back to article Apple: FBI request threatens kids, electricity grid, liberty

Apple's opened another front in its argument over FBI access to San Bernardino killer Syed Farook's iPhone, arguing in a Washington Post column that creating even a single possible point of attack threatens national and personal security. Apple's senior veep of software engineering Craig Federighi makes that argument here, …

  1. Anonymous Coward
    Holmes

    You don't say !

    “Our nation’s vital infrastructure — such as power grids and transportation hubs — becomes more vulnerable when individual devices get hacked,”

    And yet Apple's business model (and Google's and Microsoft's) depends heavily on persuading people that everything is fine and dandy : 'just put everything into that one little egg basket and your life will be enriched'.

    That Apple is now using the obvious drawback in that concept as a legal argument is just a little bit contrary to the lifestyle they're all peddling.

    1. Anonymous Coward
      Anonymous Coward

      Re: You don't say !

      And yet Apple's business model (and Google's and Microsoft's) depends heavily on persuading people that everything is fine and dandy : 'just put everything into that one little egg basket and your life will be enriched'.

      Out of the 3 you mentioned, Apple is the only one who started to work on improving security and privacy BEFORE it became a mainstream press interest. Microsoft and Google could be clones the way they approach the rights of their users and compliance with laws: ignored when it gets in the way of profit..

      1. Halfmad

        Re: You don't say !

        To be fair to Microsoft they did try, just really badly over the years to improve security. It was never an after though, just done with an incredible degree of variance from one patch and development to the next.

        Apple, despite me not being a fan did approach it and continue to do so in a much more mature way. Right off to wash my hands, can't believe I'm typing praise to them.

      2. Anonymous Coward
        Anonymous Coward

        @1st AC - Apple being first to improve security

        I won't contest that. In fact I was surprised (pleasantly) at how far they had gone down that path. But that isn't really what I'm on about. They, and the others, have encouraged us all to put our lives into these things and create a massive security problem that can only be mitigated by the likes of encryption : something that the majority wont even think about.

        This quote :

        Smartphones are therefore “part of the security perimeter that protects your family and co-workers.”

        makes me wonder what reality he lives in. Smartphones are not in any sense a positive part of a security perimeter : they are a significant weakness.

        1. msknight

          Smartphone weaknesses

          Exactly why phones shouldn't be trusted implicitly... whether smart or not...

          http://www.bbc.co.uk/news/business-35716872

          "Some banks text security details when customers forget their details. The activation codes sent by text to mobile phones also allow payments to be made from an account. The scam works by blocking the genuine phone. The owner is unaware of why the phone has been blocked and allows the criminal - who now has control of their phone - to syphon money from their bank account. "

          1. Anonymous Coward
            1. msknight

              Re: Smartphone weaknesses

              OK - so here's the question... why would either Russia or China, allow a phone to operate in their countries, that can't be hacked in to?

            2. Doctor Syntax Silver badge

              Re: Smartphone weaknesses

              "Sim Card Cloning"

              The instruction include reading the victim's SIM. If someone has your SIM to clone he has easier options to make use of it.

        2. steeple

          Re: @1st AC - Apple being first to improve security

          I think you're being a little unfair. Where does he say a "positive" part?

          Regardless, he is just recognising a fact of modern life: in our current reality phones are now pretty firmly baked in as part of our security perimeter. SMS confirmation, mobile banking access, digital wallets, password reset, account recovery, etc.

          Yep, they're right in there.

          Seems to be spot on to me!

      3. Tom 35

        Re: You don't say !

        A good part of it was Apple trying to lock out it's own customers. Blocking the latest jailbreak blocks outside threats as a bonus.

    2. msknight

      Re: You don't say !

      Indeed.

      I also find myself concerned about Cooks preference that the FBI, etc. should have approached Apple on the quiet... and I find myself now wondering whether their ability to operate in Russia and China are possibly down to quiet words already having been spoken with those governments.

      Say what you like, but at least the courts can be scrutinised. Apple, as a corporation, isn't as easy for the likes of me to scrutinise; and I just don't trust Cook.

      1. Anonymous Coward
        Anonymous Coward

        Re: You don't say !

