Judge forces Apple to unlock iPhone

[bozack]

Blowing holes in your security scheme just because isn't much of a reason since only their signed software could be loaded in the first place and they already know where the vulnerability would be.

Its a vulnerability you're already aware of since you engineered it why wouldn't you want to test it out to verify....if they truly wanted these to be secure they would have put preboot authentication on them and made it so every update had to be approved by a user, but they didn't.

I'm not all that familiar with Apple devices but does it force the user to encrypt the phone? If not it's the owners responsibility to ensure that their devices are being used in accordance to their standards. Do Iphones automatically update the OS or is it like my Android where I have to agree to download and install the update? If it doesn't automatically update the government was perfectly free to institute a policy that told their employees not to upgrade government owned Iphones. Again the burden is on the owner to ensure that they retain access to both the device and the data unless they entered into some sort of specific contract with Apple to do otherwise.

I guess one could argue that when the phone was originally purchased that tools to circumvent the security existed and therefore were expected but I would need to see some sort of evidence that the .gov expected this to remain the case as a condition of purchasing and using Iphones. From everything that I have read though the .gov is treating this like any other seized phone and not necessarily as their property. It would be kind of ironic to see the government argue that Apple sold them a device that was to secure against hackers.

With iOS8 they enforced encryption on the user data partition, it seems similar to Microsoft's Bitlocker in that part of the encryption is handled by hardware and that the OS is not encrypted which is why Apple would be able to update it if they wanted to

As for OS updates Apple used to push updates in the past but now is moving more towards a user acceptance model, the caveat is that if you buy new hardware you have to get the latest OS, which is how Apple has rolled for like ever and is brutal for those of us who try to manage a standards based environment when it comes to their laptops and desktops.

And while a company can introduce such a policy there is virtually no way to enforce it, much like Apple Desktop OS, users on iOS need full access and can remove all company enabled controls on their device (if the company is using an MDM solution)

So it would be a verbal policy at best, and once a phone is upgraded there is no way to roll back to an earlier supported release, so its rather futile for companies to attempt to block updating of iPhones....we tell folks all the time to hold off on updating when an iOS change negatively impacts our MDM solution but most users disregard that notification and just update because they see the notice on their phone.

The big difference between Apple and other companies in the tech sector when it comes to corporate device management is that the former basically doesn't care about enterprise customers when it comes to device management/control and tells them to go to some third party vendor which has limited ability other than to manipulate settings which already exist within the device...whereas others will develop tools for enterprise management that are far more difficult for users to circumvent when implemented properly.

Even if the govt was using a solid MDM platform the user in this case could have removed device control and done whatever he wanted with the phone (barring getting corporate email) and the govt would be in the same position they are in now.

 

[DCal430]

If someone is working so hard to prevent the government from accessing something, that in it self is suspicious. It should raise flags and even enough for further investigation. What are you trying to hide, I would say.

 

[Darwin333]

Does anyone know if this page was updated after the subpoena from the FBI or if it's been there for a while?

Finally, I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will.

http://www.apple.com/privacy/

 

[Subyman]

If someone is working so hard to prevent the government from accessing something, that in it self is suspicious. It should raise flags and even enough for further investigation. What are you trying to hide, I would say.

Lol, how many angles are you going to use to try to weasel your perverse logic into this debate?

 

[DCal430]

Lol, how many angles are you going to use to try to weasel your perverse logic into this debate?

I was just saying, I don't understand people insistence on privacy on unimportant things. Like the whole phone metadata stuff, who cares if the government knows who you called, or who called you. The only people who should care are those we need to worry about.

 

[nickqt]

I was just saying, I don't understand people insistence on privacy on unimportant things. Like the whole phone metadata stuff, who cares if the government knows who you called, or who called you. The only people who should care are those we need to worry about.

Once you give up certain liberties, and privacy is very much a liberty, they don't usually come back.

That's why people care about metadata.

You give up that liberty, and then they come for the next "unimportant" liberty, and so on, and so forth, until you're left saying, "who cares if the government knows what you said, the only people who should care are those we need to worry about".

 

[Darwin333]

The big difference between Apple and other companies in the tech sector when it comes to corporate device management is that the former basically doesn't care about enterprise customers when it comes to device management/control and tells them to go to some third party vendor which has limited ability other than to manipulate settings which already exist within the device...whereas others will develop tools for enterprise management that are far more difficult for users to circumvent when implemented properly.

Even if the govt was using a solid MDM platform the user in this case could have removed device control and done whatever he wanted with the phone (barring getting corporate email) and the govt would be in the same position they are in now.

