I don't want to link in the URL so that people don't read it thinking that is the content of the message, but this.
This blog post outlines how the government could reasonably decrypt the contents of the phone without involving Apple at all. As far as I read this, it seems correct. If you have an encryption key that is a wrapping key, all you need is a copy of the wrapping key and the storage in some way. After that, brute force does not require an EFI signed OS in the slightest to brute force the ciphertext, and at 10000 combinations even at the slowest of hashing speeds, this is meaningless as it would probably take roughly 2 hours on modern laptops to crack an algorithm with that few combinations in something like bcrypt, multi-rounds, or other slow hashing algorithms.
This is supposed to be the smoking gun that the FBI is misleading the public and should lose the case, which is half true and half false. This is definitely proof that the FBI is misleading the public in regards to their capabilities, they absolutely can. However, this is not the smoking gun that will prove Apple to be in the legal right, but it instead is the exact evidence the FBI needs to win the case.
For those unaware, almost all digital law is based on physical law, including surveillance and encryption. Encryption has been mostly ruled by case law involving safes and safe cracking.
The previous stance and enforcement of the usage of safes is that if there is a key that can be picked involving the safe, then the citizen must hand over the key because it will take up government resources and waste taxpayer money to actually perform the act of the picking or tracking down a universal key that works with your safe. Sometimes they just have it handy and use it, other times they don't and the judge will demand you turn it over. If you do not, you are held in contempt of court.
This later extended into digital codes. If you have a digital code on a safe, that is considered something in your head that cannot be searched by the government (your mind cannot be searched legally, and you cannot incriminate yourself). They then found a way to extend the previous law to cover certain digital code based safes. How? If they can prove that the safe is in fact crackable (you can drill in a certain way if you subscribe to safecracking magazine, for instance), they can reasonably assume that they can force themselves into the safe and then it again becomes a waste of taxpayer dollars for them to perform the task, purchase the drills, etc.
Honestly, I understand the logic of this debate and it isn't actually all that terrible. They reasonably can crack the safe, and they will by using up taxpayer dollars, so why would you put the burden of a warranted search on the taxpayers.
How these laws have extended into digital law is that anything that you physically can possess that unlocks a computer (say a smart device or a password that can be bypassed if you aren't encrypting your device), then they can compel you to give up the device or password involved (or at least force you to unlock it, passwords are considered not something they have the authority to directly request, but they can force you to type it in). If the password is an encryption key, you are essentially safe because they are attempting to force you to incriminate yourself.
The FBI/Apple case now is entirely different from all of this. Yes the device is encrypted, but it is encrypted in a way that is easily decryptable (Apple relied mostly on EFI and tamper-proofing to protect the devices, which is smart, but not enough). The reason this is the case is that people don't like having passwords with enough entropy (8-10 random digits or word phrases, etc) and a 4 digit pin number is very very easy to crack even with the slowest of hashing algorithms. Apple does this for your own personal usability, as most people don't want to remember or type out a long passphrase on their phone or tablet. It's actually smart thinking, as only insane people like myself use properly long encryption passwords on their phones (I have to protect all of those cheapo freemium games!).
Anyway, to tie this all together, how does this screw Apple? Apple and the ACLU have definitively proven that the device can be broken into by the FBI since the chips can be removed and copied if done carefully and correctly. This, however, costs quite a bit of money to make sure the tamper proofing is bypassed correctly and the chips containing the wrapping keys are frozen and copied before they are erased. To verify 100% certainty, it would cost a lot of money to do which proves undue burden on the taxpayers of the country, meaning they can use previous digital and safe case law to completely screw Apple over.
Don't shoot the messenger, I'm in favor of Apple winning this case, but I see no way for them to win given how encryption law has been enforced in the past. There's essentially direct previous case law on this issue and people are a bit too emotionally charged to realize that we have been losing the encryption debate for the last 15-20 years, and in most cases have already lost. When we technologists were screaming about the importance of encryption laws and cases decades ago, nobody cared. Now it's too late for you to care, though it's cute that you think Apple will win.
The only way that we can get real change in this country is for any major corporation to pull out and stop selling to the United States. Apple should do this, but I don't see their shareholders approving this decision. I also don't see any other company doing this as it would be infeasible to sustain their expenses.
Welcome to the new age of technology. We've been here for decades, you just weren't paying attention.
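The keyspace arithmetic behind the post's 10,000-combination figure, as an added example that is not part of the original post: a toy model in which a numeric passcode is stretched with PBKDF2 into a wrapping key, showing that a slow hash only multiplies the search time by a constant while each extra digit multiplies it by ten. The function names, the HMAC verifier standing in for a key wrap's integrity check, the iteration counts and the sample passcode are all assumptions, and this is not Apple's key hierarchy.

```python
import hashlib
import hmac
import itertools
import os
import time


def derive_wrapping_key(passcode, salt, iterations):
    """Stretch a passcode into a 256-bit wrapping key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations, dklen=32)


def make_verifier(passcode, salt, iterations):
    """Stand-in for a key wrap's integrity check: only the right key reproduces the tag."""
    key = derive_wrapping_key(passcode, salt, iterations)
    return hmac.new(key, b"wrapped-key-check", hashlib.sha256).digest()


def exhaust_pins(salt, verifier, iterations, digits):
    """Try every numeric passcode of this length; return (passcode, guesses used)."""
    for guesses, combo in enumerate(itertools.product("0123456789", repeat=digits), 1):
        candidate = "".join(combo)
        if hmac.compare_digest(make_verifier(candidate, salt, iterations), verifier):
            return candidate, guesses
    return None, 10 ** digits


def seconds_per_guess(iterations, samples=5):
    """Measure the average cost of one key derivation on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_wrapping_key(str(i), salt, iterations)
    return (time.perf_counter() - start) / samples


def worst_case_seconds(candidates, per_guess):
    """Time to try every candidate once at a fixed cost per guess."""
    return candidates * per_guess


def digits_needed(per_guess, target_seconds):
    """Shortest numeric passcode whose full search takes at least target_seconds."""
    digits = 1
    while worst_case_seconds(10 ** digits, per_guess) < target_seconds:
        digits += 1
    return digits


if __name__ == "__main__":
    # Constructed sample: a 4-digit passcode and a deliberately low iteration
    # count so the full 10,000-candidate search finishes in about a second.
    salt = b"constructed-salt"
    verifier = make_verifier("7294", salt, 50)
    print("recovered:", exhaust_pins(salt, verifier, 50, 4))

    # 0.72 s per guess is the rate implied by the post's figure:
    # 10,000 combinations in roughly 2 hours.
    rate = 0.72
    for digits in (4, 6, 8, 10):
        hours = worst_case_seconds(10 ** digits, rate) / 3600
        print(f"{digits} digits: {hours:,.0f} hours worst case")

    ten_years = 10 * 365 * 24 * 3600
    print("digits for a 10-year search:", digits_needed(rate, ten_years))
    print("measured cost at 200,000 iterations:", seconds_per_guess(200_000))
```

Raising the iteration count scales every row of the table by the same factor; adding digits or moving to an alphanumeric passphrase is what changes the order of magnitude.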
Your analysis is incorrect.
> The previous stance and enforcement of the usage of safes is that if there is a key that can be picked involving the safe, then the citizen must hand over the key because it will take up government resources and waste taxpayer money to actually perform the act of the picking or tracking down a universal key that works with your safe. Sometimes they just have it handy and use it, other times they don't and the judge will demand you turn it over. If you do not, you are held in contempt of court.

All well and good. However: Using the "key" analogy, you're arguing that the courts can compel Apple, the safe manufacturer, to make a key to a customer's safe. That's hardly the same thing as providing an existing key. More than that:
> Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.
>
> The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.

Apple is arguing that the "key" that the FBI is requesting renders all future safes useless. That's a pretty potent restraint of trade issue. Particularly as a third of Apple's iPhone business is in China: Strong encryption to prevent a known authoritarian government from spying on its dissidents is the sort of sales feature that stands up pretty strongly in court. The blog post you link demonstrates that the FBI can get into the phone, it's just going to be a costly pain in the ass. Apple admits that they can get into the phone, but it won't just be a costly pain in the ass, it'll be a body blow to the security of their products.
> There's essentially direct previous case law on this issue and people are a bit too emotionally charged to realize that we have been losing the encryption debate for the last 15-20 years, and in most cases have already lost.

Au contraire. Apple won just last week.
> Under a more appropriate understanding of the AWA's function as a source of residual authority to issue orders that are "agreeable to the usages and principles of law," 28 U.S.C. § 1651(a), the relief the government seeks is unavailable because Congress has considered legislation that would achieve the same result but has not adopted it. In addition, applicable case law requires me to consider three factors in deciding whether to issue an order under the AWA: the closeness of Apple's relationship to the underlying criminal conduct and government investigation; the burden the requested order would impose on Apple; and the necessity of imposing such a burden on Apple. As explained below, after reviewing the facts in the record and the parties' arguments, I conclude that none of those factors justifies imposing on Apple the obligation to assist the government's investigation against its will. I therefore deny the motion.

Not saying this is cut'n'dried. But the ACLU has the right of it: The FBI can get into the phone without Apple's help, which increases exponentially the likelihood that the FBI must get into the phone without Apple's help because of the substantial injury possible through compelling Apple to participate.
> Using the "key" analogy, you're arguing that the courts can compel Apple, the safe manufacturer, to make a key to a customer's safe. That's hardly the same thing as providing an existing key. More than that:

I agree with you here, it's definitely true that the difference here is that instead of compelling a living owner of the safe/phone, the compelling is occurring against the manufacturer. I just did about two hours worth of case law search and I can't find a single precedent that even brings the safe manufacturer in the court room (I am not a lawyer, and I didn't search every case ever existing and am not the best at it, but I did many searches and read many cases just now). That means this case is very unique and very new to courts. I still think that at the very minimum the amount of effort and expenses required for the FBI to perform this task is going to end up brought up and possibly be a strong swaying part of the court discussion. There are other unrelated laws that allow the government to pay industry standard rates for things (I can't think of examples other than Eminent Domain laws, which are completely unrelated to this), so it could be argued that if Apple can do it for $X, and the FBI would require $X+$Y dollars to perform the task, the undue burden could be resolved simply through the $X industry standard payment. It is definitely easier for Apple to do this (they just have to use their existing EFI key to sign the code the FBI wants which is just a simple integer change rather than the FBI disassembling and reading the chip by hand). Your argument at least gives me some hope in the case, but I'm still skeptical that Apple will win. The FBI would likely have wanted to do such things for many years and have probably prepared an extensive case for themselves, and laws can always be misinterpreted to mean whatever you feel like since there are so many of them and they are so wordy instead of clear and straightforward like they should be.
> Apple is arguing that the "key" that the FBI is requesting renders all future safes useless.

As I understand it (correct me if I'm wrong), this actually doesn't render future safes useless. I was under the impression (obviously I have no evidence to support this claim) that the newest iPhone has mitigated this threat already. That being said, from a security design perspective I can't imagine how they could have developed a new system that does that. Because everyone uses PIN codes that are 4 digits as I was saying, their entire encryption model is massively flawed. This isn't likely to change, either, as not very many people are willing to use strong enough secrets. I do find it strange that the FBI has focused way too much on the fact that the EFI key is so heavily buried in the chip, because that key is meaningless if they have the ciphertext and the algorithms used, so perhaps it was a good thing that the ACLU showed an alternate method because the FBI keeps focusing on this one thing.
--
I hadn't read the document you gave until after I wrote the above, so this is kind of separate. I went out and dug for the actual full document, which is available here (40 page ruling): https://epic.org/amicus/crypto/apple/Orenstein-Order-Apple-iPhone-02292016.pdf
So this case could be strikingly different on first look, since the case involves a defendant that actually plead guilty. So this case in particular is the government v. an individual, where the individual is on trial. In the FBI v. Apple case, it's much different. I don't know what that means in regards to the case specifically, but it's worth noting that they weren't attempting to determine guilt. In both cases, the government is trying to determine potential co-conspirators, though. Just a note, as the comments the judge makes on the laws themselves are definitely transcendent to any structure of any case.
Most of the judge's argument here is that the All Writs Act itself fails to comply with existing law based on how it is worded (pg 11):
> The plain text of the statute thus confers on all federal courts the authority to issue orders where three requirements are satisfied:
> 1. issuance of the writ must be "in aid of" the issuing court's jurisdiction;
> 2. the type of writ requested must be "necessary or appropriate" to provide such aid to the issuing court's jurisdiction; and
> 3. the issuance of the writ must be "agreeable to the usages and principles of law"

The part he claims it doesn't satisfy is #3, the first two apparently hold. He then drags it into CALEA as the law that it is in conflict with (pg 17):
CALEA:
> Information services; private networks and interconnection services and facilities. The requirements of subsection (a) of this section do not apply to –
> (A) information services; or
> (B) equipment, facilities, or services that support the transport or switching of communications for private networks or for the sole purpose of interconnecting telecommunications carriers.

Apple's argument:
> Under CALEA "information services" means the "offering of a capability for generating, acquiring, storing, transforming, processing, retrieving, utilizing, or making available information via telecommunications," and "includes a service that permits a customer to retrieve stored information from, or file information for storage in, information storage facilities; electronic publishing; and electronic messaging services." [47 U.S.C.] § 1001(6).
>
> Apple is substantially engaged in developing and offering products that provide such capabilities. For example, Apple’s iTunes service allows customers to purchase, store, and access music, movies, television shows, games and apps via an Internet-connected Apple device, such as an iPhone[.] iTunes thus constitutes an "information service" under CALEA by providing "a capability for ... acquiring, storing ... [and] retrieving . . . information via telecommunications." Id. Similarly, iMessage allows Apple customers (connected over the Internet) to communicate by messages sent and received via their iPhone[.]

I'm going completely off topic now as I think this particular set of arguments is way more important than the iPhone case now. If you think about the CALEA usage in the past, while it was used by the NSA to compel AT&T/Verizon/etc (although it sounded like they didn't need much convincing), it was also used to compel information service providers (Google/Facebook/PRISM stuff). If this argument is in fact upheld (I assume that the FBI is bringing this case up to the Supreme Court, I doubt they'd just accept a loss), this actually is a major thing. This means that only telecommunications providers can be compelled through CALEA. Think about Lavabit. CALEA was used IIRC to compel him to deliver his private SSL key to the FBI. It's been kind of used as a bullying tactic for information service providers since none have sufficiently combatted this tactic to have a proper ruling. I think if someone actually did do this, we could actually prevent this sort of tactic being used.
Even more off-topic: If you think Ladar Levison is some sort of hero, think again. He screwed the American people in that case by representing himself and not knowing the procedures of the circuit court he appealed to, and essentially entered a null argument for his own case when the circuit court was not legally allowed to look at his previous ruling. DO NOT EVER REPRESENT YOURSELF IN COURT!!!
Bringing it back on the topic of the iPhone case, I also want to mention that this particular case is also a drug related offense and not a national security ruling. Many laws end up getting interpreted (4th and 5th amendments included) to have "exceptions" for national security much like the first amendment has exceptions to free speech for yelling "fire" in a movie theater. It's so strange and really unnerving since the 4th and 5th amendments were clearly written for the purposes of national security since the American Revolution was clearly about the British soldiers searching, setting up shop in houses, etc, during wartimes.
Just some thoughts, I guess I have no clear-cut opinion on this anymore just wanted to respond with some information I found. Only opinion I firmly have is that being a lawyer or judge would suck because most of this stuff is weirdly chained together between law to law to facet of another law, opinion here, no opinion here, etc.
I think it comes down to this: The FBI will get into the phone. That's never really been at issue. The question at hand is how easily they will get into the phone, and what that means for device manufacturers moving forward.
The FBI is arguing that they can compel Apple to cripple encryption after the fact. Apple is arguing they can't. It's a hell of a precedent to set, and most manufacturers have been trying hard not to set it.
American manufacturers are already hindered by laws against strong encryption in the United States; it doesn't effectively keep Americans from using them, but it does keep American manufacturers from selling them, giving European and Asian vendors a leg up. Aside from issues of civil liberties (which I in no way mean to discount), giving American law enforcement agencies the precedent of cracking into any American device however they want whenever they want because they decide they should is likely to have a chilling global effect on American technology companies.
And the thing of it is, weak encryption is adequate for most people. They're not looking to protect their information from the NSA, they're trying to keep their credit card info safe from their children. They want to know that if they drop their phone on the street, they have a few hours to wipe it remotely before someone hooks up a dongle to it to brute-force the combo. The type of encryption and the methods of decrypting it aren't really at issue.
It comes down to the government wanting the legal right to compel companies to disable their security features whenever the government says so and Apple, in this case, arguing that complying with the government would be bad for their customers and bad for their bottom line. And I suspect that Apple will win.
> And the thing of it is, weak encryption is adequate for most people. They're not looking to protect their information from the NSA, they're trying to keep their credit card info safe from their children. They want to know that if they drop their phone on the street, they have a few hours to wipe it remotely before someone hooks up a dongle to it to brute-force the combo. The type of encryption and the methods of decrypting it aren't really at issue.

True only because if you're a criminal attacking the encryption is the stupid way to get at someone's data. A dictionary attack on stupid passwords, or phishing, or some other sort of social engineering is much better. Getting at the data though the user is almost always going to be easier than through the machine. But strong encryption is still important because it creates trust. "Even the resources of a nation-state would be insufficient to crack this" engenders trust; "only thieves willing to shell out for some FPGAs can crack this" does not.
You are right about nearly everything in your statements, I don't really want to respond to all of it I just want to respond and make clear one thing here that I think you are already aware of. I feel weird that I have to add this disclaimer since generally when I read people quote a single part of a statement and comment on just that it looks like they are trying to take down the whole factual platform of the other guy off one thing, which I'm not. It's weird how quotations and discussions that are civil can even look confrontational when they are direct responses back and forth between two users. Anyway, I just wanted to point out:
> the FBI is arguing that they can compel Apple to cripple encryption after the fact. Apple is arguing they can't. It's a hell of a precedent to set, and most manufacturers have been trying hard not to set it.

Technically they aren't crippling encryption after the fact, it was poorly designed from the beginning and they instead relied on tamper-proofing the device itself to protect the data on the phone. It's not actually possible to cripple encryption after the fact without solving a new research problem on the algorithms themselves. It happens from time to time, but would be remarkable on some of the most well researched algorithms like AES and RSA that the NSA can't even get around. PRISM and many other programs wouldn't need to exist if they could break AES or RSA (keep in mind the usage of "or" and not "and" there, if they break one the other naturally fails in hybrid encryption like SSL/TLS for instance).
> American manufacturers are already hindered by laws against strong encryption in the United States

I'm actually unaware of this, could you talk about which laws you are referring to? I know of no strong encryption laws on the books, as basically every project that calls SSL (basically everything) is using strong cryptography. Every phone or other device manufacturer simply by installing OpenSSL has packaged in strong crypto and regularly uses it.
> Technically they aren't crippling encryption after the fact, it was poorly designed from the beginning and they instead relied on tamper-proofing the device itself to protect the data on the phone.

See, I'm not sure that distinction matters. It's like this:
- the device shipped with mediocre encryption, protected by tamper-proofing
- stronger encryption is currently available
- the FBI wants an end-run around the tamper-proofing
So whether the FBI wants to cripple "encryption" or "security" is a legal point, to be sure, but the precedent set is all about the after-the-fact part. They want to be able to compel a company to crack open something that was secure. That makes everything that is secure potentially insecure whenever the government can shove a writ through.
You're right - strong encryption will protect you. But there's also the pain-in-the-ass factor: if most people are using weak encryption, then using weak encryption is a great way to blend into the crowd. If everyone uses strong encryption, then using strong encryption becomes anonymous. In the NSA/FBI/CIA/TLA's horror world, everyone shifts to strong encryption, meaning that they can't single people out just by what encryption they're using. And then, they're sure going to want to be able to compel Apple into cracking that strong encryption, rather than just weak encryption.
> I'm actually unaware of this, could you talk about which laws you are referring to? I know of no strong encryption laws on the books, as basically every project that calls SSL (basically everything) is using strong cryptography.

https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States
> The only way that we can get real change in this country is for any major corporation to pull out and stop selling to the United States.

No. It's for foreign markets to stop buying American goods because the FBI/NSA/Illuminati/MolePeople has infiltrated them all, and if Angela Merkel uses an iPhone, it's basically giving the (insert three-letter agency) access to everything she does. When American products get banned/banished/dumped from foreign markets, you are going to see BIG changes in the US government. The government is bought and paid for by the big corps, and the big corps will not put up with this shit.
Fun Fact: The NSA routinely intercepts shipments of networking hardware. They snarf up the package, unbox it, make hardware/firmware changes to the device, repackage it, and insert it back into FedEx (or whoever's) stream of packages, and it gets delivered to the customer. "Why the hell has my package been in Memphis for two days?!? Jeezus, get it on a plane and get it here!" This is not a "common" practice, but it isn't rare, either. I have seen devices with the manufacturer's tamper-proof labels unbroken, and when you get inside, you find extra hardware, chips that never shipped in that product, etc. The NSA remotely controls those products across the network, and it lets them snoop on any traffic within a company. (They really like to do this to routers and ADCs, since so much traffic goes through them.)
Get into a single iPhone? Psh. They already have gotten in there. This is all a stunt to push a political agenda.