        Maybe that is why the FBI is making a public request for this to happen. Perhaps they want those holes plugged for other Governments. I'm not convinced of that, but it is interesting that they've approached this issue in this way. On the other hand, the high public visibility and interest in this case may have largely precluded any other direction.

        1. Doctor Syntax Silver badge

          Re: You don't say !

          "it is interesting that they've approached this issue in this way"

          I think they've taken the best case they can to get a precedent from the courts. This particular case takes advantage of the fact that the phone was owned by a public body, not the user and that the user's rights don't come into it because he's dead. OTOH if that last were a significant part of the precedent then the SOP for getting a phone unlocked might include "shoot user".

      2. Captain Queeg

        Re: You don't say !

        I'm not so sure about trusting Cook.

        In the end his job is to deliver shareholder value - I don't see how tacit assistance to Russia or China would help *long term* value. Granted, it may offer a quick win, but longer term the impact of something like that becoming public, which in the end it certainly would, because these things alway do, would be catastrophic for the company and it's complicit employees.

        While the FBI/NSA would take a very positive view of Apple assisting them, I can't imagine they'd smile and Nod at Cook if he'd helped the Chinese.

        So on balance I'd trust all three not to cosy up to any "foreign power"

      3. tom dial Silver badge

        Re: You don't say !

        One reason the US Attorney might have wanted to take up the matter formally using a court order instead of informally and privately is that there is nothing unique about the Farook iPhone. The issue with it, as well as the several hundred other iPhones for which federal, state, or local law enforcement agencies have search warrants is the governments' need to be able to use the warrants in criminal investigations.

  2. Lysenko

    "“Once created, this software — which law enforcement has conceded it wants to apply to many iPhones — would become a weakness that hackers and criminals could use to wreak havoc on the privacy and personal safety of us all.”

    Balls. Precisely the opposite in fact. Creating this software is penetration testing (which should be going on anyway) and if it works it identifies a vulnerability to be patched. Arguing that it leads inevitably to the seven plagues of Egypt is the same BS that dragged "hacking tools" into the Wassenaar Arrangement.

    This is the same "Think of the children!!" hyperbole the FBI are using and adopting those tactics serves only to validate the opposition. Apple should refuse to hack the phone because it is unconstitutional Judicial and Executive overreach.

    Once you start defending principles in terms of utilitarian consequences you're on the glide path back to tearing up the 4th and 5th Amendments, waterboarding, extraordinary rendition and internment camps.

  3. Malcolm Weir Silver badge

    Please try to keep up, Simon. The World+Dog has now realized that, while the specific order in the San Bernadino case applies to one device, the myriad of orders that will follow (using whatever language is accepted) if that order is approved will apply to large numbers of devices.

    Therefore, as you'd know if you'd been paying attention, the "just one iPhone" argument has been discredited by the people who made it (when they noted that they had "about 12" more they'd like hacked) and that's not counting the state and local law enforcement types who have their own piles of phones that they'd love to unlock.

    So it's clear that, if granted, that this would start a cottage industry in unlocking phones, which in turn means that the chances of the code escaping or it being misused are non-trivial (a point Apple has made).

    1. Dan 55 Silver badge

      They can't immediately delete all the source code and object code an send the engineers onto other projects as soon as this is finished because, if this works and sets precedent, they'd get another All Writs Act for just this other iPhone. Then another. And so on.

      They would also need to testify in court about how the firmware was written, giving more leads to everyone else about how to do it.

      Eventually Apple would argue it's too burdensome and they'd get a demand for govtOS instead, arguing TSA luggage keys as precedent or something. And I'm sure the TSA would want a copy of that too, along with the police, FBI, and so on.

      1. Tessier-Ashpool

        Also, the fbiOS would not be disposable. Apple would themselves be required to retain it (and the processes that were put in place to facilitate it) in case they become subject to litigation in the event there was a claim that they didn't do the job properly.

        1. tirk

          And what's to stop the defence lawyers requesting access to the source code of the cracked OS (to ensue pictures of kittens weren't replaced by plans for bombs)?