Thanks for the detailed explanation, I was initially surprised that he worked for the .gov and had an Iphone issued to him because historically Iphones have been horrible at enterprise integration and security. I know they have made some advances in security and encryption, hence the issue the .gov is having right now, but wasn't sure about the enterprise features.

My question remains, is it not the responsibility of the company to ensure their employees properly use any and all tools the company provides them? If Iphones suck as an enterprise smartphone solution is it not the customers due diligence to choose a separate device/OS barring some sort of false advertisement? If an employee decides to steal a company vehicle the manufacturer of said vehicle shouldn't be on the hook to make some sort of master key so the company can retrieve the vehicle. If the manufacturer decides to offer that service then so be it. To compel a company to do something by force of law that is a polar opposite of a perfectly legal product/service/feature that they have spent tons of effort and resources into developing is just beyond wrong. As I have repeatedly said, if Apple had already developed this tool and had it sitting around it would be a different situation altogether. To compel them to make something new that undermines the very thing that they legally developed is something that the .gov shouldn't have the power to do.

 

[Darwin333]

If someone is working so hard to prevent the government from accessing something, that in it self is suspicious. It should raise flags and even enough for further investigation. What are you trying to hide, I would say.

Can we all assume that you do not have locks on your door? Would you mind posting your full name, address of said unlocked home and your social security number? If not, what are you trying to hide? But but but only the government will have this ability is probably going to be your retort and to that I, and history, call bullshit. Even if it wasn't bullshit, absolute power corrupts absolutely and our government has proven that it doesn't give dickall about our privacy rights. Even worse is you are willing to give up your rights for something that even the government doesn't claim would have protected you from this attack. So you are willing to trade your rights for something that will not make you any safer. FFS the government invented the TOR network and let it into the wild so that people in other nations would have a secure way to communicate.

I would really appreciate an answer to this one question: What other rights are you willing to give up for a very small sliver of perceived safety?

 

[K1052]

Its a vulnerability you're already aware of since you engineered it why wouldn't you want to test it out to verify....if they truly wanted these to be secure they would have put preboot authentication on them and made it so every update had to be approved by a user, but they didn't.

They engineered it out in subsequent devices/software so the question would have been moot anyway. With current iOS and the secure enclave they couldn't do what the government wants them to here.

 

[K1052]

Does anyone know if this page was updated after the subpoena from the FBI or if it's been there for a while?



http://www.apple.com/privacy/

It shows up in articles from at least 2014 so the wording doesn't seem to be new.

 

[Darwin333]

It shows up in articles from at least 2014 so the wording doesn't seem to be new.

If, and I'm not sure if it is but lets assume, this is their official privacy policy that is in their TOS couldn't every Iphone owner sue them for breach of contract if Apple decided to cooperate with the government and create a backdoor? I would think just being on their website under "privacy" would be more than enough which leaves it up to some non-technical people to determine if this is truly a "backdoor" or not with god knows how much money on the line and a huge PR hit.

 

[CZroe]

If someone is working so hard to prevent the government from accessing something, that in it self is suspicious. It should raise flags and even enough for further investigation. What are you trying to hide, I would say.

Stop mischaracterizing. The government would have to be able to get it without Apple's assistance for Apple to be working hard against it to prevent it. They are asking APPLE to work hard on undermining their own service commitments.

 

[sportage]

On the Sunday talk shows, the government said again that they want Apple to "just this one time" allow the government to open up the privacy of a cell phone.
And the attorney for Apple, the great one and only TED OLSON, said that the congress "has never addressed, but should have" addressed this privacy issue.
And Ted is correct.

Just another example of our congress neglecting their job until something like a terrorist attack hits the fan.
And NOW everyone wants to blame Apple? WTF is up with that?
In all truth, the US congress are the ones fully to blame and letting the American people down... yet once again.
And a republican controlled congress, I might add.
Just as this same republican congress has let down America with refusing to take up illegal immigration reform.
As Ted Olson said, the congress should have settled this issue of personal privacy long ago, not Apple.

Then on the other side, John Miller (deputy commissioner NYPD) claims Apple is making too much out of nothing.
That this deputy commissioner does not understand, with this one case, why Apple would not turn over the codes to break into a personal cell phone?
Which sounds all fine and dandy, except....

Once this pandoras box is opened concerning personal privacy, with the US congress failing to rule on the issue, does anyone really believe that once the government can get away with this then our government would not look at this win as their given ok to invade ones privacy over and over again?
All for causes not anywhere nears the level of debunking terrorism?

