillary" when Sanders is actually the popular candidate and he is a proponent of stronger privacy laws.

While Sanders has swung to near parity (slightly ahead in some) in national polls, he's finished just behind Hillary in both Iowa and Nevada caucuses (but well ahead in the NH primary). He's won slightly fewer votes overall, and the two candidates have about the same number of pledged delegates (I've seen different sources claiming 52/51 Hillary and an even 51/51 current split.) This is based on actual votes of actual voters, not skewed to establishment figures. Neither candidate is, either on the actual votes or the national polls, substantially more popular.

Hillary is far ahead in terms of informal commitments by unpledged delegates (superdelegates) who are mostly incumbent party officeholders, but those aren't votes, and while some media outlets report them as if they were the same as pledged delegates, they aren't. Superdelegates can and do switch allegiance over the course of the campaign, the same way as other public endorsements do.


Hillary has 100,000 popular votes, and 52 democratically elected pledged delegates to Sanders' 51. The "establishment votes" are not cast until the convention.


Oh please. Yes, Hillary is the establishment candidate, I'll agree, however there's no evidence yet that she's going to be "appointed". The only way that'll happen is if Bernie wins enough primaries/caucuses to get the Dem nomination, but the DNC gives it to Hillary anyway (probably because of the superdelegates), in a non-democratic process. From what I've read, this has never actually happened before; the Democratic candidates are selected by voters in primaries.


> do the people even distrust the government?

http://www.gallup.com/poll/5392/trust-government.aspx

> Just look at the Presidential candidates.

The Republican frontrunner is popular mostly because he has nothing to do with the government, and has no respect for most of the government.

Anyway, looking at presidential candidates is not that useful, because I think a huge amount of voters would say something like "I don't trust the government at all, that's why I'm voting for <x>".


> most of the American public ... love the idea of having the government spy on them ...

I suspect you're confusing "loving the idea" with "feeling trapped, unable to see any alternative".

https://www.asc.upenn.edu/news-events/publications/tradeoff-...


Um, there is an alternative: Bernie. But while I like him, I can't say that a majority of Americans are big fans of him. So far, the majority of Americans appear to be fans of pro-spying candidates, so I think it's safe to assume that the majority of Americans support spying. And it's not just that one issue; most of those other candidates are also in favor of policies to benefit the moneyed elite, not the common voter. But Americans have convinced themselves, by and large, that they're all temporarily embarrassed millionaires and happily vote against their own interests in every election.


I wonder if it's a matter of apathy or if they genuinely like that idea. Most people I talk to about this say "I don't even want to know" or "who cares". They just find the whole thing difficult or painful to even consider as they're so attached to the technology as it is. They don't want to do anything differently when it comes to privacy.


[deleted]


Did you miss GCHQ's JTRIG department targeting Muslims for harassment? Inside the UK?

https://media.ccc.de/v/32c3-7443-the_price_of_dissent

Or the NSA's domestic actions for their "customers" (their words) at the FBI and DEA?

https://en.wikipedia.org/wiki/Parallel_construction

Using the "nothing to hide" fallacy is bad enough (general warrants are still unconstitutional), but if you think the intelligence agencies only investigate "a large scale serious crime operation" then you should really do more research on what those agencies have been doing over the last decade.


"...you should really do more research on what those agencies have been doing over the last decade."

Can you point somewhere out that shows what they have been doing, as I would be genuinely interested?

I doubt I do anything interesting enough for the government to bother about. But I do hold non-mainstream / controversial opinions about certain things, and I am careful about who I actually discuss them with, I certainly don't post them on Facebook or send them in emails. I wonder if I should be more worried than I am.


I know there is incredible dislike for Rush by many in this community, however his transcript today concerned the issue at hand and was very good. The reason it's important is because his audience is large and he actually did a good job with the issue. Normally at the noon hour I simply turn off the radio but when I heard the discussion that came up it was so engrossing that I listened to the whole show.

tl;dr no matter what is claimed, if Apple writes this for this one phone it will get out.

http://www.rushlimbaugh.com/daily/2016/02/22/how_the_governm...


Pretty good read. I wish more people in the media would learn a bit about this stuff. He did a great job of keeping the callers in check when they threw BS elementary arguments at him like "well why don't they just hack it!"


If I was the NSA, the Chinese Government or a hacker group, I would be working really hard right now to get a foothold on the internal Apple network. To be able to grab any and all data (code, emails, files, etc) from anywhere on the network to try and capture the work that would be required to fulfill the request of this court order.

Even if we could trust the US government, we shouldn't be forcing Apple to create this 'master key' anyway. The problem is that anything that has been created digitally cannot be destroyed after it is used. Once the tool is created, we cannot put that genie back in the bottle.


It's recently been shown that this action is purely political, there is nothing material that the FBI stands to gain in their investigation.

The entire point is to let the genie out of the bottle.


It's been covered a couple of times, but Apple is being asked to make a tool that would check that the device ID is the same as the warranted device. That's the essential part.

By having a device ID check (combined with digital signage), Apple could publicly release the tool without fear of anything happening on any other phone. Plus people couldn't modify it because that would break the signature.


Did you miss the bit where the DoJ has already declared it has hundreds of other phones it will want cracked if Apple is willing to comply with this?

Also, if you think having a device ID check is going to do anything, you might want to have a look at the cracks scene and what they do with your pitiful attempts at DRM...


If Apple can do something that will unencrypt the phone, then obviously the vulnerability is already present. How about Apple hacks the phone, then fixes the vulnerability so they can't do it again in the future?


Apple can't decrypt the phone. All they can do is make it easier to brute-force the password. If the firmware is cooperating and not introducing artificial delays, you can try one password every 80 ms. In later versions of the phone, the hardware enforces a 5-second delay which you might not be able to work around even with cooperative firmware.


The analysis I have read from those that understand the technicalities behind it better than I do is that it is because the phone in question is a 5C.

e.g. Apple has already fixed the holes in the 6/6S; the concern here is the use of all writs to compel them to unlock the 5C, and the Pandora's box that doing so would open up.


No, the devices with secure enclave (like 6/6S) are just as exploitable by the phonemaker.

https://www.techdirt.com/articles/20160218/10371233643/yes-b...


Ugh, if Rob Graham and Bruce Schneier can't be used as a good source...

Sounds like Apple needs to update Secure Enclave so that updating wipes the keys.


Yep, exactly. If they did that, and the government was trying to somehow make that illegal, or demand a real backdoor, then it would be time to get up in arms. But that time is not yet.


Something much worse is possible.

What if the NSA/CIA/whoever can already decrypt that phone if they want? What if they're very publicly showing limitations of their abilities that aren't real, so that bad guys use it as a manual ("follow these steps and the NSA can't spy on us", except they actually can)? What if they're doing this so that bad guys (as defined by them) continue to use and trust vulnerable systems, rather than looking for secure alternatives?

If that scenario is right, if all this is just theater, then Apple will eventually win this fight, and along the way, there will be pretty clear guidelines established about what the NSA currently can and cannot break. Only you can't trust that what gets revealed is accurate...


Ah, the ol' COINTEL conspiracy (I use that word without its usual negative connotation).

I'm always surprised by people's ability to assume "the Government isn't corrupt this time!" after time and time and time and time (and time and time)... and time... and time... and time again, the Government was "that corrupt that time". While it should never be assumed that they for certain are, it should always remain a possibility until reasonably argued against.

Of course, one can't prove a negative - so the line of where it has been "reasonably argued against" is a very gray area. It's easy to cross the line into "full-blown looney conspiracist".

Which, going along the COINTEL mindset, is exactly what a Government would want: The general population dismissing anyone critical of the government as being a looney nutcase...because the Government couldn't possibly be corrupt.

As someone who has read too much into COINTEL operations and literature (and at one point wanted to write a book about various COINTEL tactics) - it's really hard to dismiss ideas like the one you bring up - even on grounds of "there's no evidence for that".


How does this fix the issue? NY alone has said they will request Apple unlock roughly 200 phones they already have, so please explain how this is a solution.


>NY alone has said they will request Apple unlock roughly 200 phones they already have, so please explain how this is a solution

Why is this a problem? As long as the government has the legal right to search the phone, isn't it good that they can now search it?

Remember this would only apply to phones the government has physical control over and in cases where Apple is compelled by a court.


> Remember this would only apply to phones the government has physical control over and in cases where Apple is compelled by a court.

I'm curious how we can be certain of that. Granted, this is the 'slippery slope' argument.

A lot of people, myself included, don't think the government is interested in ONLY decrypting phones in this class. They want to decrypt ALL of them, en masse, at will.

The hell of it is, as I typed the above, I think of how I would have felt reading those words typed by someone else, 15 years ago. I'd assume they were some kind of conspiracy nut.


Agree, as stated, 15 years ago someone would have thought "nut job" - funny (read crazy) thing is now that the general public switched from believing this was crazy to it making sense.


How else would the FBI compel Apple to do it? If there is some other way, why does doing it the legal way make the illegal way more likely?


That's the point, they legally can't make Apple do it.


> As long as the government has the legal right to search the phone, isn't it good that they can now search it?

(1) Government has legal powers, not rights, but more importantly,

(2) No, just because a legal power of government exists does not mean that it is better for it to be exercised in every case where it might be.


> As long as the government has the legal right to search the phone, isn't it good that they can now search it?

The President has the legal right to order an assassination, so all assassinations ordered are good, and even more are better? I don't follow your reasoning at all.


You are subtly changing "legal searches of suspects with prerequisite probable cause" to "legal assassination" of a bunch of unstated people. That should change the reasoning involved. So I believe you are using a faulty analogy.

First, there is a huge difference in consequences. If you search a phone and nothing is there then the person isn't significantly harmed. Killing someone is a huge consequence and it's irreparable.

Second, the court proceedings insure we are only searching people who deserve it. You leave that out in your assassination hypo. The standards for deserving a search are lower than deserving to get killed, at least they should be. So you can't compare the two. But assuming the president ordered the assassinations of people we knew deserved it--known terrorists, spies, genociders, etc--I'd still say "what's the problem"

Finally, you are substituting in something that most people consider inherently immoral. I think it's pretty clear a search of a phone to recover evidence is not inherently immoral. But many would say that there is never a reason to assassinate someone.


>legal searches of suspects with prerequisite probable cause

We've seen the court abuse that whole 'probable cause' to the point of being meaningless.

>First, there is a huge difference in consequences. If you search a phone and nothing is there then the person isn't significantly harmed. Killing someone is a huge consequence and it's irreparable.

So because the harm isn't as immediate, certain human rights don't matter as much?

>Second, the court proceedings insure we are only searching people who deserve it.

Because the court says so... which is as good as the President saying the target deserved the assassination. The court is still part of the government that can't be trusted.

>So you can't compare the two.

You can always compare different things. In fact, any comparison of real life topics is being made of two different things.

>But assuming the president ordered the assassinations of people we knew deserved it

Who deserved it according to the President, who we don't trust because they are a member of a government which we are talking about not having trust in.

>I'd still say "what's the problem"

Those pesky human rights...

>Finally, you are substituting in something that most people consider inherently immoral.

I'm only using an example that is an easier violation of human rights to understand. It is far easier to explain to people why violating the right to life is wrong than it is why violating the right to be secure against searches and seizures.

>I think it's pretty clear a search of a phone to recover evidence is not inherently immoral.

If your morality is one that allows an abusive government to violate human rights then that isn't a morality we share.


They have that ability because they (and only they) can update the OS. So, "fixing that vulnerability" prevents them from ever updating the OS again. You're better off security-wise accepting their updates.


Why? If one can only upgrade the OS with a package signed by Apple, why couldn't it check for a second signature, generated from the user's password? Then you could upgrade the OS, you'd just need the user's password.


The debate is fairly pointless, govt will do whatever they want anyway.

The vast majority of people just vote down predestined party lines, and swing voters aren't all the bright educated people we like to think they are. It's just a fact that half of all people are of below average intelligence.

Politicians should be a better than average cohort for intelligence, but judging by the incomprehensible jabber they espouse on tech matters I doubt it'll change anytime soon. They seem to spend most of their time trying to dick each other over and make themselves look good rather than actually get shit done.


Saying the government will do what it wants is a vast oversimplification of how the government works. The government doesn't speak with a single voice. The FBI can want one thing, the judge in this case another, a different judge something else, and each and every member of congress something different altogether. Even within the executive branch in the US there are differences in opinion: Tor, for instance, is partially funded by the US Department of State and the National Science Foundation (according to their donor page: https://www.torproject.org/about/sponsors.html.en) while it has been opposed by law enforcement and the NSA.

The importance of a debate like this is it allows the various parts of our governments (and their bosses: us) to state their positions and work out a solution. What that solution is is not a foregone conclusion in the least (cf. the Clipper Chip, https://en.wikipedia.org/wiki/Clipper_chip)


> The debate is fairly pointless, govt will do whatever they want anyway.

Clearly they never had a problem with that. The problem they have is that it takes NSA up to 8 months to crack a key for one single iPhone, and the list of crack-awaiting devices grows every day.

That is what they are truly complaining about and, as others pointed out, they try to use this case of supposedly pro-terrorist Apple to force them to give out the key that would open any and all other I-devices.

I bet a bottom dollar that if Apple asks them to hand over the device and they will retrieve info off of it, the FBI would come up with every possible excuse -- including the one that they cannot trust Apple employees -- not to hand it over. They want the KEY, not any other way around!


How do you figure the government has the ability to "do what they want" in this case?


I don't think it's a surprise that it has often been the case that some elements in the gvmt are able to rationalize that some objectives they have can trump the 'laws' and other rules ordinary citizens would be held accountable to. For example, the Patriot Act and other measures can be broad enough in scope to allow interpretation which would have some elements think they are invested with the power of spying on their own citizens living within the borders of their country. That's just one example. Iran Contra is also another one, and the list goes on ... The impetus for this type of rogue action will always be present in the circles of power, to allow them to keep their positions.


I don't understand. If the government could do the programming to do it, they would. That's what I'm asking: can the government really be doing "whatever it wants" in this case? They seem a bit stymied by the whole PIN wipe thing.


They can pass laws requiring software to be backdoored without allowing the company to notify the public (similar to what happened to Lavabit), or can use three letter agencies to backdoor most software anyway (similar to what happened with Dual_EC_DRBG).


Those laws won't be passed in secret.


Declare that the phone is a banana and therefore not entitled to expectation of privacy.


I totally agree the US government shouldn't compel anyone to weaken security generally. So Apple shouldn't be forced to build in a backdoor into products that are released for sale.

But this Apple request is just exploiting a weakness that already exists. And it would only be doing it on a single phone. And it would be doing it pursuant to a legal order by a US court.

Also, the US government only has zero credibility in the minds of hardcore activists or extremists. The bulk of the American public trusts the FBI to investigate ISIS.


I agree - this is the type of vulnerability that, assuming Apple is extremely careful about protecting their signing key, is only exploitable by court order or similar state request. This crypto implementation on iPhones and the like isn't really designed to protect against that, it's really more to prevent the common criminal from accessing your personal data. Apple already comply with law enforcement requests to access iCloud backups and other such data, so assisting with this passcode crack isn't really much of a stretch.


> I agree - this is the type of vulnerability that, assuming Apple is extremely careful about protecting their signing key, is only exploitable by court order or similar state request.

Apple has been trying to prevent jailbreaking for years - they've always failed, so I'm skeptical about this "only exploitable by court order" bit. Determined people will find ways around the protections. Heck, it is even possible that someone (think nation-states) has already found a way to circumvent the passcode lock. This will only lower the barrier of entry.


Jailbreaks address a different type of vulnerability - that of incorrectly written code or poorly designed systems, that can lead to a privilege escalation.

The vulnerability that the FBI are using is the ability of Apple to update the iPhone with arbitrary code, provided it has been signed with their secret key. It's an important feature, of course, but still a security vulnerability - albeit an irrelevant one for the vast majority of iPhone users.


The most important bit is that Apple can (and in fact, was asked to) make the change only work on a single phone. As in, there is no fear of it "falling into the wrong hands" as the FUD goes. If you believe in the security of cryptography, then you believe they can make this change cryptographically device locked.


Then once that happens: they have both precedent and legal case law on their side to compel Apple, or Microsoft, or Cisco, or Google, etc. to do the same for another secure product.


> Then once that happens: they have both precedent and legal case law

"Precedent" and "case law" are the same thing (and "legal case law" is just a silly construction), so it doesn't really add anything to say you have both of those, instead of one or the other.


All this case law talk is irrelevant. If Apple actually just voluntarily did this one time it wouldn't really set a legal precedent. Fighting it will probably set a legal precedent. And they are doing it on a case that maximizes the FBI's argument that this is needed for national security.

But sure, Apple will end up having to do this for a lot of phones the FBI has. But why is that a problem?


> And it would only be doing it on a single phone.

No, it would not. New custom software has to be developed. Software that can then fall into the wrong hands, from crooks with stolen phones, to nation states.

Seriously, it boggles the mind that they are asking for the security to be weakened, because terrorists. But they are not concerned that said terrorists will then be able to use the same software to crack their phones. Or Russia, or China. Maybe they are counting on the fact that it (for now) requires physical access?


>No, it would not. New custom software has to be developed. Software that can then fall into the wrong hands, from crooks with stolen phones, to nation states.

Only if Apple stupidly wrote a generic firmware that could run on any iPhone and then lost it. That risk is essentially zero.

If Apple reasonably complied with the order, it would be as dangerous as any other Apple update, which is to say not dangerous at all.

>Seriously, it boggles the mind that they are asking for the security to be weakened, because terrorists.

In this case, there is no weakening.


> Only if Apple stupidly wrote a generic firmware that could run on any iPhone and then lost it. That risk is essentially zero.

The updates they write now are generic and run on any iPhone. So theoretically any new code, by default, would be as well. They may not even have a way to limit firmware to specific devices without many man hours more of work on top of creating the modifications already being requested.


> They may not even have a way to limit firmware to specific devices

They do. The new firmware may not be distributed, but it should be easy enough to make it such that if it was distributed, it wouldn't change security at all on phones other than the target.

For example:

    function handleWrongPassword() {
      if (deviceId = 1234) {
        return;
      }
      //do the normal phone stuff, like a delay or wipe
    }

Since the firmware is signed, no phone will run the firmware if you change the hard coded 1234.
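
The claim in the comment above (a signed image with a hard-coded device ID cannot be retargeted) and the earlier suggestion of a second, passcode-derived approval for updates, as an added example that is not part of the thread and not Apple's code. The Ed25519 key, the JSON manifest, the HMAC approval tag and every name here are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed vendor signing key (assumption: Ed25519; the thread names no algorithm).
const vendor = crypto.generateKeyPairSync('ed25519');

// Toy firmware image: a manifest whose target device ID sits inside the signed
// bytes, like the literal 1234 in the pseudocode above.
function buildImage(targetDeviceId) {
  return Buffer.from(JSON.stringify({ build: 'constructed-sample', targetDeviceId }));
}

function vendorSign(image) {
  return crypto.sign(null, image, vendor.privateKey);
}

// Hypothetical second factor: an approval tag keyed by the user's passcode.
function deriveUserKey(passcode, salt) {
  return crypto.scryptSync(passcode, salt, 32);
}

function userApprove(image, userKey) {
  return crypto.createHmac('sha256', userKey).update(image).digest();
}

// Boot-loader side: decide what to do with an offered image.
function installDecision(device, image, vendorSig, userTag) {
  // 1. Any change to the image bytes, including the device ID, fails here.
  if (!crypto.verify(null, image, device.vendorPublicKey, vendorSig)) {
    return 'reject: vendor signature invalid';
  }
  // 2. Optional hardening: a vendor signature alone is not enough.
  if (device.userKey) {
    const expected = userApprove(image, device.userKey);
    const ok = Buffer.isBuffer(userTag) &&
      userTag.length === expected.length &&
      crypto.timingSafeEqual(userTag, expected);
    if (!ok) return 'reject: user approval missing or wrong';
  }
  // 3. A validly signed image only changes behaviour on the device it names.
  const { targetDeviceId } = JSON.parse(image.toString('utf8'));
  return targetDeviceId === device.id
    ? 'install: retry limits relaxed on this device'
    : 'install: normal retry limits kept';
}

function demo() {
  const image = buildImage(1234);
  const sig = vendorSign(image);
  const target = { id: 1234, vendorPublicKey: vendor.publicKey };
  const other = { id: 5678, vendorPublicKey: vendor.publicKey };
  const edited = buildImage(5678); // device ID changed, old signature reused
  const salt = Buffer.from('constructed-salt');
  const guarded = { ...target, userKey: deriveUserKey('constructed passcode', salt) };
  const wrongTag = userApprove(image, deriveUserKey('wrong guess', salt));
  return {
    target: installDecision(target, image, sig),
    other: installDecision(other, image, sig),
    edited: installDecision(other, edited, sig),
    guardedNoTag: installDecision(guarded, image, sig),
    guardedWrongTag: installDecision(guarded, image, sig, wrongTag),
    guardedOk: installDecision(guarded, image, sig, userApprove(image, guarded.userKey)),
  };
}

console.log(demo());
```

The device-ID binding holds only as long as the vendor key does; the passcode-keyed tag is what makes a vendor-signed image insufficient on its own.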


> if (deviceId = 1234) {

... Is that a backdoor within a backdoor? :)


I don't know what you mean... but it's pseudocode for what the FBI asked Apple to do. It's a backdoor that only applies to a single device. Since it must be signed by Apple, it can't itself be backdoored by the FBI or a hacker or anyone else without Apple's consent.

Edit: oh, I see what you mean. The single =. But it's pseudocode. That happens to look a lot like Javascript with a bug :)


> Ben Franklin's observation that "those who would trade liberty for security deserve neither"

It is an opinion, not an observation ('deserve' in particular is not an observation). Just because someone famous said a thing doesn't make it true, or even true-ish. If you want to be such a purist about Franklin's comment, then abolish the police altogether; you'll rapidly see that Franklin's comment is not meant to be read in such a purist way. Or to put it another way: where do you draw the line with Franklin's comment?

The article then goes on to talk about gun rights for some reason, with the usual canards thrown in, plus a bit of good ol' selective reporting: "gun deaths are down by half in the past 25 years!", neatly ignoring that they're measuring from the peak, not from the previous baseline. And the US homicide rate is still nearly four times higher than most other western democracies...


> > Ben Franklin's observation that "those who would trade liberty for security deserve neither"

> It is an opinion, not an observation ('deserve' in particular is not an observation).

And the quote is both butchered here (the original is: "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety") and -- as it usually is -- applied poorly considering its original context. [0]

[0] http://www.npr.org/2015/03/02/390245038/ben-franklins-famous...


Ah, thanks for that. I've seen the shortened version so often I'd come to believe that was the actual quote. The longer version makes much more sense and is far less absolutist.


I don't like this line of reasoning because it allows for a pro-surveillance outcome if you change the statistics. At what threshold do you switch sides? Ben Franklin is pretty clear and so is the constitution. We don't need to argue on the government agency's terms because we win this argument hands down on principle alone. Please don't weaken the argument.


Here's the thing. Governmental credibility should not be a factor. Particularly in light of how things have and will continue to shift over time.

Clinton tried to push the Clipper chip through and failed. We can't just say things got better and now we should help weaken crypto because bad guys and now the government has more credibility. Obviously, things swung back in the opposite direction.

So the only safe solution is to build strong crypto always.


The government having credibility now wouldn't guarantee that this would be a good idea forever going into the future.

But the fact that the government already doesn't have any credibility on privacy and data protection is a factor. It means that this is already a bad idea as of right now.


No governments around the world have any credibility defending the liberty of their people.


Who's Tim Cooke?


CEO of Apple.


That would be Tim Cook...


I think what's being lost in the shuffle is Apple has no credibility in claiming its protecting your privacy and security.

http://money.cnn.com/2014/09/18/technology/security/apple-pr...


At the center of it all, everybody's scuffling to be the all-seeing eye of the internet. Google/Apple/Facebook/ad networks/etc all want to know everything, to be able to sell & exploit that information. They don't want that precious IP to be diluted and lose value, so they must defend their freedom and autonomy to do what they'd call "evil" if others did it.


That doesn't really seem to be related here.

One of the reasons I gave up on Slashdot was how people used any story as a tangent to flog their unrelated hatred of some company. Please don't turn HN into Slashdot.


I'm sorry I gave you the impression I hate Apple, that's certainly not what I intended.

One of the implicit ideas underlying Apple's arguments is that they are more trustworthy than the government.

But there's a lot of evidence that they are not as strong on privacy as they should be. Casting Apple, and private industry in general as privacy heroes does a disservice to those very valid concerns.

Here's an article from earlier this month:

http://www.theguardian.com/money/2016/feb/05/error-53-apple-...

http://www.forbes.com/sites/gordonkelly/2015/09/16/apple-rel...


None of this gives me the impression that I should trust the government at all, so why bother making the argument against Apple here? It doesn't effectively rebut the article. It just comes off as axe-grinding.



