Is the DEA Lying About iMessage Security?
First time accepted submitter snobody writes "Recently, an article was posted on Slashdot about the claim that law enforcement made about being frustrated by their inability to decrypt messages using Apple's iMessage. However, this article on Techdirt suggests that the DEA may be spewing out disinformation. As the Techdirt article says, if you switch to a new iDevice, you still are able to access your old iMessages, suggesting that Apple has the key somewhere in the cloud. Thus, if law enforcement goes directly to Apple, they should be able to get the key."
Are you kidding? (Score:5, Insightful)
The mere fact that you even have to ASK such a question means the answer is "Yes."
Re:Are you kidding? (Score:5, Insightful)
Betteridge is probably right. The messages are likely technically interceptable but not through the means the DEA tried; they didn't ask the right people the right questions.
Re:Are you kidding? (Score:5, Insightful)
This is probably the crux of their complaint - they can't intercept the messages without going through proper procedures, getting a warrant, and leaving a paper trail. This is precisely how things should work.
Re:Are you kidding? (Score:5, Insightful)
Exactly. The problem (as far as the DEA is concerned) is that they might be forced to actually obey the law themselves for a change. They much prefer tapping what they want with no oversight.
Re:Are you kidding? (Score:5, Informative)
Getting the key from Apple isn't really "technically interceptible" anyway. The problem, from their end, is likely that they need to subpoena the information from Apple (both past messages and the key for future use),
This assumes a certain architecture. If the cryptosystem is strong, there is probably a frequent key rotation schedule, in which the same key that encrypted past messages will potentially be replaced in the future by the time any new messages are exchanged.
It would be ideal if some portion of this key were secured by the password, e.g. a SCRYPT, BCRYPT or PBKDF2 hash of the password is part of the secret material required to decrypt the key on the client, and any change of the user's password results in key rotation.
It is conceivable that Apple could design a system in which the keys would be available on multiple of your devices (because you knew an additional secret), but not available to Apple to extract or find out what the key is (because Apple denies themselves access to the secret).
Do I think it's designed that way? No... it would not happen by coincidence, for sure.
Could they have designed it that way? Yes
Re: (Score:2)
Bcrypt is a wonderful tool but it is not strong encryption. PGP now yields to decoding. It could be really interesting to search old transmissions and decode them. Statutes of Limitation may not hold as the evidence of crimes was hidden until now. So the guy that put up a lot of kiddie porn years ago or downloaded such material could be in for a real shock. Politicians and lawyers and the like might also need to squirm a bit. If I got it right PGP can now be decoded in real time. Yesterdays m
Re:Are you kidding? (Score:4, Insightful)
I'm pretty sure you're wrong. PGP uses RSA and IDEA. If RSA was breakable, particularly in realtime, there would be a lot more screaming. Some older versions of PGP had some bugs that were theoretically exploitable, but I don't think any of them have actually been exploited, never mind reliably or in real time. There have been several incidents over the years suggesting that authorities cannot decrypt PGP encrypted data.
It's possible that some early RSA encrypted messages using very short keys are technically decryptable, but you'd have to be a highly motivated government agency to do so, and you still wouldn't be doing it in anything close to realtime.
Yesterday's munitions are... pretty much unchanged today, except that you can be extra paranoid and use longer keys now.
Re: (Score:3)
There have been several incidents over the years suggesting that authorities cannot decrypt PGP encrypted data.
I think it's that authorities can't always decrypt PGP encrypted data.
In some earlier versions of PGP, or on some certain OS versions, the entropy producing functions of the OS (secure random number generator), were broken, in such a way, that one or more of the asymmetric keys protecting an encrypted document would be a weak keypair, OR one of the symmetric keys protecting an encrypted
Re: (Score:2)
The authorities are more likely to break the recipient (or the sender). Which is the approach they've been taking: in one of those incidents I mentioned somebody went to jail for nine months for not decrypting the message for the court.
As someone else pointed out, if the NSA or whoever could break RSA it would only make the drug dealers' messages more secure. They wouldn't want foreign governments and international baddies to stop using it because Joe Random got convicted for dealing after his computer wa
Re: (Score:3)
Bcrypt is a wonderful tool but it is not strong encryption. PGP now yields to decoding.
That's not true... BCrypt for a specified number of rounds (adaptation of the blowfish cipher) is stronger than PBKDF2; that is, more resistant against dictionary/brute force attacks using GPUs and other embedded hardware.
Furthermore, these have nothing to do with PGP.
All 3 are key derivation functions, which are used to generate an encryption key from a password, and may be salted; such that the key generated is
Re: (Score:2)
What question? Oh! I see what you're doing here.
That question that is followed by the "or else..."
Re:Are you kidding? (Score:5, Insightful)
Contrary to Betteridge, the answer to almost any question of the form "is the DEA lying" is yes. They're a worse propaganda machine than every other alphabet-soup agency put together, which is saying something.
The DEA (Score:5, Insightful)
The DEA lies about everything else. Why would this be any different? The very fact that the DEA exists is an affront to personal liberty; we have decades of detailed records of them spreading falsehoods, destroying families, in general doing far more harm than drugs ever did or ever could.
DEA Informers: They lie about who they are, what they do, what their intent is -- and just about anything else they're asked. This is who they are. Liars. But that's not all they are. They're also as dangerous as any government agent you can imagine, wholly without concern for anyone but themselves.
DEA agents: They lie about where the danger comes from; they lie about toxicity; they lie about addictiveness. They lie about consequences (they ARE the primary consequences), and they have been known to attempt to trade your personal honor for your freedom if you fall into their hands. They created the violence underlying the black market drug trade; they created the black market itself. They're not shy of interfering with other sovereign countries, nor of playing fast and loose with our own "justice" system.
So when a DEA "anything" tells you something, you're best off assuming they're lying. It's what they do. Aside from destroying families, that is. If they're not lying, they're likely trying to hurt you some other way. Get away and stay away. Nothing truly good can ever come of contact with people so bereft of personal honor -- or so outright stupid -- that they would work for the DEA.
To heck with them. And the laws they rode in on. And those who made the laws. And those in the general population who thought, and perhaps still think, agencies like the DEA were ever a good idea.
The drug war: It's a war on you and your family and your friends.
Re: (Score:3, Insightful)
Good grief. Ok, here's the obvious example: You can sell, or smoke, a joint - a light intoxicant which does far less harm (probably none at all in most cases) than alcohol - and go to jail for years for these acts. After which, you are often considered a felon, which pretty well puts paid to your future. I'm sure you know this and you're just being disingenuous.
You're confusing your uninformed state with the idea that my statements are unfounded.
Go spend some time with Google. The DEA's acti
Re: (Score:3, Insightful)
Go spend some time with Google.
I don't disagree with you, but digging up citations to support your argument is your job, not the reader's.
Re:The DEA (Score:4, Insightful)
something that would be unlikely to happen with alcohol
It's also unlikely to happen with marijuana. It's even unlikely to happen with LSD, although probably more likely. Unfortunately, unlike tobacco and alcohol, there is no requirement to put warning labels on marijuana when it's sold. It is also difficult to do detailed studies on the effects of the drug, and it is not possible to go to a doctor and be tested for the latent conditions that can be triggered by certain chemicals, if those chemicals happen to be illegal.
Re: (Score:2)
Actually, it can happen with severe alcoholism. I'm sorry for what happened to your family, but alcohol can have the exact same impact on a family. There are plenty of ways for people to destroy themselves and hurt the people they are supposed to love. Sometimes it isn't even their fault (inability to deal with a traumatic experience for example).
Some people take Tylenol and die. Most don't, but some do. We don't ban Tylenol. Instead we sell it over the counter to anyone who asks because we recognize t
Re:The DEA (Score:4, Insightful)
This is not a reasonable argument against pot. There are people out there who can't drink milk; who can't eat bread; who can't take aspirin, etc. The correct response to that reality is not to make milk and bread and aspirin illegal, and then to escalate such that someone who sells milk or bread or aspirin, or consumes them, goes to prison, etc.
There are people who will have severe reactions if they see flashing lights. Should we therefore make flashing lights illegal? What about peanuts? I like peanuts on my sundaes; but they will really hose some people. Should we outlaw peanut butter and all other peanut products? And then go shooting people on sight if they grow or sell peanuts?
It is an unreasonable argument to assert that these things are bad because some small percentage of the population has trouble with them. The reasonable conclusion, in fact, is that there's something unusual about that small percentage, and that is certainly worth looking at. But that's darned difficult to do when the whole thing is massively illegal and has its own ultra-violent specialized military to enforce that illegality.
It's harmless for the vast majority. We're quite sure of that, because the number of people who have indulged is extremely large. Pretending that your wife's experience, even if correctly attributed to marijuana use, is sufficient to categorize marijuana as generally harmful is very poor procedure. It is exactly the same kind of cognitive error that would categorize peanut butter as generally harmful because occasionally someone is found to have an adverse reaction to peanuts.
Re: (Score:3)
So is what you're saying that Rosa Parks should have stayed at the back of the bus? Because she was "saying "Fuck you" to the whole democratic system and was just BEGGING the judge to put her in jail"?
What you're completely missing here is that the law can be wrong. The whole system can be wrong. It can fail to respond to corrective forces, such as information or awareness of side effects, or to take civil rights into account. Even when there are large, organized groups of people carefully organizing the da
Re:The DEA (Score:5, Informative)
I don't know about the spreading of falsehood part, but destroying families and doing far more harm than good -- that's fact.
Glenn Greenwald debated GWB's drug czar on the question of whether the US should legalize all drugs. http://vimeo.com/32110912 [vimeo.com] Greenwald identified the following costs, all of which we pay due to the drug war, all of which would go away if reason prevailed, and challenges prohibitionists to address why these costs are worth it. Listen closely to Portugal's experience with decriminalizing all drugs (evaporation of the following costs, slight increase in usage rates of some drugs (but less of an increase than neighbor countries during the same time period), a DROP in usage rates of drugs among young people, reduction in the spread of HIV etc, returning people who use drugs to the productive economy rather than making them burdensomely unemployable, acceptance of the police as a helpful organization rather than an enemy, which leads to the police being able to actually investigate real crime).
If you are unable to address those costs with evidence based information, we will know your opinion is based on mere personal dislike for drugs and drug users, i.e., moralizing, fear mongering, and prejudice:
1. The US is the world's largest prison state on a per capita basis AND on an absolute basis. We hold 25% of the world's prisoners despite having only 5% of the world's population.
2. The War on Drugs is undeniably racist. All ethnic groups use drugs at essentially equal levels, but certain minorities comprise the greatest number by far of those convicted.
3. Economic costs in the 100s of billions and yet no reduction in drug use.
4. Drug war has spawned the privatised prison industry.
5. The erosion of civil liberties experienced in the last 40 years has been rooted in the drug war.
6. Militarization of the police force which turns it from an organization community members will trust for help, into one which is feared and deemed an enemy. This hinders solving crime.
7. International resentment to the US based on US demands that other countries criminalize their population and take on what are seen as unnecessary social and economic costs.
8. Extreme violence due to the fact that in a black market, only criminals will participate and criminals use violence to secure market share ("you don't see Budweiser and Heineken shooting each other over territory").
9. Drug war breeds contempt for the law, because millions of people use drugs, even frequently, without any consequences at all (depending on one's demographic profile).
10. The drug war destroys the lives of the very individuals the government claims it wishes to help because as felons, they become unemployable. So while imprisoned and after release, such people are unable to provide for their families and being separated from families is highly corrosive to families.
Re: (Score:2, Troll)
I rode motorcycles for over 45 years. The dangers of motorcycles are many and only a fool would argue that motorcycles are not dangerous.
So what, you may say. Well I have seen more drug addicts in life and death emergencies on the streets and sidewalks than I have ever seen motorcyclists in critical condition. In other words even forgetting disease and subtle losses it is obvious that the use of drugs is far more dangerous that
Re:The DEA (Score:5, Informative)
Obviously you failed to watch the debate.
1. 50% of the Federal inmates, 25% of state inmates for drug offenses: http://www.drugwarfacts.org/cms/Prisons_and_Drugs [drugwarfacts.org]
2. You're just being racist.
http://healthland.time.com/2011/11/07/study-whites-more-likely-to-abuse-drugs-than-blacks/ [time.com]
http://www.hrw.org/news/2009/06/19/race-drugs-and-law-enforcement-united-states#_Part_I:_Race [hrw.org]
3. I don't even understand your point in the first sentence. It's totally incoherent. The second, about the sex trade, completely misses the point because the number of people who use prostitutes is vastly smaller than those who use drugs. The drug war is like outlawing french fries -- sure, they make you fat but so many people use them, it's pointless to push against the tide. The same cannot be said about prostitution. If we ever get to the point that is the case, then we can address that -- right now, it's just off topic. A diversion.
5. As Greenwald pointed out in his debate, the egregious civil liberties violations of the last decade, first took root in the drug war.
6. Google "drug war militarization of the police force" and pick an article: https://www.google.com/search?q=drug+war+militarization+of+the+police+force [google.com]
7. Again, you totally didn't watch the debate
Re: (Score:2)
The mere fact that you even have to ASK such a question means the answer is "Yes."
IMO the very fact that slashdot suggested a totally closed and 3rd party controlled device to be used for safe communication [slashdot.org] speaks that this website has fallen. There is no news for nerds anymore, no knowledgeable operators/moderators. Truly nerdy/innovative/liberating technologies (like bitcoin) are shunned and rejected here based on FUD. The majority of good users have moved elsewhere (reddit for example). Clueless Apple fanboys and similar are the only ones left.
It's American company so the answer is obvious (Score:5, Insightful)
Re: (Score:2)
Lots of people believe different because some US companies supply software based on stuff like openssh and truecrypt.
Here's the fundamental problem with this sort of theory - if the US can decode something, chances are other people can too.
Open source (Score:3)
Who would believe any different?
If the source is open, it's actually possible to check if the data safety is sane.
Example: Mozilla's Sync.
It *does* store web passwords on the server.
Data sent and received from the server is always encrypted. (the server never has access to the clear text, only to the encrypted form)
Without the password that the user keeps for him/herself, all the rest is useless.
Three-letter agencies could subpoena all that they want, there simply isn't a technical way to extract the data. All that they can get is only a
Yes and no (Score:5, Informative)
I think one of the main problems law enforcement has with iMessages is that it is ridiculously easy to get a pen register from a telco for a phone number. This is a list of the calls made to/from that number and a list of SMS/MMS to/from that number. iMessage bypasses SMS/MMS if both the origin and destination device are iMessage capable, so those interactions do not show in a pen register. The same could be said for many other text/chat services, but iMessage is the default texting client for a large number of people and does not require the user to do anything special to message others without the telco knowing, unlike many other services.
iMessage isn't that special, the memo could just as easily have been talking about Facebook messages, which also won't appear in a pen register.
Erdos+Bacon=Pen register results in probable cause (Score:4, Informative)
When you get links that are that long, you can ensnare everyone in the world, whether or not they are truly guilty of anything, just from guilt by association. See the comment [slashdot.org] about 6-degrees-of-Kevin-Bacon or the one about [slashdot.org] Bacon numbers and Erdős Numbers.
Key in cloud != Key accessible by Apple (Score:5, Informative)
Re: (Score:3, Insightful)
Yes, that COULD be. In reality there are password reset methods and no company will ever tell a customer that they have just lost all their messages, photos, etc. because they forgot their password. Wake the fuck up.
Re:Key in cloud != Key accessible by Apple (Score:5, Interesting)
Re: (Score:3)
Yes, that COULD be. In reality there are password reset methods and no company will ever tell a customer that they have just lost all their messages, photos, etc. because they forgot their password. Wake the fuck up.
Actually, if you turn on two factor authentication then that is exactly what Apple will do. For authentication, there are three items that can be used: Your password, a 16 digit key that you should stash away in a secret place, and a device (iOS or Mac) that you registered with Apple. Any two of these, and you can do anything. With only one thing, there is nothing you can do, and nothing that Apple can do to help you.
Re: (Score:2)
That means Apple won't help you. They could, but they would compromise the added benefit of the two factor service. It's not a technical limitation.
Apple have your registered device IDs. Apple have that 16 digit key they gave you that you stash away. The only thing they may not have is your password. But they might, you don't know that.
Re: (Score:2)
That means Apple won't help you. They could, but they would compromise the added benefit of the two factor service. It's not a technical limitation. Apple have your registered device IDs. Apple have that 16 digit key they gave you that you stash away. The only thing they may not have is your password. But they might, you don't know that.
Apple wouldn't need the 16 digit key. Obviously they _might_ have it since they sent it to you in the first place. Apple has enough info to send things to your registered devices, but that doesn't necessarily mean they actually have the code that your registered device is going to display. Again, they _might_ have it.
The website about two factor authentication says that Apple _cannot_ help you when you lose two of your three items. Not "won't", but "cannot". If they "won't" help you, then they would prob
Re: (Score:3)
Your definition of cannot is wrong.
They cannot help you because they have not built a system for their support staff to help you in that situation.
The term should in no way imply the architecture of the system. It defines only the services they will provide you as a customer.
Re: (Score:2)
Actually, that's exactly what Apple does. The password he's talking about would only be being used to encrypt the user's backup of their device. As such, even if the user resets their password, the iDevice would still have a local copy of the data that it could encrypt with the new password and then backup like normal. Whether the user has the same password or not doesn't particularly matter, since the old backup is going to get replaced either way. It just means that if you got a new iDevice, you'd have to
Re: (Score:2)
That would be saner than just storing the key; but I suspect that virtually everybody's password is substantially less entropic than all but the most horrible and obsolete cryptographic keys...
Re: (Score:2)
Even if it were set up that way, we already know Apple wipes [malicious] apps without user intervention/approval. It's not much of a stretch to assume they could [already have the capability to] surreptitiously download and run an app that snoops your private keys, since these keys must be in the clear on the user's iWhatever for iMessage to work in the first place.
Re: (Score:2)
They can already blacklist apps on your iPhone.
https://iphone-services.apple.com/clbl/unauthorizedApps [apple.com]
They just haven't added any to the list yet.
Re: (Score:3)
I'd actually be curious if you could cite any examples of them having done this. I have several apps on my iPhone that were later pulled by Apple from the iTunes Store (including an app that purports to be a simple flashlight but actually allows the user to use the iPhone as a mobile hotspot without having to pay for a tethering plan with their carrier), but I'm not aware of any that were pulled from users' devices. I'll readily agree that they do have the ability, but I can't recall them ever having e
Re: (Score:2)
You're correct. We know they have the ability, but they've never done it. They're not stupid. They know people are watching and that doing so will create a huge uproar. It would have to be something that's a serious threat to either Apple or their customers before they'd pull the trigger on it. Something they can hold up and say "We took extraordinary measures to protect our customers from this very serious threat," rather than something that would end up in the news like "Apple unilaterally removes pu
Re: (Score:2)
I received an email from Apple reminding me that I had $10 in iTunes funds available.
Only problem is where my username should have been was my password in plaintext.
Re: (Score:2)
Perhaps you shouldn't use your username as your password too. ;)
Re: (Score:2)
Your messages are readable and accessible by Apple.
They're probably also stored in plain-text too.
How do you think they deliver the message in a readable, plain-text format to the recipient?
How do you think they store it while the recipient is off-line?
The message is sent over an encrypted channel though. That's the only thing the DEA are complaining about, they can't easily intercept the message without the knowledge/co-operation of another party (you, Apple or the recipient in this case).
Re: (Score:2)
If it's done, it could be something like this:
Encrypt message with key.
Encrypt key with password.
Encrypt key with FBI password.
Store both encrypted keys and the encrypted message.
Guess who has access to your message. No brute force required.
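Added example, not part of any comment in this thread and not Apple's code: the two designs discussed above, written out in Python. A random message key is wrapped under a PBKDF2 key derived from the user's password, so any device that knows the password can read the record while the server holding it cannot; the escrow variant from the steps just listed stores a second wrapped copy of the same key. The record layout, function names, iteration count and the HMAC-based cipher (a standard-library stand-in for AES-GCM) are assumptions of this example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor, chosen for this example


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one input key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in for a real cipher such as AES.
    blocks = [
        hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on the wrong key."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def derive_kek(password: str, salt: bytes) -> bytes:
    # Key-encryption key from the password; scrypt or bcrypt would also fit here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def store_message(message: bytes, password: str, escrow_key: bytes = None) -> dict:
    """Build the record a server would hold. It never contains the password."""
    message_key = os.urandom(32)
    salt = os.urandom(16)
    record = {
        "salt": salt,
        "ciphertext": seal(message_key, message),
        "key_wrapped_for_user": seal(derive_kek(password, salt), message_key),
    }
    if escrow_key is not None:
        # The escrow design: a second copy of the same message key,
        # wrapped for a party the user does not control.
        record["key_wrapped_for_escrow"] = seal(escrow_key, message_key)
    return record


def read_as_user(record: dict, password: str) -> bytes:
    kek = derive_kek(password, record["salt"])
    message_key = open_sealed(kek, record["key_wrapped_for_user"])
    return open_sealed(message_key, record["ciphertext"])


def read_as_escrow(record: dict, escrow_key: bytes) -> bytes:
    if "key_wrapped_for_escrow" not in record:
        raise ValueError("record holds no escrow copy of the message key")
    message_key = open_sealed(escrow_key, record["key_wrapped_for_escrow"])
    return open_sealed(message_key, record["ciphertext"])


if __name__ == "__main__":
    escrow_key = os.urandom(32)  # constructed sample key
    plain = store_message(b"constructed sample message", "user password")
    escrowed = store_message(b"constructed sample message", "user password", escrow_key)
    print("second device, same password:", read_as_user(plain, "user password"))
    print("escrow holder, no password:  ", read_as_escrow(escrowed, escrow_key))
    try:
        read_as_escrow(plain, escrow_key)
    except ValueError as err:
        print("without escrow copy:         ", err)
```

Which of the two records a service stores cannot be told from the client side; both decrypt identically for the user, so the difference only shows in the stored record or the source.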
Re: (Score:2)
Spot-on. Though I should point out that iMessages are definitely not encrypted using the password at the time that they're sent, though they are later on in the process you described.
I'm too lazy to look up links right now, but there was an issue a few months (years?) back, where stolen iPhones had iMessages going to them still, even though the victims had received new phones and changed their passwords. If the password alone was the key, that wouldn't have been happening. That said, the backups that are st
Probably talking about two different things... (Score:5, Insightful)
Unless the DEA is actively 'leaking' in order to attempt to move people into a vulnerable channel with a false sense of security (not impossible; but I'm inclined to suspect that the higher level drug runners take their paranoia seriously, or they wouldn't have lasted long enough to level up, and the lower level ones are probably more often foiled by the fact that they need to solicit customers, any one of which could be a plant), I'd be inclined to a more prosaic explanation.
With SMS, architectural security during transmission is somewhere between pitiful and nonexistent and the entity that handles the messages during their voyage is the phone company, which has substantial legal incentives to, and a long history of, supine cooperation with the authorities.
With iMessage, it looks pretty much like SMS on the handset; but it's all just data to the telco, and Apple presumably included some SSL/TLS or similar implementation that isn't totally broken, meaning that going through the telco is totally useless (this would also be why the leaked memo specifically mentioned that iMessages sent to non-Apple devices, which would be crunched into SMS at some stage, were still often recoverable).
The fact that Apple can, apparently, retrieve your iMessage history for you suggests that, indeed, a subpoena of Apple would leave you in the open; but I imagine that the DEA is much more familiar with, and pleased by, the 'service-oriented' attitudes of the phone companies, who are extremely forthcoming with customer information, with very low bars to clear, and minimal pesky judicial process.
Certainly not a good idea to trust anything that the service operator can 'recover' or 'restore' for you to be secure (since it can't possibly be); but the DEA jackboots probably do encounter significantly greater hassle with a message that is never available to the notoriously friendly telcos. You are still up shit creek if they are building a case against you specifically (or if Apple caves and starts providing bulk access at some future time); but casual fishing is likely to be more difficult.
Re: (Score:2)
Right. They're lazy and want to have it delivered on a platter. With this method they have to get off their asses and do work.
Re: (Score:2)
Laziness is the optimistic option... The pessimistic possibility is that they are currently doing a nontrivial amount of surveillance that meets the (somewhere between low and nonexistent, depending on how you ask) standard of evidence for pen registers and similar; but would not meet the standards that would apply if they had to ask a judge to let them demand the goods from Apple.
PGP (Score:2)
I've been wondering the same thing about older news stories, on how the FBI was unable to crack PGP encryption. That too might be disinformacija.
Re:PGP (Score:5, Interesting)
If they were the only ones who said so, I'd be inclined to distrust it too. However, RSA has been around for 36 years now with no serious challenges, so either there is a world-wide conspiracy that controls every single mathematician (or several that between them control all the mathematicians), or it's unbroken.
It's also possible that there are a few mathematicians decades ahead of current research that all work for various governments, but considering how much of mathematical work is derivative now, it seems far too unlikely that some unaffiliated researcher wouldn't have stumbled across the discovery independently.
(Well, or the NSA has a working quantum computer that can do work on a useful scale, which goes back to "decades ahead of current research".)
Re:PGP (Score:5, Insightful)
Suppose the darkest inner circles of government intelligence agencies actually can crack widely-used and trusted encryption like PGP. If you're merely an international drug dealer and child slave trader (or peaceful anti-war protestor, whichever the FBI loathes more), the tiny cabal of people within the FBI who have the clearance to know about the PGP crack aren't going to do anything that remotely risks leaking such information. Your secrets are perfectly safe with them, because they've got more important targets (like all the Top-Secret-equivalent info from foreign governments and corporations) that they'd lose covert access to if even a vaguely credible hint of a PGP crack leaked to lower levels of government law enforcement (and from there to other countries' intelligence operatives). A PGP crack would simply be too important an asset for covert intelligence to risk exposing on whatever mildly nefarious plots your encrypted emails are hiding.
don't know about imessage (Score:4, Insightful)
But they've never lied about the effects of drug usage, right?
Right?
Um, right?
The drug war is suckled on lies (Score:3)
Every government statistic or statement on the drug war is not to be believed. There might be some truth in some of it, but after 80+ years of lies, it's not the way to bet.
The DEA is not the NSA. (Score:3)
DEA can't TAP it (Score:5, Insightful)
The issue is not that the DEA cannot lawfully acquire the messages... It's that THEY HAVE TO ASK, EVERY TIME.
Most taps are just "wide open" until the warrant expires and the telco turns the tap off... There is very little oversight. Many online services give law enforcement more of an "open ticket" to keep coming back for email or Facebook as often as they need. While the line isn't "tapped" LEOs can refresh every twenty minutes if they want.
They are attempting to bully Apple into allowing a MITM or wide open ticket to people's accounts. The first post on this very carefully NEGLECTED to mention that Apple COMPLIES with lawful requests. Which they most certainly would. The issue is that Apple won't open a giant backdoor and look the other way while LEOs look up their ex-girlfriends, or people with fancy cars to pick on. Apple is probably making them request transcripts with dates and times... And then APPLE SENDS it to them.
Re: (Score:3)
Well, according to Apple's own (scanty) information on iMessage and on third party analysis, it looks like it is some sort of end to end encryption with Apple serving as the cert authority. It may well be that Apple cannot intercept the messages as the system is currently designed and can only reissue a certificate by killing the old one (and thus alerting the user because their iMessage stops working). That is by no means certain, but if it is not the case then Apple might have a false advertising lawsuit
Re: (Score:2)
The issue is that Apple won't open a giant backdoor and look the other way...
Why not? I mean, aside from the possibility of getting caught...
Re: (Score:2)
Like getting caught stopped AT&T?? Didn't they make what the NSA asked for legal after-the-fact AT&T got caught?
There is a technical issue that Apple doesn't support redirecting messages...although they could allow the DEA to have an additional iMessage device. Apple probably "could" do it.
The REAL issue is that there is NO LEGAL MANDATE for Apple to do so. Apple running a chat program is legally no different than YOU running a chat program. Apple is not a telecommunications provider or an ISP, nor d
Re: (Score:2)
The REAL issue is that there is NO LEGAL MANDATE for Apple to do so.
Actually we don't know that. Secret laws and all. There could be a gag order to keep them from mentioning it, like a national security letter. With all this secrecy, we don't have a clue of who knows what, leaving us to assume the worst, which is the recommended way of dealing with any of this.
Well color me surprised. (Score:2)
Because who could have possibly seen THAT coming. Seriously, this is my shocked face.
So, post m4ssages on public bulletin boards (Score:2)
'looking like a "Lawnmower for Sale" but with message
encrypted into tel.# & eMail address
Better, encrypted into photos for an apartment / house
ad (on a free-ad web site)
Dump your eDevice(s)
QED
Obscurity (Score:2)
Do it yourself (Score:4, Informative)
Without a Warrant (Score:2)
If they go to Apple _WITH_ a warrant, Apple can surely provide them with the information (well, I'd be shocked if they couldn't comply with a warrant).
That's not what the DEA wants, however - they want to be able to read the messages _WITHOUT_ a warrant. I imagine that is where they are having difficulties intercepting and reading iMessages.
What about Blackberry? (Score:3)
What could happen... (Score:2)
It is also possible that Apple has absolutely no way to read your iMessages. I would think that making iMessage safe against hacker attacks would
probably just bending the truth (Score:2)
They can probably not decrypt iMessage traffic without some other information or hooks; but they almost certainly have that.
oh well (Score:2)
Same crap with Google Talk (Score:2)
I keep hitting the "off the record" option on Google Talk chats. However, I log in from e.g. an Android device and voila - the chat is back there with the chat log.
So much about off the record.
These companies lie to us.
I am sure they are... (Score:2)
and that is the real problem. I think a better broader question to be asking is should a "free and democratic society with government by the people and for the people" have agencies spreading disinformation to the people?
I ask this because there is already a large portion of the population that has a very cynical, mistrustful view of government (myself included). When officials are known to provide inaccurate information to the public it harms society's ability to trust any other information from government.
One of the assumptions in the article is flawed. (Score:2)
If the encryption key is derived from the user's password, and it's hashed differently than whatever algorithm Apple uses for login (one example might be PBKDF2 for encryption and crypt() for login) - it's very easy to store encrypted "blobs" of data that can only be accessed by the user (with their password). I believe this is how Blackberry operates - their servers store encrypted data, but BB is never in possession of the key.
That said, if you read the DEA's memo more carefully, all it pretty much says
wait a second (Score:2)
FTA: "An internal Drug Enforcement Administration document seen by CNET discusses a February 2013 criminal investigation and warns that because of the use of encryption, 'it is impossible to intercept iMessages between two Apple devices' even with a court order approved by a federal judge." ...the key word is INTERCEPT.
I'm not a security or network expert, but isn't "intercept" different than "decrypt messages stored on a server"?
couldn't it be difficult to intercept (whereas reading messages stored somewhere
Re: Who cares (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
John Lennon - yes, the dead Beatle - was watched by the FBI for - God forbid! - preaching peace!
We are a God fearing Christian Nation! We can't have those wackos preaching Peace!
Preaching peace in time of war is a clear and present danger to the government's recruitment efforts. It is LITERALLY like shouting fire in a crowded theatre [wikipedia.org].
This is why it is important to defend the free speech right to shout fire in a crowded theatre. Worst that could happen is everyone walking out calmly and in order. Just because someone thinks there is a fire doesn't give him the right to push, stomp or strike anyone that stands in his way. If people act like ass-holes during emergencies then this is what
Re: Who cares (Score:5, Insightful)
I was with you until you said this:
Worst that could happen is everyone walking out calmly and in order.
That is far from the worst that can happen. That is in fact the best case scenario outside of no one believing them and there truly not being a fire. Provoking people into violent acts of desperation by instilling the immediate fear of death into them, such that their rationality is severely compromised is outright negligent. This is why we have things like temporary insanity and heat of passion defenses.
I feel that you should be perfectly free to shout "Fire!" in a theater. However I also feel that if you end up causing a situation where someone is injured, you should be held liable for your negligent actions. Freedom of speech should not mean freedom from responsibility of that speech.
What if you told a blind person that the light at an intersection was green and there was no traffic, causing them to walk into the street and get run over? Would you push the free speech argument? You didn't kill him; the guy behind the wheel of the car did. That doesn't mean you weren't immensely negligent as a result of what you said.
As a closer example to the theater, what if in that same situation you screamed in front of a blind man "Everyone get out of the way! A car is heading straight for us!" causing him to jump out of the way and into actual traffic? Would you still feel like you were completely free of the burden of responsibility?
Re: (Score:2)
Dear Anonymous Troll. It's not about being blind or handicapped. It's about trust. We are indeed responsible for our actions - and that includes the act of speech.
Re: (Score:3)
I think you don't understand what "literally" means. Your post gets sillier from there.
Re: (Score:2)
Re: Who cares (Score:5, Funny)
We are a God fearing Christian Nation
I thought church and state were separate?
Re: (Score:2, Funny)
Nope, God still gives us our rulers through divine right. Voting is simply a test of faith.
Re: (Score:3)
I'm pretty sure they're doing their best to figure out what Jesus would do and then do the opposite...
Re: (Score:3)
Re: (Score:2)
At first your list sounds horrifying. On closer examination, over 90% of Americans said they wouldn't have a problem voting for a black, female, catholic, hispanic or jewish candidate. The others ranked... lower. It's still pretty bad, but not quite as horrifying as at first glance.
Re: (Score:2)
Und if you are schmart, you schut kip thinking zat.
google glass for everyone (Score:2)
Re:Who cares (Score:4, Interesting)
Everyone should. Not because they're breaking a law, but because laws are changing. And rapidly so. What is very legal today may be illegal tomorrow. And then try to prove that you stopped the behaviour just because it became illegal. What is that you say? They have to prove that you still did it after it became illegal? You think you'd be the first to be in jail because there is "strong evidence" (read: someone hinted at it) that you did again what you did before?
Re: (Score:2)
Re: (Score:2, Insightful)
Correct. As long as I cannot verify the encryption, then I cannot say it is secure; secure being relative to my needs and concerns. As the U.S. government is one party I would want to keep my encrypted information from, the DOD or any other agency having potential access means that their encryption cannot be considered seriously for my interests.
Re: (Score:2)
Really? Is it? Could you tell by looking at some pgp source whether it has been compromised or not? Maybe you could but the majority of people reading this could not and if that's true of slashdot what hope does the rest of the world have?
Re: (Score:2)
Just because software is closed and proprietary doesn't mean you don't have access to the source code. It just means that access may be covered by a license.
If you're going to pay security experts to analyse the entirety of the code, the price of that license is probably insignificant.
Re: (Score:2)
True, but it does provide an avenue to check for external keys.
I don't have an iThing so I can't check, but if you can activate a new device and receive your iMessage messages while the previous device on which those messages were held is switched off, then at best the messages are protected by a password. It may be the passphrase for an encryption key, but it is still just a password. If you can get Apple to reset the password, and then activate a new device and receive your iMessage with your old device b
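Added example, not part of any comment above and not Apple's or BlackBerry's actual design: a Python sketch of the scheme described in the "One of the assumptions in the article is flawed" comment (an encryption key derived from the password separately from the login value), and of the password-reset test raised in the last comment above. The passphrases, purpose labels, iteration count and the HMAC-based stand-in cipher are assumptions made for illustration.

```python
import hashlib, hmac, os

ITER = 100_000  # constructed work factor for this demo

def derive(password, salt, purpose):
    # PBKDF2-HMAC-SHA256; the purpose label keeps the login and encryption outputs unrelated.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + purpose, ITER)

def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # Stand-in keystream (HMAC in counter mode); a real client would use an AEAD such as AES-GCM.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ks = _stream(_sub(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + _sub(_sub(key, b"mac"), nonce + ct)

def open_blob(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _sub(_sub(key, b"mac"), nonce + ct)):
        return None  # wrong key or modified blob
    ks = _stream(_sub(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def demo():
    salt = os.urandom(16)
    # Enrolment on the first device: the provider receives only these three values.
    server = {"salt": salt,
              "verifier": derive("old passphrase", salt, b"login"),
              "blob": seal(derive("old passphrase", salt, b"enc"), b"constructed message")}
    # New device, same password: the key is re-derived locally and the history opens.
    new_device = open_blob(derive("old passphrase", salt, b"enc"), server["blob"])
    # The provider trying the value it holds for login gets nothing.
    provider = open_blob(server["verifier"], server["blob"])
    # After a provider-side reset, the new password derives a different key.
    after_reset = open_blob(derive("reset passphrase", salt, b"enc"), server["blob"])
    return new_device, provider, after_reset

if __name__ == "__main__":
    print(demo())
```

If stored history is still readable after a provider-initiated password reset, the key cannot be derived from the password alone. The separation also holds only when the client derives both values itself and never sends the raw password to the provider.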