Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Cloud Iphone Privacy Security United States News Your Rights Online Apple Technology

FBI May Be Opening A Security Hole To Federal Agencies (computerworld.com) 152

Lucas123 writes: In its rush to gather information, the FBI blew its chance to retrieve data from the iPhone of one of the San Bernardino terrorists when it ordered his iCloud passcode to be reset shortly after the attacks. Now in its fervor to force Apple to create software that can break its own encryption algorithm, the FBI may be opening a security hole to federal agencies. Over the past four years, the federal government has largely shifted its use of mobile devices from Blackberry to iPhones. One major reason for that is -- you guessed it -- the strong native security. If Apple creates an iPhone skeleton key, it not only threatens the public's privacy, but the security of the federal government as well.
This discussion has been archived. No new comments can be posted.

FBI May Be Opening A Security Hole To Federal Agencies

Comments Filter:
  • by turkeydance ( 1266624 ) on Wednesday March 02, 2016 @09:15PM (#51626073)
    how's that Hope thing working out?
    • by Anonymous Coward

      Pretty well. Those that were buying into Hope And Change are still hoping. They got eight years of hope out of it, that's pretty good and hoping feels so much better than changing/doing anyway.

      • Easy to enact change when the oppostion party says "We aren't going to do our jobs, we are just going to oppose EVERYTHING!"

        • Hard to enact any of that change when one side fails to propose any of their changes beyond "We need immigration reform!"

          You blame the republicans for failing to come up with bills for the president to veto, while the president completely fails to propose anything to them to pass or not.

          You are also talking about the president that refused to negotiate when negotiation was the only way to get what he wanted.

        • The Republicans didn't always control the Congress. What about before then?
          • Filibustered their asses off, and the still controlled key committees

            • Gosh, how'd they retain control of key committees if they weren't the majority party?

              Golly. I bet the Democrats eliminated the ability to filibuster, first chance they got, right?

      • In the US, it takes Congress to pass legislation which is the part that creates change. The person at the top sets the vision, but Congress makes it happen or in this case keeps it from happening. So, regardless of Obama, if your complaint is lack of change, that would be the Congress, which is predominately the Republican Party. There is an election coming up, where you have not only the opportunity to change the person at the top, but those who stymied any change for the last eight years.

    • by donaldm ( 919619 )
      Since this is an American issue, so far I think the saying "Hoisted with one's own petard" applies here [phrases.org.uk]. Unfortunately sometimes American issues become world wide problems.
  • by Anonymous Coward

    explain how allowing the FBI to brute force individual iPhones in a lab setting constitutes creating a "skeleton key" that poses a risk to iPhones in the wild? I still haven't heard a remotely plausible explanation of how this happens without some seriously high level industrial espionage of the type that could render iPhones vulnerable *anyway* without Apple ever doing a thing to assist law enforcement? -Love, Legal.Troll

    • The issue is confused. The system is designed to prevent brute forcing, which is what the FBI originally wanted to do, but their recent calls have been for legislation to require tech companies to put in a back door to circumvent the encryption and only accessible by the device creators (yea, good luck with that).
    • Re:"skeleton key" (Score:4, Informative)

      by Nethemas the Great ( 909900 ) on Wednesday March 02, 2016 @09:25PM (#51626133)
      The security of the iPhone is hinged upon OS binaries signed by an Apple security certificate. The FBI wants Apple to sign and/or produce binaries with weakened security. Having achieved this, the FBI and all parties in possession of said binaries simply have to swap out the old secure binaries for their version since the phone trusts anything signed by Apple.
    • by Archfeld ( 6757 )

      Because the FBI doesn't want to brute force the phones, they want a backdoor into all iPhones at the OS or even better firmware level despite the mass amount of FUD https://en.wikipedia.org/wiki/... [wikipedia.org] they are filling the airwaves with. If they get away with forcing Apple to provide such, then the other vendors will be a slam dunk. Beyond that we all know that if there is a door, hidden or not some Ukrainian teenager will figure it out in like a week, not to mention actual government sponsored professionals.

    • by Anonymous Coward

      The skeleton key applies to the court system. If the court forces Apple to open this phone, the FBI will start filing motions to open thousands of other phones. Sort of like FISA I imagine it being a rubber stamp process.