          1. cd

            If "kittens" is a euphemism for a slang term about felines then have an upvote.

      2. Citizens untied

        Seems to me, so far tech companies have escaped the kind of scrutiny, effectiveness be damned, of other industries where consumer safety is paramount - read auto industry. Their profit margins reflects a position of privilege. I wonder how interested they would be in principles if they had to operate at fast food margins. I wonder how concerned they would be for our safety and well being.

        Say what you will about the government, it is its job to protect us, competent or not. I, for one, will never be comfortable relying on Tim Cook's good intentions.

        1. Will Godfrey Silver badge
          Unhappy

          Wot?

          So rather than Tim Cook's unknown intentions, you'd prefer a government's that has a long track record of stomping all over it's own people's liberty.

  4. Richard Jones 1
    Flame

    Using a Phone to Control the World Is Mad

    Is the USA really using crappy public network connected mobiles to control vital services: That sounds nuts to me. Almost as nuts as the marketing oink from apple's claims that the end of the world is neigh.

    Since I only use a non encrypted voice and text phone I guess can remain safe from the current paranoia storm, if not from the risk of crazy terrorists.

    1. Richard 12 Silver badge

      Re: Using a Phone to Control the World Is Mad

      People's email is on their phone.

      Including internal corporate "email" that normally only resides in corporate servers and has never been transmitted unencrypted.

      Including information about private systems, that may include passwords.

      Including access to password reset facilities.

      That's before you consider the social engineering promise of being able to call someone from the CEO's actual phone.

      And the general phishing opportunities if you have the entire contents of their phone.

      1. Anonymous Coward
        Anonymous Coward

        Re: Using a Phone to Control the World Is Mad

        That's before you consider the social engineering promise of being able to call someone from the CEO's actual phone

        It's more about having his or her personal number - making it appear as if you call from their phone is but a setting for a VoIP system. That's also why you should NEVER, and I mean NEVER give your mobile number to asocial media providers such as Facebook or Google, although Google will most likely sniff it straight from your email signature instead.

      2. Richard Jones 1
        WTF?

        Re: Using a Phone to Control the World Is Mad @Richard 12

        Really I can only ask the simple question why?

        Honestly the scenario you painted sounded grim to me.

        Putting your life and all security tokens on one easily lost, over priced item reliant on a short life battery is simply not my way of life, all risk and no gain.

        Perhaps that is why my phone remains the one I have had for so long - and because unlike the current phones I have seen it is limited to exactly what I need and use and the 'modern' devices no longer support.

        1. Anonymous Coward
          Anonymous Coward

          Re: Using a Phone to Control the World Is Mad @Richard 12

          Really I can only ask the simple question why?

          Honestly the scenario you painted sounded grim to me.

          Putting your life and all security tokens on one easily lost, over priced item reliant on a short life battery is simply not my way of life, all risk and no gain.

          That would be correct if you were to assume the consequences would be limited to just phones, but this whole case is EXACTLY about the issue that setting such a precedent hands unlimited powers to the FBI in all manner of ways. Think about just how often you use crypto (even sometimes without realising it): online banking, paying in a shop (because some of that travels over public lines), paying your taxes, buying something online.

          In addition, all the things that are done on your behalf like gov statistics collection and discussions between your doctors about any medical condition - ALL of that would become accessible, and as we have seen with the Clipper chip, that is far too dangerous.

          Apropos having master keys, just find out what happened to the master keys for the locks you must put on your luggage to make the TSA happy: you can even get the 3D print files for them now, and as nice side effect you will not even get a payout from your insurance as there will be no traces of your locks being broken. If you need an idea just how sterling the US government is with keeping secrets, look up "OPM hack" and consider the impact that will have had to those who were compelled to provide such details to get a clearance. In my opinion, that neglect was nothing short of criminal but, as far as I know, the number of people who have gone to jail for that is exactly zero.

          The scenario IS grim, it's not just tech industries that have their income threatened.