Once the government has those keys into everyones private life, does anyone really think or believe our very own government would not take this as their free pass to then use those keys however and whenever they wish?

This time is it all about terrorist and hacking into cell phones.
Next time, it may be hacking into your personal privacy to see what you've been up to.
And as Ted Olson said, then the terrorist win.
Terrorist would have succeeded in chipping away another huge chunk of American protected freedoms.

And I find it hard to believe with all the technology and tools the FBI and the government currently has at their disposal, that the government can only solve this one case by forcing Apple to turn over their system of encryption?
I find that very hard to believe.

I would bet the farm that the FBI has a truck-load of options currently legally available to find out exactly what they want to know.
I think this is not so much about terrorist nor finding out what they were up to and who else was involved. I would bet this is exactly what it looks like, government overreach simply because opportunity exists, and they feel entitled and above the constitution.
THAT is what this all comes down to.

I find it hard to believe the government does not already know exactly who else if anyone were involved in this terrorist attack.
I truly doubt the cell phone of any terrorist has anything to do with what the government is up to with their attacking Apple.
The government has a case here where a company like Apple through technology can stop a governments peering eyes from invading someones personal life.
And knowing our government, THEY DO NOT LIKE THAT.
No sir, not one bit.

 

[DrPizza]

AGAIN,

The person who OWNS the phone, the person who the data belongs too, is NOT the shooter. It is the people, the county of San Bernardino. Apple is denying the information to the people who it rightfully belongs too. Most seem to think this is the shooters private phone and private information. It isn't, it a government phone, with information that belongs to the government.

So if I have 100,000 in bit coins stored on phone, and I forget my PW, should them mean I am SOL. No it shouldn't.

Open letter to the County of San Bernardino: Hey - maybe if you're worrying about getting the data off one of your phones in case one of your employees dies, then maybe you shouldn't be using phones that encrypt the data. Now that you're realized YOU made a mistake, does not make it someone else's responsibility to fix.


Does anyone know of companies that keep critical data encrypted in such a way that only one employee in the entire company can get to that data, and the data is lost to the company if something happens to the employee?

 

[DCal430]

Stop mischaracterizing. The government would have to be able to get it without Apple's assistance for Apple to be working hard against it to prevent it. They are asking APPLE to work hard on undermining their own service commitments.

That comment wasn't about apple. It was about people who are so concerned with privacy. People on this forum.

 

[DCal430]

I have said before. If the government installed cameras on every street corner, had satellites monitor all outside areas, put tracking devices on all of our cars. I wouldn't mind, I would actually feel more secure.

 

[brycejones]

I have said before. If the government installed cameras on every street corner, had satellites monitor all outside areas, put tracking devices on all of our cars. I wouldn't mind, I would actually feel more secure.

Sounds like you need to move to the UK. I for one would not feel more secure with an omnipresent surveillance state that knew everything about me all the time for easy recall later.

 

[FrankRamiro]

I don't know why some people make a big deal of this? maybe people that don't want to be listening to may have something to hide!

 

[lopri]

Just because an entity does business in the United States does not mean you can force them to create a product that doesn't exist.

Why? Because you say so? You are the one who raised the outrageous spectacle of slavery and I reminded you of one basic feature of slavery: That you are not free to run away from it. ("indentured" as they say) In contrast, Apple has quite a few options, including but not limited to, stopping iPhone production and sales. Corporations engage in this kind of decision making all the time when they want to expand/retreat from their markets.

I have managed many construction projects for the government but I am under no contractual obligation to do any work for them currently, should they be able to force me to work on a current project since I've done similar work for them before? Of course not, I can (and should) be able to tell them to pound sand if I so desire.

And if your work facilitates criminal activities or is an impediment to enforcement of law, you do have some culpability. Take a "Swiss bank" I mentioned earlier as an example. That you do not ask where the money come from your customers does not excuse you from duty to report nor does it shield you from civil liability.

And to date there is no law that requires software makers to include or provide backdoors to their encryption. Until such a law is passed by Congress I don't see how this is remotely legal and I'd still question the constitutionality of such a law. Since no such law exists that is a debate for another time.

A lot of laws post-9/11 were unprecedented when they were enacted. Indeed, we can say new laws are always unprecedented by nature because they are enacted to adapt to new developments. If the world did not change the need for a new law would decrease dramatically.

But I do agree that this is a grey area. That is not particularly surprising if you take into account the speed of technological advancement as well as unprecedented kind of threats the nation faces. However, the argument you are making (with "slavery," "forced laber," etc.) is a different one.

Let's try a hypothetical.. ..If it's not involuntary servitude what exactly would you call the forcing of a person to provide their labor to the government against their will?