    • Re:"skeleton key" (Score:5, Informative)

      by AHuxley ( 892839 ) on Wednesday March 02, 2016 @09:59PM (#51626273) Homepage Journal
      The House Committee on the Judiciary Hearings, The Encryption Tightrope: Balancing Americans’ Security and Privacy (Streamed live on Mar 1, 2016)
      https://www.youtube.com/watch?... [youtube.com]
      Try around the 4:05 point in. 200 phones are in line for the same skeleton key needs. As mentioned, that federally demanded, universal "skeleton key" will be ready as an overlap for State and Federal courts :)
    • Re:"skeleton key" (Score:5, Insightful)

      by MobileTatsu-NJG ( 946591 ) on Wednesday March 02, 2016 @10:45PM (#51626499)
      Apple hasn't written the software they need to do it. It doesn't exist right now. Once they write it, it's written. Precedent is set and a floodgate of requests will begin and there won't be much Apple can do to make them stop.
      • You, and the FBI, are assuming that apple is even capable of writing such software.

        I'm not so convinced. Bruce Schneier has frequently said: "Anybody can create a security system he himself cannot break", his point is in favour of open security and encryption standards of course - the point of a security system is that somebody else shouldn't be able to break it, being unable yourself is no evidence of that. But it also has some legitimacy as a more direct claim.
        Apple was responding to the market pressures

        • by Khyber ( 864651 )

          "I'm not so convinced. Bruce Schneier has frequently said: "Anybody can create a security system he himself cannot break""

          Which goes against the convention any ACTUAL engineer knows by heart: Man can make it, man can break it, there are no exceptions.

          • And how many international standars hashing algorithms have you written ? This is like some guy who just built a barbeque pit calling the designer of the Golden Gate bridge "not an actual civil engineer"

            • by Khyber ( 864651 )

              The same has been said for almost every encryption method since the beginning of time.

              Almost every one has been broken.

              One only needs to look at history to learn from it. Actual field experience is not required.

              • You utterly misunderstood the quote. It is not suggesting that anybody can create an unbreakable cypher. In fact it means the exact opposite of what you are arguing against. It means being unable to break your own cypher doesnt mean its even a little hard to break. You need lots of people trying to hreak it in order to get a decent one .

    • Well, you can bet the FBI will do everything they can to copy the OS off the iPhone to try to use it on similar model phones. And the NSA just might happen to walk by and see what's up with the FBI's new toy. And then they will 'happen' to have one of each different model iPhone needing to be unlocked.

      The NSA MIGHT be competent enough to be able to control it's use if they got it, the FBI is lucky if they can prevent the general population from poking around in their databases.

    • One possibility that requires just a little sloppiness on the part of the FBI and a little sneakiness on the part of the attacker: The next time the FBI wants to access a phone like this, the owner of the phone implanted a sort of trojan horse that recorded the information about the vulnerability the FBI used to access the phone and either phones home immediately (is the FBI diligent about keeping the phone in a Faraday cage?) or waits until the phone has network access and then phones home.
  • As if it matters (Score:5, Insightful)

    by 93 Escort Wagon ( 326346 ) on Wednesday March 02, 2016 @09:19PM (#51626095)

    Given how thoroughly large government organizations keep getting hacked - such as we've recently seen with the OPM and IRS - it's not as if there's any information on government employees' phones which isn't already in the hands of the Chinese, Russians, and various criminal syndicates.

    • it's not as if there's any information on government employees' phones which isn't already in the hands of the Chinese, Russians, and various criminal syndicates.

      It has to be frustrating, from a Chinese hacker point of view. You do your job, hack the super important secret agency chief's phone... And everything you get is a dupe because the guy in the next cubicle already hacked the thing last week.

      Hopefully, Slashdot has prepared him for years to deal with the frustration of reading the same "new data" over and over.

  • by seawall ( 549985 ) on Wednesday March 02, 2016 @09:28PM (#51626145)

    Apple rather slickly has each update of each recent iOS be specific to a phone. ONE physical phone. Probably to prevent the skeleton key scenario.

