Police Unlikely To Win Wider Access To Smartphones Despite FBI Success In San Bernardino Case (latimes.com) 90
An anonymous reader quotes a report from Los Angeles Times: The successful hack of a phone linked to the San Bernardino terror attacks is unlikely to help police win greater access to encrypted data contained inside thousands of smartphones sitting in evidence lockers nationwide, legal experts and law enforcement officials said Tuesday. The process used to gain access to Syed Rizwan Farook's iPhone 5c might not work on other devices, according to an FBI official with knowledge of the investigation. Though the FBI might want to use the new tool to help solve outstanding criminal cases, doing so would also make the process subject to discovery during criminal trials and place the information in the public domain, according to the official, who was not authorized to discuss the case and spoke on the condition of anonymity.
"From all the chiefs that I've talked to, we're hopeful this will give us some insight into how we're going to be able to get into some of the phones sitting in all of our evidence rooms," said Terry Cunningham, police chief in Wellesley, Mass., and president of the International Assn. of Chiefs of Police. "We're clearly anxious to learn what they did and how they did it and if it can be replicated."
Unless used in warrantless surveillance (Score:5, Insightful)
Though the FBI might want to use the new tool to help solve outstanding criminal cases, doing so would also make the process subject to discovery during criminal trials
Only if the use is admitted in court. They can use it in warrantless surveillance without a problem. [wikipedia.org]
Re: (Score:1)
Also, parallel construction is a thing. [wikipedia.org] They snoop into phones / computers / etc, then use that data to create a secondary trail of evidence to the same outcome thus concealing the fact that they snooped without a warrant.
Re: (Score:2)
Re:Unless used in warrantless surveillance (Score:4, Insightful)
What an insight! (Score:5, Insightful)
Though the FBI might want to use the new tool to help solve outstanding criminal cases, doing so would also make the process subject to discovery during criminal trials and place the information in the public domain
Yes, if such a tool exists, details on this process eventually will become public.
Which exactly was Apple's point.
All. The. Time.
Re: (Score:2)
Apple would have told everyone how they flash their chips internally? They would have provided modified binaries that dont increment the bad password counter? Because that is all that was being asked for.
Yes, and yes. Well, Apple wouldn't have done either, but the courts would have done it for them. The right to examine all of the evidence against you implies the right to examine the tools and processes used to gather that evidence. Eventually some court would have ordered the FBI to provide full details to the defense, and it would either come out in the public trial, on the record, or it would have been inadvertently leaked by the defense. Or maybe a copy might have been leaked by an Apple employee for wh
Re:What an insight! (Score:4, Interesting)
or, there WAS NO HACK and they simply are lying to cover their damned asses.
my guess is that they have no hack and they want us all to think they broke in, so they could abandon a LOSING COURT CASE before the proper precident (one that favors freedom instead of unwarranted authoritarian power-grabs) was set.
the simplest explanation is often the case: they were losing big-time in the court of public opinion and they could not force the richest company IN THE WORLD to do their petty bidding. they knew they'd lose and so they cower with tail between legs, making up a fake 'victory story' which is 100% opposite of the actual truth.
the good guys have switches places, it seems. I wonder if/when we'll get our real good guys back? will that happen in our lifetime?
Re: (Score:3)
I think partly describes what happened. The FBI was already able to hack the phone before this case, and wasn't even that interested in the content of the phone, but preferred to use it as a precedent to pressure Apple. Now they're backpedalling, but not by lying. Or maybe they're lying even. But they can still hack the phone without apple. Snowden described one technique for hacking the iphone, backing up the memory and overwriting it again and again after x failed password attempts.Can be automated and o
Re: (Score:2)
or, there WAS NO HACK and they simply are lying to cover their damned asses
I was talking about the modified firmware the FBI wanted Appy to create, not about whatever Cellbrite allegedly did or didn't do.
Re:What an insight! (Score:4, Interesting)
If you go by the simplest explanation (and we receive no further information to help us), then you're going to conclude that someone cracked it.
