I don't want to link in the URL so that people don't read it thinking that is the content of the message, but this.

This blog post outlines how the government could reasonably decrypt the contents of the phone without involving Apple at all. As far as I read this, it seems correct. If you have an encryption key that is a wrapping key, all you need is a copy of the wrapping key and the storage in some way. After that, brute force does not require an EFI signed OS in the slightest to brute force the ciphertext, and at 10000 combinations even at the slowest of hashing speeds, this is meaningless as it would probably will take roughly 2 hours on modern laptops to crack an algorithm with that few combinations in something like bcrypt, multi-rounds, or other slow hashing algorithms.

This is supposed to be the smoking gun that the FBI is misleading the public and should lose the case, which is half true and half false. This is definitely proof that the FBI is misleading the public in regards to their capabilities, they absolutely can. However, this is not the smoking gun that will prove Apple to be in the legal right, but it instead is the exact evidence the FBI needs to win the case.

For those unaware, almost all digital law is based on physical law, including surveillance and encryption. Encryption has been mostly ruled by case law involving safes and safe cracking.

The previous stance and enforcement of the usage of safes is that if there is a key that can be picked involving the safe, then the citizen must hand over the key because it will take up government resources and waste taxpayer money to actually perform the act of the picking or tracking down a universal key that works with your safe. Sometimes they just have it handy and use it, other times they don't and the judge will demand you turn it over. If you do not, you are held in contempt of court.

This later extended into digital codes. If you have a digital code on a safe, that is considered something in your head that cannot be searched by the government (your mind cannot be searched legally, and you cannot incriminate yourself). They then found a way to extend the previous law to cover certain digital code based safes. How? If they can prove that the safe is in fact crackable (you can drill in a certain way if you subscribe to safecracking magazine, for instance), they can reasonably assume that they can force themselves into the safe and then it again becomes a waste of taxpayer dollars for them to perform the task, purchase the drills, etc.

Honestly, I understand the logic of this debate and it isn't actually all that terrible. They reasonably can crack the safe, and they will by using up taxpayer dollars, so why would you put the burden of a warranted search on the taxpayers.

How these laws have extended into digital law is that anything that you physically can possess that unlocks a computer (say a smart device or a password that can be bypassed if you aren't encrypting your device), then they can compel you to give up the device or password involved (or at least force you to unlock it, passwords are considered not something they have the authority to directly request, but they can force you to type it in). If the password is an encryption key, you are essentially safe because they are attempting to force you to incriminate yourself.

The FBI/Apple case now is entirely different from all of this. Yes the device is encrypted, but it is encrypted in a way that is easily decryptable (Apple relied mostly on EFI and tamper-proofing to protect the devices, which is smart, but not enough). The reason this is the case is that people don't like having passwords with enough entropy (8-10 random digits or word phrases, etc) and a 4 digit pin number is very very easy to crack even with the slowest of hashing algorithms. Apple does this for your own personal usability, as most people don't want to remember or type out a long passphrase on their phone or tablet. It's actually smart thinking, as only insane people like myself use properly long encryption passwords on their phones (I have to protect all of those cheapo freemium games!).

Anyway, to tie this all together, how does this screw Apple? Apple and the ACLU have definitively proven that the device can be broken into by the FBI since the chips can be removed and copied if done carefully and correctly. This, however, costs quite a bit of money to make sure the tamper proofing is bypassed correctly and the chips containing the wrapping keys are frozen and copied before they are erased. To verify 100% certainty, it would cost a lot of money to do which proves undue burden on the taxpayers of the country, meaning they can use previous digital and safe case law to completely screw Apple over.

Don't shoot the messenger, I'm in favor of Apple winning this case, but I see no way for them to win given how encryption law has been enforced in the past. There's essentially direct previous case law on this issue and people are a bit too emotionally charged to realize that we have been losing the encryption debate for the last 15-20 years, and in most cases have already lost. When we technologists were screaming about the importance of encryption laws and cases decades ago, nobody cared. Now it's too late for you to care, though it's cute that you think Apple will win.

The only way that we can get real change in this country is for any major corporation to pull out and stop selling to the United States. Apple should do this, but I don't see their shareholders approving this decision. I also don't see any other company doing this as it would be infeasible to sustain their expenses.

Welcome to the new age of technology. We've been here for decades you just weren't paying attention.


kleinbl00:

Your analysis is incorrect.

    The previous stance and enforcement of the usage of safes is that if there is a key that can be picked involving the safe, then the citizen must hand over the key because it will take up government resources and waste taxpayer money to actually perform the act of the picking or tracking down a universal key that works with your safe. Sometimes they just have it handy and use it, other times they don't and the judge will demand you turn it over. If you do not, you are held in contempt of court.

All well and good. however:

    Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

Using the "key" analogy, you're arguing that the courts can compel Apple, the safe manufacturer, to make a key to a customer's safe. That's hardly the same thing as providing an existing key. More than that:

    The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.

Apple is arguing that the "key" that the FBI is requesting renders all future safes useless. That's a pretty potent restraint of trade issue. Particularly as a third of Apple's iPhone business is in China:

Strong encryption to prevent a known authoritarian government from spying on its dissidents is the sort of sales feature that stands up pretty strongly in court. The blog post you link demonstrates that the FBI can get into the phone, it's just going to be a costly pain in the ass. Apple admits that they can get into the phone, but it won't just be a costly pain in the ass, it'll be a body blow to the security of their products.

    There's essentially direct previous case law on this issue and people are a bit too emotionally charged to realize that we have been losing the encryption debate for the last 15-20 years, and in most cases have already lost.

Au contraire. Apple won just last week.

    Under a more appropriate

    understanding of the AWA's function as a source of residual authority to issue orders that are

    "agreeable to the usages and principles of law," 28 U.S.C. § 1651(a), the relief the government seeks is

    unavailable because Congress has considered legislation that would achieve the same result but has not

    adopted it. In addition, applicable case law requires me to consider three factors in deciding whether to

    issue an order under the AWA: the closeness of Apple's relationship to the underlying criminal

    conduct and government investigation; the burden the requested order would impose on Apple; and

    the necessity of imposing such a burden on Apple. As explained below, after reviewing the facts in the

    record and the parties' arguments, I conclude that none of those factors justifies imposing on Apple

    the obligation to assist the government's investigation against its will. I therefore deny the motion.

Not saying this is cut'n'dried. But the ACLU has the right of it: The FBI can get into the phone without Apple's help, which increases exponentially the likelihood that the FBI must get into the phone without Apple's help because of the substantial injury possible through compelling Apple to participate.


posted by user-inactivated: 953 days ago