          1. Richard Jones 1
            WTF?

            Re: Using a Phone to Control the World Is Mad Re @AC

            I can see your issue. I last went to the land of the not so very free, now the land of Electronic slaves about 1990. Back then following the light fingered mob dipping into a relative's luggage, I either hand carried anything with value greater than used travel clothes or did not take it with me. Since then I have become wiser. I avoid air travel and thus dodge not only your TSA's worst effects, but also the US Irritation service's efforts to upset and mess traveller's about. In the unlikely event of travelling afield again I would not take electronic devices across boarders; thus avoiding the hassle with customs and outrageous roaming charges. I would probably think about paying with a purpose established credit card rather than a regularly used one and not declare any dietary issues. I don't eat fish or curry through choice and dislike.

            The side effect of this attitude is that some might even think I am going green, oh the horror.

            I have had a few ocean boat trips and found them to be far more civilised than any recent airport experience, drive up, unload luggage, park and go aboard. I did take a mobile in case elderly relatives had problems, though I soon realised there was no point. All it ever did was ping away with welcome messages from every network going, but fortunately no charges. I would not bother now, I am not going to pay for incoming sale's calls!

          2. tom dial Silver badge

            Re: Using a Phone to Control the World Is Mad @Richard 12

            It may be worth observing that nothing the government requested of Apple could subvert encryption methods or algorithms in any way, provide a master key to anything, or operate outside the limits of a judicially authorized search warrant.

            That is true even in the probable case where there would be a great many more such demands if the government wins its case.

  5. Pascal Monett Silver badge
    Big Brother

    "it be used only on government or Apple premises"

    For now.

    How long will it take for the FBI to request a special room at FBI HQ with permanent presence of the cracking software and Apple people to ensure National Surveillance Security ?

    How long after that will the FBI dispense with the Apple people and replicate that room to every FBI building in every state ?

    It's National Security, people. You know it has to be done.

    1. Richard 12 Silver badge

      Re: "it be used only on government or Apple premises"

      "it be used only on government..."

      Exactly. We already know how good they are at keeping electronic data secret.

      We also know that given the chance, they'd use Apple's keys to backdoor every iPhone in the USA.

    2. Anonymous Coward
      Anonymous Coward

      Re: "it be used only on government or Apple premises"

      Any intrusion technique that requires physical access to the phone can't be used for mass surveillance. Anyway Apple stance will lead to:

      1) More efforts to bring in legislation to force remotely exploitable backdoor, instead of only local access to a limited set of devices under court control.

      2) Country like China, Russia, Iran, Saudi Arabia & C. doesn't care because they have quick ways to "ask" any people their PINs or passwords, torturing you and threatening your family are very effective ways, while Apple still makes money (and I wonder if it doesn't already collaborate secretly just to be able to sell in those markets)

      3) More incentives for any wannabe "hacking team" to break into those systems to make money - and selling to everybody willingly to pay. An Apple controlled access would be better.

      The end result is that non democratic states and and crooks will gain an advantage - while those following democratic rules will be cut off from essential evidences in many crimes. Let's see if China asks Apple the same, and what Apple replies - and if China will never ask it, ask yourself why it doesn't need...

      1. Pascal Monett Silver badge

        @LDS

        Um, legislation is not going to magically create a backdoor into a proper, mathematically-proven encryption scheme.

        That is the entire issue that tech companies are rightfully defending.

        Either you have a sound encryption scheme and people and companies will benefit and thrive, or you don't and it is only the scum that benefit.

        As for TLAs they don't actually benefit. They just have a lot of activity for very little return, and everyone else's lives are raped in the process.

        1. tom dial Silver badge

          Re: @LDS

          Correct. US legislation will not limit encryption protocols or require a back door to any of them. It might, however, require manufacturers of devices sold in the US a capability to bypass manufacturer provided individual device security based on a valid search warrant in ways that include those the government has described in the order that they got for the Farook iPhone. Nothing about such a requirement is obviously contrary to the Constitution.

      2. Doctor Syntax Silver badge

        Re: "it be used only on government or Apple premises"

        "The end result is that non democratic states and and crooks will gain an advantage - while those following democratic rules will be cut off from essential evidences in many crimes."