There is significant fraction-of-a-world of people who think Apple's hardware is generally pretty decent (at worst! a lot of people downright like it). But the hardware, for all its perceived virtues, has one big glaring problem: it tries to prevent people from running whatever software that they want to. So there are a fuckton of people who look for bugs, in order to be able to root their own phones and gain control of the machine that they bought. Some of them find the bugs. It has always been so, and that's how it is on this platform too, unless you are saying that you think Apple is the one company in the history of this industry, who has finally managed to produce bug-free consumer products.
You're not saying that, are you?
If not, then the simplest explanation is that someone with physical access to the device managed to gain control of it, since that sort of thing happens all the time anyway, with or without the FBI backing the effort.
Believe it or not, you're actually overstating how much the FBI was winning; they were far more doomed and already-defeated than you describe. They've probably won the battle for the iPhone 5c, and they might possibly (it's iffy, but possible) win on some newer handheld/toy PCs. But they have no chance, ever, when it comes to solving the general problem. If users actively try to protect their data then the data will be really encrypted, such that subverting the device doesn't get you the key (or 10k possible keys, where one is really it). And then attackers can go crying or threatening whatever manufacturers they want, and it won't help them a bit.
This time, they couldn't wave their $5 wrench at the user (dead men are hard to intimidate), so they waved it at someone else. (It was either a miracle or technological travesty (pick your PoV) that someone else could actually help them.) Next time, there is no "someone else" unless the user is just as incompetent (or more likely: apathetic) as Farook was.
Re: (Score:2)
Perhaps that, instead of some 'mystery hack', they simply figured out how to use the damned controls that the employer (who actually owned the phone) had in place?
Re: (Score:2)
or, there WAS NO HACK and they simply are lying to cover their damned asses.
I'm mainly inclined to believe this as well, especially given the reports I saw yesterday where the phone is now useless because the FBI managed to spill water on the phone, completely destroying it, mere moments after they broke in. Really?
Re: (Score:2)
Apple is the party the government wants the exploit to not get leaked to. The entire point of the anonymous official's quotation is that if the FBI ever uses (in court) evidence gained through this exploit, then Apple will be able to fix ..
Re:What an insight! (Score:5, Interesting)
But make no mistake: the effectiveness of the security system that we're talking about, is decades behind what we're otherwise used to.
Completely false. Desktop encryption is, in general, far, far inferior to what we have on mobile devices today, because the systems are wide open, which means that the only line of defense is the user's password. Pull the hard drive out, make a copy, and go to town brute forcing it. Done. A small subset of machines these days have a TPM and use it in their encryption, which is better but not hard to fake out. You just have to feed the right sequence of hashes to the device, and it'll do your bidding.
No, mobile devices and mobile OSes are dramatically more secure than desktops and laptops. They use hardware-embedded keys in addition to the user password. When the hardware also enforces brute force rate limiting (as the newer Apple devices do), it's even better.
The one small advantage that machines with full-sized keyboards have is that users are slightly more likely to choose a better password. But only slightly, and hardware performance plus the availability of dirt cheap supercomputing (AWS or GCE) has largely erased that advantage.
Re: (Score:2)
I hope they have plans for relocating their brute forcermachines, because the sun is going to become a red giant a blink-of-an-eye into the project.
If what you're describing were practical, then the FBI could have done it with that phone too. They wouldn't have cared about obtaining the hardware-embedded keys, because who needs keys?
Re: (Score:2)
I hope they have plans for relocating their brute forcermachines, because the sun is going to become a red giant a blink-of-an-eye into the project.
No, silly, you don't brute force the encryption keys, you brute force the password. Search the 20-bit space, not the 256-bit space.
If what you're describing were practical, then the FBI could have done it with that phone too. They wouldn't have cared about obtaining the hardware-embedded keys, because who needs keys?
The key being burned into the chip means that brute force search of the password space has to be done on the phone (unless you can dig the key out of the chip). The basic idea here is that the disk encryption key is something like a keyed hash of the password, e.g. HMAC(key, password). If you try to brute force the encryption key directly, being enveloped by the expanding sun is
Re: (Score:2)
*(yes, of course I'm kidding about where I checked it; I also test
Re: (Score:2)
I hope your employer doesn't make you change it every 90 days.
Now, here's the real question: What percentage of users have a password like yours?