Again, your analogy to slavery is without merit. If what the employee has to do is objectively unreasonable or unduly harsh, then I believe that can be a defense and the employee can be excused. Perhaps this is what Apple is saying, in which case Apple will have surer footing to resist FBI. This is not my opinion, btw, but the state of law. (see the link in my previous post)

Oh, and slavery -> https://en.wikipedia.org/wiki/Slavery

(What do you count as "forced labor," in your slavery argument? Does "lifting a finger" count as labor in your book?)

Does the government, in your opinion, have the power to throw those two people in jail until they agree to provide their labor to the government even though they are under no contractual obligation, have committed no crime nor has Congress, to date, passed a law that requires them to do so? If so, how is that not involuntary servitude which is expressly prohibited by the 13th amendment? If it's not involuntary servitude what exactly would you call the forcing of a person to provide their labor to the government against their will?

Your "force" argument is a familiar one (from Libertarians and Tea Party movement), and there are many rebuttals around the web so I will refer you to one of them. -> What Do Voluntary Mean?

This would be a different story if the government could prove that Apple already developed the software and had it in their possession. I would argue that the case that you cited might work if the FBI writes the software themselves and then requires Apple's assistance to install it. In the case you cited the Feds wanted to install their own device onto existing infrastructure, everything that was "new", in this case a pen register, was provided by the Feds. Like my own personal example above, if they can force Apple to create something that doesn't exist why can't they force me to work on a future construction project? Also, does that "force" extend to the men on my crews that worked on previous .gov projects regardless if they are still my employees or not?

I have to reluctantly point out that your protest has the quality of "Get your government hands off my Medicare." The observation is that those who are most angry about the government and the regulations are not those who are truly burdened by them, but those who have been the beneficiaries of the governmental grants and perceive their privileges are threatened. It adds further to the irony to your slavery rant.

Another question, do you think that the Federal Government has the lawful ability to force Phil Zimmerman, the original author/developer of PGP, who no longer works on the PGP project to write and release an update that gives the FBI a backdoor to PGP? If so, what penalties do you think the government can impose if he doesn't comply? How many hours a day do you think they can, or should be able to, force him to work?

I am not familiar with PGP so I will pass.

 

[bozack]

My question remains, is it not the responsibility of the company to ensure their employees properly use any and all tools the company provides them? If Iphones suck as an enterprise smartphone solution is it not the customers due diligence to choose a separate device/OS barring some sort of false advertisement? If an employee decides to steal a company vehicle the manufacturer of said vehicle shouldn't be on the hook to make some sort of master key so the company can retrieve the vehicle. If the manufacturer decides to offer that service then so be it. To compel a company to do something by force of law that is a polar opposite of a perfectly legal product/service/feature that they have spent tons of effort and resources into developing is just beyond wrong. As I have repeatedly said, if Apple had already developed this tool and had it sitting around it would be a different situation altogether. To compel them to make something new that undermines the very thing that they legally developed is something that the .gov shouldn't have the power to do.

So a part of me says yes absolutely, companies should be selecting platforms which they can manage in a way which they deem appropriate, however as someone who deals with this daily as a part of my responsibilities the reality is the consumerization of IT has broad impact....to the point where IT departments are forced to deal with device security and management shortcomings to appease their users, but that is something of a different topic.

As for this case, Apple in some ways was the one who changed the game...the government had been going to them in the past and Apple cooperated, so Apple was in the data recovery business, but now due to a change in their approach towards device security and to limit their liability and involvement in these cases they have forced encryption ...not full disk encryption with a preboot pass phrase, but selective hardware encryption that leverages a pin to unlock

Now you have the government technically asking for the same level of service they had gotten in the past, and no difference in what they are looking to collect off of the device...but due to decisions Apple made to limit their liability and market on security are being told by apple that while they can do it, they won't as it will mean a big financial impact and loss of integrity.

I am torn on the issue, part of me agrees that the company shouldn't be forced to develop that which they say they don't want to, but on the other hand Apple shouldn't have assisted in the past as they set a precedent for their being involved.

 

[bozack]

They engineered it out in subsequent devices/software so the question would have been moot anyway. With current iOS and the secure enclave they couldn't do what the government wants them to here.

Umm you might want to check your information:

http://www.msn.com/en-us/news/techn...uld-destroy-the-product/ar-BBpMVSQ?li=BBnbcA1

"Apple technicians told investigators that they could write the software the FBI wants to unlock Farook’s phone"

http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order/

Secure enclave isn't fully "secure" as of yet it seems, and Apple has apparently admitted they could work around this for the FBI if they wanted to.