        If legit software had backdoors then legitimate users would have be at risk. Criminals? There's be plenty of people, some of them competent, prepared to produce illegal software and remember this simple fact: you do not discourage people intent on breaking the law by furnishing them with more laws to break.

  6. Anonymous Coward
    Joke

    "Apple works mighty hard to ensure its products are secure"

    That's why they build it in China...where nobody form that government will ever, ever, have easy access to all the facilities and technologies used to build them...

    1. Anonymous Coward
      Anonymous Coward

      Re: "Apple works mighty hard to ensure its products are secure"

      That's why they build it in China...where nobody form that government will ever, ever, have easy access to all the facilities and technologies used to build them...

      Building high grade security products follows a certain methodology where you segregate the build phases. You provide the factory with testing software that does not contain operational keys so you can check functionality but don't give away the family jewels with it. The hard work is ensuring integrity of your testing process, but even that can be automated. With current networking technology you can even build in a per-device authorisation phase (a luxury we did not have in earlier years).

      Been there, done that, etc :).

    2. Anonymous Coward
      Anonymous Coward

      Re: "Apple works mighty hard to ensure its products are secure"

      I'm not sure why you thinking assembling them in the US would be any more secure than building them in China. Being able to see all the parts that go in it as it is being put together isn't any different than taking one apart and seeing the parts that way. Either way they have no access to alter the software or get hold of Apple's signing key, which is probably located in only a single secure room in Apple's HQ.

      If China thought they could get some special information from access to where they are being assembled, it isn't like getting that access would be difficult if they were assembled in the US. They manage to infiltrate US nuclear weapons research programs, so I think getting access to a factory where many thousands of people assemble phones wouldn't present much of a challenge!

  7. Efros

    Interesting use

    of the "think of the children card"

    Seems the politicos and the enforcement agencies can be played at their own game.

    1. Anonymous Coward
      Anonymous Coward

      Re: Interesting use

      Seems the politicos and the enforcement agencies can be played at their own game.

      I'd go further here: given that their statements were clearly aimed at misleading the court, I want to know what they have to hide. After all, the general idea was that the FBI is accountable as a law enforcement agency, and this has the heady smell of politics all over it.

      Why is the FBI attempting to set policy? That's not its role.

  8. Fitz_

    Cognitive Dissonance

    It is fascinating seeing The Register cover this case with their strict policy of Apple negative spin; obviously Apple are in the right, but how to paint Apple as the bad guys? Quite the conumdrum but I see it's happening with a negative twist as expected.

    1. Anonymous Coward
      Anonymous Coward

      Re: Cognitive Dissonance

      It is fascinating seeing The Register cover this case with their strict policy of Apple negative spin; obviously Apple are in the right, but how to paint Apple as the bad guys? Quite the conumdrum but I see it's happening with a negative twist as expected.

      You caught a bad case of confirmation bias. Review other articles.

      1. Handy Plough

        Re: Cognitive Dissonance

        >> "You caught a bad case of confirmation bias. Review other articles."

        Yes and no. It's hard to argue the merits of this article. Sharwood's polemic is so beyond inept, it's laughable. There is 'biting the hand that feeds IT' and there is this article. Sharwood is tying himself in knots to make Apple look unreasonable. I gave up taking seriously anything this site had to say many moons ago. This though, this article is utter shite, and I'd wager goes against the views of the majority of the readership (not the good ol'fashioned Apple hating, the erosion of privacy).

        1. Anonymous Coward
          Anonymous Coward

          Re: Cognitive Dissonance

          I don't read the Reg's coverage of this as negative to Apple. As stated, you see what you want to see, so if you look for bias against Apple you'll find it if you look hard enough. I imagine there are a few readers who support the FBI who think the Reg's coverage is pro Apple and highly biased against the FBI.

  9. Pen-y-gors

    Time for a compromise?

    Given that it appears to be possible (if somewhat surprising) for Apple to get access to 'the phone' perhaps they should do what the court orders and hack it, under protest, this time. Really, it's not that different to a safe manufacturer cracking a safe. BUT, Apple then update their OS so that that hack isn't possible in the future.

    Seems a reasonable compromise, no? Both sides save face, and future security is enhanced.