Re: (Score:2)
Re: (Score:2)
I'm thinking the password is likely to be much larger than a 20 bit space. 20 bits is only slightly larger than the number of words in the English language. If the password can be more than a single word, or a word in another language, or uses even rudimentary and obvious character substitutions this number scales up very rapidly. Maybe you won't get up to the true 256 bit space, but it can still be enough to make brute force costs prohibitive.
Re: (Score:2)
I'm thinking the password is likely to be much larger than a 20 bit space.
It can be. And I meant to type "40-bit space"... which is still *well* within the realm of what's brute forceable. 20 bits can be searched in under a second on a single machine, depending on the per-try computation required (use of a good password hash algorithm makes it a little harder).
Maybe you won't get up to the true 256 bit space, but it can still be enough to make brute force costs prohibitive.
Less than you might think. Passwords are weak. Very few users actually choose passwords that get anywhere near 40 bits of entropy, and these days you really need closer to 50 bits. And climbing, but as computers get faster
Re: (Score:2)
I take your point. You're right.
Now let's try to help. Please stop using the word "password." It's "passphrase." Thanks.
(ObXKCD. [xkcd.com])
Re: (Score:2)
I take your point. You're right.
That's very unusual on slashdot. Well done, sir. And, BTW, I apologize for inserting "silly" into my earlier post. That was unnecessary.
Now let's try to help. Please stop using the word "password." It's "passphrase." Thanks.
(ObXKCD. [xkcd.com])
Passphrases are better, certainly, but without some significant anti brute force mitigation they're also not going to be secure for long. There are limits to what people can invent and remember, and are willing to enter regularly, and those limits aren't anywhere near the "red giant sun" range... particularly if people have to deal with many different passphrases.
FBI did not win (Score:3, Interesting)
The media is overstating the case. The actual FBI court filing of two days ago did not say they had defeated the iPhone security; it merely alleged to have 'obtained the contents of the iPhone' in question. Maybe they found an iPhone backup for all we know.
The FBI has a significant reason to mislead or lie since they would want to avoid a negative precedent being set at the District Court level, especially after federal Magistrate Judge Orenstein of Brooklyn, NY ruling that Apple did not have to be subject to the All Writs Act. I believe that the FBI will wait for an even more sympathetic case.
http://www.nytimes.com/2016/03/01/technology/apple-wins-ruling-in-new-york-iphone-hacking-order.html
Even if they had "cracked the iPhone" there is no reason that the FBI would not pursue the case in District Court IF it thought it would prevail, since there is no reason to believe that Apple would not patch the bug and a favorable ruling wold apply to all hardware vendors.
No, it is clear that the FBI lost this one AND they are likely to be misleading or lying about about the obtaining the information.
Here is the relevant text from the very short FBI filing:
“...the FBI has now successfully retrieved the data stored on the San Bernardino terrorist’s iPhone and therefore no longer requires the assistance from Apple required by this Court Order,”
The technically naive would naturally think that this means they cracked the iPhone security. Bullshit.
Re: (Score:1)
more than that they now claim to have destroyed the phone after gaining access but before accessing the data:
The NewYorker
"Unlocked iPhone Worthless After F.B.I. Spills Glass of Water on It"
By Andy Borowitz
http://www.newyorker.com/humor... [newyorker.com]
Re: (Score:2, Informative)
Psst: That URL contains the word "humor" for a reason.
Propaganda machine in full swing (Score:4, Insightful)
Wow, two articles in one day claiming a victory in the case they withdrew. Seems the propaganda machine is in full swing.
Re: (Score:1)
Even worse than the expected FBI spin is the NYT coverage both declaring an FBI victory and smearing Apple as a defiant scofflaw.
http://www.nytimes.com/2016/03/18/technology/apple-encryption-engineers-if-ordered-to-unlock-iphone-might-resist.html
Despite the fact that Timothy Cook said that Apple will follow the law once settled in the courts what it actually is.