      Each "copy" (not really an appropriate word here) of the update is unique (I don't know the details) which makes it hard to just use the same binary to on every phone. Each "copy" only works on one phone.

    • by Anonymous Coward

      The skeleton key is the update code just before Apple makes it phone-specific.

  • by ChunderDownunder ( 709234 ) on Wednesday March 02, 2016 @09:30PM (#51626149)

    I find it hard to take the FBI seriously on iPhones when their own IT department's security is so lax.

    Agent Mulder's work issued computer didn't even have a password protected lockscreen when the machine was idle. Thank goodness it was only Scully/Miller/Einstein - anyone from a double agent to a passer-by such as a cleaner or a vending machine technician could have accessed sensitive, classified information.

    • I think Mulder's computer security relied on nobody knowing there was a computer in that room... I'm pretty sure each department of janitorial staff thought the door to Mulder's office was actually a supply closet used by one of the other janitorial departments.

      • Actually... to be serious... did any OS even *have* password protected lock-screens c.a. 1993 ? I don't recall any - and certainly none that had it by default.

        • by tlhIngan ( 30335 )

          Actually... to be serious... did any OS even *have* password protected lock-screens c.a. 1993 ? I don't recall any - and certainly none that had it by default.

          I'm certain at least TWO did. Unix (and Unix-like) and Windows NT. Unix with their X terminals often had a lock function implemented a part of xdmcp or something, and NT3.5 was already a multiuser OS. Granted though, NT 3.5 looked a lot like Windows 3.1, so there may have been apprehension since you expect it to crash...

  • by TsuruchiBrian ( 2731979 ) on Wednesday March 02, 2016 @09:30PM (#51626151)

    If it is possible for Apple to "create a backdoor" after the fact, then that itself is a back door. The FBI wants apple to release a version of it's OS that can disable certain security features and push that update out to the terrorist's phone without any confirmation from the (now deceased) user. Apple seems to confirm that this is indeed possible and has said that it would be dangerous to even create this version of it's OS because it might fall into the wrong hands and be abused. I would argue that it is already in the wrong hands, because it is in the hands of Apple, and even if Apple fights the FBI, they may be forced by a court to cooperate.

    What Apple *should* do (and should have already done), is to create a security system that they would not have the ability to help the FBI hack into. They have already indicated they are working on this.

    The IOS security is already broken. The only thing keeping the FBI from cracking it, is their own incompetence, and Apple's limited will to challenge the government. I doubt many people at Apple are willing to go to jail over this (nor should they be).

    My advice to Apple, is to help the FBI hack into this phone, and come out with a real security system that is actually secure.

    • They'd lose face with their global customers.
      • They could do it in the opposite order (come out with a good security system, and then give the FBI the skeleton key that only works on phones that haven't yet been updated to the new system). I would be much happier with Apple if they did this than if they didn't.
    • "What Apple *should* do (and should have already done), is to create a security system that they would not have the ability to help the FBI hack into. They have already indicated they are working on this."

      Precisely. I can think of at least two ways to do this that would make the "skeleton key" scenario moot. One of those ways would make brute forcing impossible, but would require significantly greater processor power and memory.

    • My advice to Apple, is to help the FBI hack into this phone, and come out with a real security system that is actually secure.

      The problem with this is once Apple successfully helps the FBI crack this phone, it will set a pattern of sorts, establishing a certain type of relationship between Apple and Law Enforcement. If Apple later threatens to create an OS which can't be hacked in this way, it would give the FBI the ammunition they need to go to Congress and ask for legislation to ensure that Apple can continue to provide this help to them in the future. The FBI can just say "Apple has helped us in the past, and now they're deli

      • On the contrary, I think Apple would be able to say "We are literally helping as much as we can" (whihc is not very much since the system is very secure). As opposed to "We are purposefully not helping because if we did, the FBI would actually get what they want and a lot more".

        Not to mention the fact that lots of people in the government actually use these phones, and having them be secure (even from Apple), as probably a good thing. It means that the data belonging to government agencies is safe, even i

        • On the contrary, I think Apple would be able to say "We are literally helping as much as we can" (whihc is not very much since the system is very secure). As opposed to "We are purposefully not helping because if we did, the FBI would actually get what they want and a lot more".