    1. theOtherJT Silver badge

      Re: Time for a compromise?

      They already have updated their OS - and their hardware. In newer phones it seems that they genuinely wouldn't be able to comply with this order anyway.

      1. Anonymous Coward
        Anonymous Coward

        Re: Time for a compromise?

        I do hope that is correct.

      2. Tessier-Ashpool

        Re: Time for a compromise?

        They also need to sort out iCloud backups. It's unacceptable (to me) that Apple currently have the ability to decrypt my backups.

        1. Steve Davies 3 Silver badge

          Re: Time for a compromise?

          You don't have to use iCloud to backup your iDevice. I thought any self respecting Fanboi knows that.

        2. Anonymous Coward
          Anonymous Coward

          iCloud backups

          Yes, I would like to see them add the ability to have my full iCloud backups encrypted by a key that only I control. Currently that's true for files that have certain protections (like passwords stored with apps) but files that have 'no protection' status in iOS are encrypted with a key Apple controls which allows them to decrypt the content.

          Since iMessage data is among the things that have 'no protection' (there are reasons for that, and it isn't something that would be that easy to change) it leaves something to be desired, which is why I've never used iCloud and backup to iTunes exclusively. Part of the reason for this is because if it is protected by a key you control and you lose it, you lose your backups - i.e. ease of use. I think that's fine, just allow a more secure option for those who choose it, with appropriate warnings of 'if you forget your iCloud backup key (password) you will lose access to the iCloud backups of your phone'. Since you already have an iCloud password, and that can't be used as this key, nor can your device password (otherwise you couldn't restore to a new device if yours was lost) they would need to allow you to create yet another password....that's hard to get across to customers and create a simple UI for...

      3. tom dial Silver badge

        Re: Time for a compromise?

        The article at Trail of Bits suggests that Apple could provide the same circumvention on post-5C iPhones, although with somewhat greater difficulty.

    2. Bronek Kozicki
      Megaphone

      Re: Time for a compromise?

      If the software to get around iPhone security gets created, try to imagine what happens next. This would be an extremely valuable piece of software. Governments would want it and they have any legal leverage they want. Also, the mob would want it as well and, although they probably cannot make legal requests to Apple as a company, they can surely threaten its employees. Next you have foreign spy agencies, which do not have scruples either, and the list goes on.

      If this software gets ever written, I'd absolutely hate to be a programmer involved into this - it would have likely placed my family in danger. Also Apple executives might be in danger for the same reason. Also foreign Apple businesses might be in danger, from local governments. Basically the only safe way for Apple, and its employees, to handle this software would be to indiscriminately distribute it to anyone interested. It does not matter at all that the request in question is for software to unlock "single phone only", it is like requesting a calculator which can only work in certain hands. Once you have certain operation implemented, the use scenarios are outside of programmers hands.

      The only way Apple can prevent massive privacy violation is to either 1) do not write the software at all, or 2) if it gets written, stand as a shield between mobs/spies/TLAs/governments and users privacy. Which would introduce risk to business of the worst kind i.e. one they are not prepared to manage - I can see why they have no appetite for this. Even if they did, would you trust them to maintain such a shield policy over the years? I would not, and neither would customers and investors. It is a suicide move (for programmers involved, possibly literal one).

      Basically that means that the privacy of all iPhone users would take a huge hit. I am not among them, but I do appreciate that it is a very popular phone. Apple is right in pointing out the implications of such a privacy hit and, frankly, I am astonished that an El Reg journalist does not seem to understand it.

      1. Anonymous Coward
        Anonymous Coward

        Re: Time for a compromise?

        Panic! Panic! Panic! The sky is falling in.

        Sorry grow up and get real.

        So lets take stock, the iPhone 5c now has a publicly known method by which its security can be compromised so as to permit a brute force attack with a realistic chance of success within a reasonable amount of time. We also know that this exploit will not work on subsequent iPhones.

        Let us assume that this revised version of iOS gets built, proves the above, and gets released into the wild. What is going to happen, other than Apple showing that it is just as insecure as many other organisations?