John Markoff is a long-time NYT tech staff writer and I have known him for more than 25 years; I cannot imagine why he would want to vilify Apple in
Re: (Score:1)
beat me to it!
this has gotten to the point of being utterly disgusting. did the fbi have success in getting the data off the phone? maybe. did they have success against Apple or against strong encryption? fuck no.
i've been saying from the very beginning that iGummies do not run on faerie dust and unicorns. (even 35,000 year old unicorns!) i am fucking sick of the media misleading the public to believe that Apple has some kind of deep magick from before time that they've cast on their phones that make
a new federal holiday (Score:2)
its called LIARS DAY and it 'celebrates' the fact that our government will happily lie, cheat or steal to get what it wants; ironically, becoming the very evil it claims to be at war against!
april first is 'all fools day'; I propse we take the day before and call it 'all liars day' and we all wear fbi, cia, nsa, leo costumes and make a big party of it.
(sigh. yes, this is depressing. humor is the only way I can deal with such bullshit.)
Re: (Score:2)
Keep using any phone with confidence to chat, call and keep lots of data on it too
I'm betting they spent $$ on a vulnerability (Score:2)
I'll bet the DOJ/FBI spent some money at one of those purveyors of vulnerabilities. You know, the folks who constantly sell hacks and backdoor tricks to governments for big profits.
As we all let out a collective.... (Score:2)
The process used to gain access to Syed Rizwan Farook's iPhone 5c might not work on other devices, according to an FBI official with knowledge of the investigation.
uh DUH!
Re: (Score:2)
Why not? If you can make a lucky guess once you can make a lucky guess twice.
Re:Claimed Success (Score:5, Interesting)
As a one-time litigator in US district court, it is not perjury to lie to the court unless explicitly under oath. Though as an officer of the court it is unethical--possibly even contemptuous or an obstruction--to mislead or lie in a motion or other non-sworn court paper. In my experiences sanctions are few and far between for such behavior, however, despite my experience that the most prolific perjurers in court are the police and the attorneys.
In general parties ask for dismissal of their claims all the time before adjudication in order to avoid a bad result. For example, I made a motion for summary judgment in a trade secret case in San Jose. The Plaintiff moved for dismissal with prejudice. Since it was immediately granted, I did not gain a District Court precedent.
In this case the smearing and vilification of Apple is in fully swing. I suppose that it is punishment for not simply rolling over for LE demands.
Re: (Score:2)
Replying since this got upmodded to 1 by somebody...
A little chip can do AES-256 encryption, and cracking that, assuming we could develop large enough quantum computers that ran sufficiently efficiently, would require more resources than exist in the Solar System. The only way to attack the cipher is to determine what the key is. The key, on a 5C or later, is a 256-bit random number combined with the PIN in some manner. The 256-bit random number is inaccessible, so the only way to get the key is to pu
opening the phone isn't cheap or convenient (Score:1)
So all those DAs and Police Chiefs were hoping for a "plug in cable and download contents" kind of hack. More likely, the FBI's contractor opened the phone, carefully removed the NAND flash, copied it, and went about the crack in the way described in the ACLU filing. This is a "multiple work week" kind of task and probably would cost $15-20k/phone: the technique, the tools, and the process are well understood. No police department is going to invest $20k to crack a phone for a minor crime.
Furthermore, t
Apple has a new acquisition target :) (Score:2)
A rich company like Apple could acqu-hire the company who did the FBI's dirty work.
Re: (Score:2)
Probably not. Rumor has it that it's an Israeli company. And most companies based in foreign nations that are involved in security or intelligence work are not available for purchase by outsiders. Or anyone not inside the good old boys intelligence circle (definitely not Apple).
Re: (Score:2)
Except, it seems...for the US, where just about any company or asset of the US is up for sale to other nations....freely.
I think I only have heard of ONE sale that in recent history was denied, one of the large shipping hubs I think on the east coast somewhere?
Where is the proof? (Score:2)
Is there any proof that the FBI gained access to the data on this phone. I've not seen any. And they have plenty of reasons to lie.
Re: (Score:2)
And they have plenty of reasons to lie.
Just watch. Every 'no knock' warrant served in So Cal for the next few years will be based on 'intelligence' gathered from Farook's phone.
State of Non-Emergency, I'll miss you most (Score:1)
"We need this unusual power for terrorists! Emergency! Emergency! Emergency!"
"So you won't immediately use it for normal crimes?"