          But they are already helping the FBI as much as they can and have to, and if the FBI hadn't destroyed an easy way to acquire evidence by forcing the San Bernardino County to reset the iCloud password for the phone, they'd already have the information.

          • They are not helping the FBI as much as they can, because they are not creating the backdoor that the FBI wants. I want Apple to be able to help the FBI as much as they can. And if they remove the back door, Apple can try to help the FBI crack passwords as much as they can, and it won't compromise the security of other users.
  • As opposed to the fact that most of the federal employees who got an iPhone just wanted one a lot more than a BlackBerry 10 phone. Which is a shame, really, because my Z10 is the best phone I've ever owned including my previous two iPhones. BlackBerry has the only MDM with an ATO from the DoD. If security were the primary motivation, they'd have standardized on BB10 phones with BlackBerry BES.

    • by LostMyBeaver ( 1226054 ) on Thursday March 03, 2016 @12:09AM (#51626795)
      I'll address this in a few parts.

      1) BB was a good platform for its time. It's near absolute inflexibility from a development perspective made it a good platform for security since it was hard enough to code, it was pretty hard to hack. Palm Pilot wasn't bad either in its time.
      2) BB10 is not BB. It is based on QNX which (I have extremely extensive experience coding for at a system level in direct coordination with QNX themselves) and is otherwise an entirely new operating system consisting of millions of lines of code produced by hundreds of developers over a short span of a few years.
      3) To suggest that much new and untested code (no it hasn't been) is sheer silliness and doesn't belong in a forum for people who claim to understand technology. It is mathematically impossible to develop that much code that fast with that many people and have a secure platform.

      So, let's talk about this... an iPhone and a Blackberry compared side by side are equally insecure. Sure, the obvious routes probably aren't a problem, but hackers don't use obvious routes... well sometimes the do... depends on what you consider obvious :)

      I have always hated people saying things like "I don't even run antivirus, I'm running a Mac. Unlike a PC, it's secure!". I would respond "Just because no one is openly hacking it currently doesn't mean it's secure".

      BES is secure until the messages hit the phones. Once they reach the phone, all security is absolutely gone. Secure messages require secure keys. Secure keys are 3072 bits or longer (for now according to the NSA... this means they can crack 3072 but they believe others can't). Unless you are manually typing 768 hexadecimal characters into the phone every time you log in to use BES, the key used for decrypting your messages is stored on the phone somewhere.

      The key to decrypt the keys is probably a pin code or possibly up to a 10 character password convenient to type on the BB keyboard without too many shifts, controls, etc...

      If I can locate the store of the key, locate the code to decrypt the key, find the location of 2 or more messages which contain headers (all do), then with the proper computational power, I can obtain the key to decrypt all messages stored by BES on the phone. It's only a matter of CPU. While the number of possible passwords to decrypt the keys increases exponentially with each character in length, the fact a laptop can crack 6 characters in a few second, 8 characters in about 10 minutes, throw 65536 CPUs or a few FPGAs at the problem and it would do 10 characters in about 10 minutes.

      I never have been figuring out why so many idiots think that BES is secure... to decrypt messages, the phone has to be storing the information required to decrypt them. At some level there must be a way to read the messages and the security isn't as strong as the door and the lock securing it. It's as strong as the box next to the door holding a spare key that is guarded by a simple code.
      • From Wikipedia "The product was originally developed in the early 1980s by Canadian company Quantum Software Systems, later renamed QNX Software Systems and ultimately acquired by BlackBerry in 2010.[1] QNX was one of the first commercially successful microkernel operating systems[citation needed] and is used in a variety of devices including cars[2] and mobile phones."
        So ... not developed in a short span of a few years.

        BB10 has FIPS 140-2 certification

        "The company said its BlackBerry 10 platform has rec

      • by Anonymous Coward

        " Unless you are manually typing 768 hexadecimal characters into the phone every time you log in to use BES, the key used for decrypting your messages is stored on the phone somewhere."
              The encryption software module generates the keys you never have to type them in. The keys are changed every 24 hours so if you do manage to crack the encryption key you are only able to decrypt messages sent during that 24 hour period.