        I, like many others, have had for many years now a CD that contains some tools that enable me to crack Windows security and thus break into any Windows machine to which I have physical access. This ability is far greater than what the revised version of iOS that the FBI are requesting will be capable of doing, yet the availability of such tools hasn't caused the Windows market to disappear...

        So the issue at stake here isn't so much about the compromising of the security on this specific iPhone, but what that represents and why the FBI decided to do this publicly through the courts rather than as Apple have intimated via the security services backdoor.

        1. Bronek Kozicki

          Re: Time for a compromise?

          have had for many years now a CD that contains some tools that enable me to crack Windows security and thus break into any Windows machine to which I have physical access

          there is nothing new about it - now show me a CD that contains tools to decrypt encrypted filesystem. With strong encryption. You know, like TrueCrypt volume that one TLA failed to decrypt previously. Still feeling so smug?

          1. This post has been deleted by its author

          2. Anonymous Coward
            Anonymous Coward

            Re: Time for a compromise?

            there is nothing new about it

            Precisely, and there is nothing new here either. The device security is a little stronger but the principle and intent is the same.

            now show me a CD that contains tools to decrypt encrypted filesystem. With strong encryption. You know, like TrueCrypt volume

            https://www.elcomsoft.com/efdd.html

            Remember software encryption such as Truecrypt isn't as secure as TPM-hardware based full disk encryption...

            Still feeling so smug?

            Yes, because you've not provided any reason to show that the world will change for the worse given where we are now, with the vast majority of devices having only basic levels of security. So I see no reason to run round in circles crying the sky is falling in.

            However, what has changed is public awareness of how secure Apple's iPhones are and have become since the 5c. I suspect that prior to this court case, few knew about the extensive security measures built into more recent iPhones and if asked would had recommended someone with security concerns to buy a Blackberry. So I suspect that one of the reasons Apple are relatively happy about this court case is the global publicity they are getting and the security endorsement being given by the FBI, who acknowledge they are unable to use similar techniques on newer models...

        2. tom dial Silver badge

          Re: Time for a compromise?

          If the software were developed and released into the wild it is not obvious how it could be installed on any iPhone other than as described in judge Pym's order without Apple's assistance, at the very least, to sign the modified OS files.

          Even if it were not released, it is likely that there are a few thousand people or organizations with the right combination of knowledge and maybe equipment to develop software capable of as much or more, given physical access to the iPhone model they wish to target.

          So a couple of additional reasons not to panic.

          1. Anonymous Coward
            Anonymous Coward

            Re: Time for a compromise?

            If the software for JUST THIS ONE PHONE was released in the wild, sure. How likely is that, given that the FBI already has a dozen other phones they want to do this with, the NYPD has 173, and undoubtedly there are thousands of others in the US alone.

            It will quickly become impossibly unwieldy to create a custom version of iOS that runs on just that one phone in each case, so it will become necessary to create a generic FBiOS at that point.

            If you think that won't happen, tell me where I'm wrong in this scenario. I sure hope you don't believe the FBI's original assertion that this is about "just one phone" because Comey himself has already backed down off that claim.

            1. Anonymous Coward
              Anonymous Coward

              Re: Time for a compromise?

              If the software for JUST THIS ONE PHONE was released in the wild, sure.

              My original question, assumed the version that got released could be applied to all iPhone 5c's - because that is the simplest way of creating a signed iOS update... I assume that Apple haven't implemented checks so that updates can only be signed for a single phone.

              But yes given that Apple seem to create a single iOS image for all supported iPhones, it might be wise to assume it can be installed on any iPhone... Now does that change things? I suspect not.

    3. Anonymous Coward
      Anonymous Coward

      Re: Time for a compromise?

      Apple was already working on a change that would remove the ability to update software on a locked phone (which was done for convenience...i.e. it allowed recovery from a bad flash)

      And no, this is not like a safe manufacturer cracking a safe. It is like a safe manufacturer being ordered by the court to create a special tool that allows breaking into EVERY safe they make, but the FBI saying "but you can bring the safe into your lab and use this tool on it rather than give it to us so that's OK". The problem is that the FBI will come back and ask them to do this for a lot of other safes. And the safe manufacturer will have this tool in their possession, where the possibility exists for it to be copied by an unscrupulous employee (or one that has had his family kidnapped and is under duress) or a burglar (i.e. hacker) could break in and steal a copy of it.