"Mmmmmm...pay no attention to that tiny pile of thousands of phones behind the curtain."
Here it is (Score:2)
The DOJ don't want you to be able to own a thing they can't open. It could be a new super-secure safe, a car with a security trunk, or an electronic device.
If they attack your right to own such a thing, they look like bad guys. So, they've been working behind the scenes to ensure you can't acquire such a thing to begin with. The secret moves against Truecrypt and now the iPhone encryption show this new strategy . I don't know how many other companies have been pressured also.
I think it's wrong, but I don't
They proved they can do it themselves (Score:2)
Since they already demonstrated they don't need apple's help, even after much insistence, it will be much more difficult for them to convince the courts they can't do it without apple's help.
I cannot Trust Anything About This (Score:3)
I cannot trust the US Government had not already opened the phone when they raised is as a fulcrum in a war against personal privacy.
I cannot trust the US Government successfully opened the phone, because they were in no position to admit they could not.
I cannot trust the US Government did not state they opened the phone, to wait for a better political climate, meaning after the next inevitable terrorist attack, to push their agenda forward.
I cannot trust the US Government because they lied to the American people, and went ahead with the Total Information Awareness program--even after they were told not to.
People, we have three serious problems:
Firstly, there are terrorists in the world, who do nothing more than than soldiers who strike against civilian targets.
Secondly, we have people in power using unpolitical tested methods to gain information, and therefor power, with no checks and balances.
Lastly, and no one seems to be talking about this: it is impossible for any information to collected and observed--and not be used in a partisan way.
Does this mean police will do more police work? (Score:2)
Re: (Score:2)
I was thinking this big priority on accessing phones, surveillance, etc. but generally police no longer respond to burgarlies. I'm old enough to remember police would investigate burgarlies but these days not really. Will it free up resources to concentrate on crimes that effect us commoners?
If the burglar does not leave his iPhone behind then the police will have nothing they can do!
Evidence room (Score:2)
The FBI would like to unlock all those phones collecting dust in the evidence room...
Which got me thinking about a dead man's switch?
Apple could get the secure enclave to wipe the key and all data on the phone after a long period in the locked state?
Let's say after 2 months, if the phone hasn't been unlocked successfully you wipe the key and all data.
I would like something like that on my phone, so if it get stolen or lost I know that it will eventually wipe itself after some time (if I'm unable to do the r
Re: (Score:1)
In other words, if your phone is lost, you want it to automatically wipe all information on it that would make it possible for somebody to return it to you.
Why not just toss it off a bridge into the ocean?
Re: (Score:2)
The loss of my phone is of litte consequence to me, apart from the inconvinience of buying a new one and configuring/re-installing the apps.
Clear LOSS for the FBI. (Score:2)
This was not about getting the information. Neither Apple, nor the public, nor the courts said the FBI could not get the information.
This was always about whether the government could force Apple to get the information for them. That did not happen.
Therefore the FBI clearly lost this issue. They failed to convince Apple to do their bidding. They failed to convince a court to order Apple to do their bidding. They failed to convince the general public that their bidding was righteous, they even failed
Re: (Score:1)
As long as the 'case' goes away and we don't have to read about it every day in the MSM, we have all won.
Except Apple's marketing people.
How long do they keep phones in the evidence rooms (Score:2)
be able to get into some of the phones sitting in all of our evidence rooms
At what point if any can a defendant request the government return his property (phone)? If we acknowledge that smartphones are different because they contain a huge amount of personal information, should there be a limit to how long law enforcement can hold onto the device?
It would be like them seizing your entire house of all contents, along with all your safe deposit boxes, and every document from your place of business, and keep them forever while they decide whether or not to make a case against you
"Ok... But we don't have to tell Apple." (Score:2)
(That's kinda messed up.)
"From all the chiefs that I've talked to, we're hopeful this will give us some insight into how we're going to be able to get into some of the phones sitting in all of our evidence rooms," said Terry Cunningham, police chief in Wellesley, Mass., and president of the International Assn. of Chiefs of Police. "We're clearly anxious to learn what they did and how they did it and if it can be replicated."
The epitath on The Rule of Law's tomb stone (Score:2)