  • by no-body ( 127863 )

    here is the famous shoot in the foot again :-))

    Nice to see...

  • where we have strong security that nobody but the good guys can break.

    Your government communications and data stores are secure, approved business communications and data stores are secure, but everything else can be decrypted on demand.

    Wonder when non-IT businesses are going to realize they have a dog in this fight.

  • Protecting the U.S. government communications and information systems against penetration is part of the NSA's charter.

    Wait, what?! You guys were breaking encryption as well? Who was supposed to be protecting this stuff?

  • "Missed their chance" - yeah right. The mainstream news is spreading this bullshit bad enough - do we really want Slashdot treating us like a bunch of naval-gazing know-nothings?

  • by bsDaemon ( 87307 ) on Wednesday March 02, 2016 @10:53PM (#51626529)

    I wrote something similar on this topic a few weeks ago for a blog post at work, though I went into more technical detail than TFA did:

    http://blog.acumensecurity.net... [acumensecurity.net]

  • Our founding fathers would be pissed.

    • by LostMyBeaver ( 1226054 ) on Thursday March 03, 2016 @12:28AM (#51626865)
      The founding fathers were just as big a bunch of dicks as the current lot. Often worse.

      The "justice for all" bullshit was because they were pissed at what British Parliament did to the colonies by taxing them. King George III wasn't able to do much more than watch from the side lines. He was pissed at them too.

      The truth is, more than half possibly 3/4 of the founding fathers probably would have hung Tim Cook and beat him until he cried like a girl and screamed "open it, open it".

      I always wondered if those guys were so great and wise and pure and all that shit... why would they write a constitution which more or less would so easily let the country devolve into some religion where we have now existed for decades without a single amendment to improve the document by modernizing it for the times? Where's the review requirement? We treat the document as an absolute as if it is perfect in every way and to question that is borderline treason. Where is the part of the document which would protect civil liberties regarding electronic data protection? It's not there because the founding fathers didn't absolutely require that the constitution is reviewed and updated.

      It was written by a bunch of pissy little bitches and a poet or two. They were all pissy at England and wrote a document to provide freedom from their oppressors for a million people or so and didn't give a shit whether it lasted 200 years in the future and certainly had no clue it would eventually be used to govern 400 million people from every country, race and religion as equals.

      If you want to be true to yourself, with a few exceptions, these guys were mostly soulmates with Donald Trump. They weren't wise, they weren't great, they didn't shoot lightning bolts from their eyes and they didn't shit daffodils when they sat upon the bowl. They were men who :
        a) Wanted to secure power for themselves and their families
        b) Represented a group of truly fucked up people who believed righteousness was the Salem Witch Trials.
        c) Believed black people were less valuable than dogs since you could love a dog.
        d) Believed that religious freedom meant you should be free to believe in any form of Christianity you want.
        e) The one odd ball or two who felt it was a chance to do something wholesome and good.

      Don't place politicians pedestals. They might make impressive art, but they sure as hell are nothing more than people and very rarely are they more than sales people.
      • Well, they *did* intend for it to be reviewed and updated continously. James Madison suggested it be reviewed by a major national congress based on referendums every 10 years.

        Their big mistake was not mandating that in the words - so now it's used like holy writ and it's authors like prophets, exactly what they knew better than to want !

      • ...and yet the nation they created became the most successful the world has ever seen. Honestly, at this point, you have to really question whether the United States is for you. It sounds like you would be much better off in a country that agrees with your left-wing politics, such as Bolivia, Venezuela, or Cuba. It's a good thing we live in a borderless world where global citizens can go wherever they want. There will be a period of cultural adjustment, of course, where you learn to deal with things th
        • ...and yet the nation they created became the most successful the world has ever seen.

          Which wouldn't have happened without Adolf Hitler. So unless you count him as one of the founding fathers ...

          • Hitler made a wreck of Europe, but we were already a very successful country.

            • Hitler made a wreck of Europe, but we were already a very successful country.

              "A very successful country." is hardly the same as "the most successful the world has ever seen", Hitler destroyed several very successful countries and made the best scientists and artists flee to the US. The only country who has more to thank Hitler for is Israel.