If they truly wanted these phones to be secure they would have equipped them with a preboot authentication mechanism and also forced all updates to be user accepted, two things which they clearly did not do as they don't want to inconvenience users as people are more than willing to sacrifice security for ease of use.

 

[DCal430]

I don't know why some people make a big deal of this? maybe people that don't want to be listening to may have something to hide!

Yes, someone who understands.

 

[bozack]

On the Sunday talk shows, the government said again that they want Apple to "just this one time" allow the government to open up the privacy of a cell phone.
And the attorney for Apple, the great one and only TED OLSON, said that the congress "has never addressed, but should have" addressed this privacy issue.
And Ted is correct.

Just another example of our congress neglecting their job until something like a terrorist attack hits the fan.
And NOW everyone wants to blame Apple? WTF is up with that?
In all truth, the US congress are the ones fully to blame and letting the American people down... yet once again.
And a republican controlled congress, I might add.
Just as this same republican congress has let down America with refusing to take up illegal immigration reform.
As Ted Olson said, the congress should have settled this issue of personal privacy long ago, not Apple.

Then on the other side, John Miller (deputy commissioner NYPD) claims Apple is making too much out of nothing.
That this deputy commissioner does not understand, with this one case, why Apple would not turn over the codes to break into a personal cell phone?
Which sounds all fine and dandy, except....

Once this pandoras box is opened concerning personal privacy, with the US congress failing to rule on the issue, does anyone really believe that once the government can get away with this then our government would not look at this win as their given ok to invade ones privacy over and over again?
All for causes not anywhere nears the level of debunking terrorism?

Once the government has those keys into everyones private life, does anyone really think or believe our very own government would not take this as their free pass to then use those keys however and whenever they wish?

This time is it all about terrorist and hacking into cell phones.
Next time, it may be hacking into your personal privacy to see what you've been up to.
And as Ted Olson said, then the terrorist win.
Terrorist would have succeeded in chipping away another huge chunk of American protected freedoms.

And I find it hard to believe with all the technology and tools the FBI and the government currently has at their disposal, that the government can only solve this one case by forcing Apple to turn over their system of encryption?
I find that very hard to believe.

I would bet the farm that the FBI has a truck-load of options currently legally available to find out exactly what they want to know.
I think this is not so much about terrorist nor finding out what they were up to and who else was involved. I would bet this is exactly what it looks like, government overreach simply because opportunity exists, and they feel entitled and above the constitution.
THAT is what this all comes down to.

I find it hard to believe the government does not already know exactly who else if anyone were involved in this terrorist attack.
I truly doubt the cell phone of any terrorist has anything to do with what the government is up to with their attacking Apple.
The government has a case here where a company like Apple through technology can stop a governments peering eyes from invading someones personal life.
And knowing our government, THEY DO NOT LIKE THAT.
No sir, not one bit.

Apple is the one that took this fight to the masses and is trying to rally support for their position...so keep that in mind...

So considering the average person what data would they retain on their phone that would be of critical importance from a security perspective that they would have an issue with this?

Speaking for myself I have none which I can think of....most of my services are cloud based, so those can all be served from a legal perspective and can produce whatever information....

Some pictures...notes on the device itself, and possibly iMessage chat history which is something else intelligence agencies have issues with.

I don't see why this has anything as of yet to do with Congress, remember this isn't an issue that just the US is dealing with, China, the UK, Russia and others are all questioning how to deal with device encryption like apples in which companies that implement have very little control on how it behaves...this is much different from say Bitlocker which has an engineered mechanism for accessing encrypted data on corporate systems.

This is all uncharted territory given that in the past folks didn't readily have access to encryption for their devices and the degree to which communication was facilitated was far less than it is now....

Congress is going to interview both Apple and the DOJ soon, but I don't see how this relates to Congress yet.

 

[brycejones]

Yes, someone who understands nothing.

Ftfy

 

[K1052]

Umm you might want to check your information:

http://www.msn.com/en-us/news/techn...uld-destroy-the-product/ar-BBpMVSQ?li=BBnbcA1



http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order/

Secure enclave isn't fully "secure" as of yet it seems, and Apple has apparently admitted they could work around this for the FBI if they wanted to.

If they truly wanted these phones to be secure they would have equipped them with a preboot authentication mechanism and also forced all updates to be user accepted, two things which they clearly did not do as they don't want to inconvenience users as people are more than willing to sacrifice security for ease of use.

What part of "subsequent" was unclear? The 5C does not have a secure enclave.