  10. John H Woods Silver badge

    "Really, it's not that different to a safe manufacturer cracking a safe" --- Pen-y-gors

    Did you somehow miss all the coverage and comments? It's ok if you did, but you should either catch up or shut up.

  11. Anonymous Coward
    Anonymous Coward

    Did you somehow miss all the coverage and comments? It's ok if you did, but you should either catch up or shut up.

    Both is also an option :)

  12. Boris the Cockroach Silver badge
    Big Brother

    I still think the FBI

    Has gone about this the right way

    Legally obtained the device in question, asked the manufacturer "Can you get the data off this thing", then got a court order signed by a judge telling apple to get the data off the thing.

    Sounds better than slurping where ever google has found cheapest to put its servers and illegally accessing the illegally google slurped data off your "secure" google phone....

    1. Doctor Syntax Silver badge

      Re: I still think the FBI

      Has gone about it in the right way to do what?

      AFAICS, they've gone about it in the right way to give them the best chance to obtain a precedent that they'll then take every opportunity to extend until no meaningful safeguards are left. I doubt they give a monkey's about the content of the phone, even assuming it has anything they haven't got from the backup.

  13. John Lilburne

    This pudding needs more eggs ...

    ... yes lots more.

  14. Cari

    Fair play to Apple for fighting this. Though who or what they are really protecting here?

    The average customer isn't going to give a shit either way (considering the number of users of other devices whose manufacturers haven't put as much effort in to security). Most will still be taken in by Apple's glamour and shell out for the latest piece of shiny kit, so it can't be public custom they're worried about losing.. can it?

    1. noj

      the average customer

      I don't think people on this forum are average customers. And I don't think the people in Security who decide whether a device has access to their business are average customers either. I know of one such institution that prefers the iPhone precisely because of its "walled garden" and the fact that it will erase itself after 8 attempts.

      There will always be a majority of people who don't care about security. And some of them are going to suffer for it. That doesn't mean that a the option shouldn't be available for those who do care.

      For the record: I have an iPhone. I work at at a pediatric hospital. I want to be able to be in touch with my hospital 24x7 to provide the best support I can. And I want to protect those kids by having the best security possible for the hospital and that includes the devices that attach to it. I don't care who manufactures the device or what their motives are, profit or philanthropic, as long as they are secure and the more secure the better.

    2. Doctor Syntax Silver badge

      "Though who or what they are really protecting here?"

      That's an easy one. Everyone who didn't think it mattered until they ended up on the wrong end of a false accusation and find out too late that it did matter.

  15. Jin

    There is a backdoor.already

    Something is apparently overlooked in the discussions over the backdoor. iPhone and many other smart devices already have valid backdoors, namely, a fingerprint scanner or a set of camera and software for capturing faces, irises and other body features, which can be collected from the unyielding, sleeping, unconscious and dead people.

    It is now known that the authentication by biometrics usually comes with poorer security than PIN/password-only authentication. If Apple wants to claim that they are conscious of privacy and security, they could tell consumers to turn off the biometric functions. If the authority wants to have those backdoors open, they could tell consumers to keep them turned on all the times. And, security-conscious consumers could certainly refrain from turning them on.

    1. Anonymous Coward
      Anonymous Coward

      Re: There is a backdoor.already

      There's a timeout on being able to use the fingerprint reader on the iPhone, after which it requires the password. It also requires the password when it is first booted (so if you are about to get arrested, power off your phone or touch the wrong finger to it 3-4 times in succession)

      The way the fingerprint reader works on the iPhone is that your actual password is stored in the secure enclave (so it must get your password from you when you first boot the phone to allow this) so yes it is less secure. But that's a problem with biometrics in general - doesn't matter if you use fingerprints, irises, palm veins or whatever. Fingerprints and irises are particularly bad because they are trivially lifted in public places unless you go everywhere in gloves and sunglasses.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like