      • by Anonymous Coward

        "We treat the document as an absolute"

        Well, duh. If you don't do that then it might as well not exist at all. If you treat it like it's just some flimsy list of "suggestions" then it becomes trivially easy to take away everybody's rights and you end up with a fucking totalitarian militarized nation.

      • why would they write a constitution which more or less would so easily let the country devolve into some religion where we have now existed for decades without a single amendment to improve the document by modernizing it for the times? ... Where is the part of the document which would protect civil liberties regarding electronic data protection? It's not there because the founding fathers didn't absolutely require that the constitution is reviewed and updated.

        I believe that the part you're looking for is the 4th Amendment. That the current government does not honor the clause has nothing to do with the document itself, but the politicians and the voters who fail to hold them accountable for violating the constitution.

        They were men who : c) Believed black people were less valuable than dogs since you could love a dog.

        Not all of them. The reason slaves were treated as 3/5 of a person is the fact that the Northerners did not want the South to have undue influence from counting the population of people who could not vote and would, under the compromises they came

  • One major reason for that is -- you guessed it -- the strong native security

    If Apple can reset the pin count on their phones with a software update, the "native security" isn't so strong. And what that really means is that the FBI's data is owned by Apple, hardly a good situation.

  • by Anonymous Coward

    "Now in its fervor to force Apple to create software that can break its own encryption algorithm"

    It's doing no such thing. Could people please stop writing about this until they have the first clue about the actual issues involved here?

    They're not asking Apple to 'break its own encryption algorithm'. They're asking it to provide a customized operating system that disables the automatic lockout and delay while entering PIN numbers.

  • by Anonymous Coward

    - Given an order to produce software, and that such a capability will demonstrably then exist.
    - Given a duty to maximize shareholder value.
    - Given a duty to comply with national laws.

    The only satisfactory solution appears to be to create the software for the first government that asks, and then to sell it to the Chinese, Germans, British, India, Brazil and anyone else.

    So the question is -- just how much should Apple charge the Chinese government for the back door, so they can at least establish a fair marke

  • by kenwd0elq ( 985465 ) <kenwd0elq@gmail.com> on Thursday March 03, 2016 @12:22AM (#51626853)

    I suppose it's asking too much of the Feds to have properly implemented Apple's mobile device management protocols, so that when the next Ed Snowden takes his government-issued iPhone to Moscow with him, the Feds can read his itinerary from it?

  • by LostMyBeaver ( 1226054 ) on Thursday March 03, 2016 @12:32AM (#51626873)
    As soon as they make it public that they can open any iPhone they can get a court order for, people with something to hide from them will move to using more secure applications which are written by companies or people the FBI can't so easily influence with the American legal system.

    Better yet, they'll move to using programs that are written by people who added security and wouldn't know how to hack them themselves.

    So, basically, all they're doing is educating the criminals to use technologies that are more secure written by companies outside of their jurisdiction.

    If they open this phone, it basically will guarantee they will never be able to get to "terrorist data" ever again.

    How come no one ever bitches about this? I bet you that 99% of all terrorists have moved to using something more secure by now.
  • Like Cook said, public safety is important,so is citizen private information !
  • "One major reason for that is -- you guessed it -- the strong native security."

    Blackberries are more secure in many ways than iPhones. They certainly have more remotely manageable security, and can be more locked down, feature-wise.

  • by jon3k ( 691256 )

    In its rush to gather information, the FBI blew its chance to retrieve data from the iPhone of one of the San Bernardino terrorists when it ordered his iCloud passcode to be reset shortly after the attacks.

    This is very misleading. It would have only given them access to the data on the phone stored in iCloud.

    • In its rush to gather information, the FBI blew its chance to retrieve data from the iPhone of one of the San Bernardino terrorists when it ordered his iCloud passcode to be reset shortly after the attacks.

      This is very misleading. It would have only given them access to the data on the phone stored in iCloud.

      This is very misleading,They won't find any useful information on his work phone anyway, because he would have it destroyed it anyway if there were, like he did with his actual phone.

"More software projects have gone awry for lack of calendar time than for all other causes combined." -- Fred Brooks, Jr., _The Mythical Man Month_

Working...