Apple vs. Feds

[Hokie CPA]

Surprised no thread on this already...

http://www.latimes.com/opinion/editoria ... story.html

Analogy I saw yesterday is Feds are asking for a pass-key that would open any door in the building in order to search one hotel room. There's got to be a way around that.

Any tech peeps in the room able to expound on Apple's encryption and whether Apple can crack one specific phone vs writing in a universal update that would create a back door into any iPhone? I understand Apple says they don't have the key to their own encryption... is that true?

So far, I'm in agreement with Apple as far as keeping iPhones secure, on the whole.

[RiverguyVT]

Surprised no thread on this already...

http://www.latimes.com/opinion/editoria ... story.html

Analogy I saw yesterday is Feds are asking for a pass-key that would open any door in the building in order to search one hotel room. There's got to be a way around that.

Any tech peeps in the room able to expound on Apple's encryption and whether Apple can crack one specific phone vs writing in a universal update that would create a back door into any iPhone? I understand Apple says they don't have the key to their own encryption... is that true?

So far, I'm in agreement with Apple as far as keeping iPhones secure, on the whole.

Im not tech savvy either. Based on the bit I understand, I'm w Apple too.
Trump is out there saying he'd force Apple to cooperate. That's just what we need in the WH huh?

[nolanvt]

Agree, fellow CPA. I'm with Apple in this instance.

[awesome guy]

Sounds like BS to me from Apple. They don't want to jeopardize the Muslim market. Or they could go even further and advertise an IED app.

[BigDave]

I don't understand why they can't just remove the memory from the phone, make a copy of it, and then have at it in a virtual environment. Is that not a thing?

[Bay_area_Hokie]

I am not an encryption expert at all. This is one are of IT I have never really learned and I have no desire to...

That being said, I don't understand why they can't take the phone to their facility, and return every document, image, text message from the phone on a memory stick and give it to the Feds.

Now, I think I just answered my own question. If they did this once, they would have to have a dept with 500 people doing this in a year. They could ask the gov't for $10K every time it's needed. I don't see what is wrong with that. They shouldn't have to bear the cost IMHO.

I guess if they had that dept with 500 people, and Samsung didn't, a lot of people would go to Samsung. I think this whole thing quickly spirals to the point of it being a giant cluster.

[BigDave]

I am not an encryption expert at all. This is one are of IT I have never really learned and I have no desire to...

That being said, I don't understand why they can't take the phone to their facility, and return every document, image, text message from the phone on a memory stick and give it to the Feds.

Now, I think I just answered my own question. If they did this once, they would have to have a dept with 500 people doing this in a year. They could ask the gov't for $10K every time it's needed. I don't see what is wrong with that. They shouldn't have to bear the cost IMHO.

I guess if they had that dept with 500 people, and Samsung didn't, a lot of people would go to Samsung. I think this whole thing quickly spirals to the point of it being a giant cluster.

Well, it's probably not as simple as that - I'm sure the data on the phone is encrypted and would have to be decrypted first. But you'd think that it would be separable where you could physically remove the data memory from the phone and then make a copy of it. The copy would still be encrypted, but the government could then brute force hack that copy.

[awesome guy]

I am not an encryption expert at all. This is one are of IT I have never really learned and I have no desire to...

That being said, I don't understand why they can't take the phone to their facility, and return every document, image, text message from the phone on a memory stick and give it to the Feds.

Now, I think I just answered my own question. If they did this once, they would have to have a dept with 500 people doing this in a year. They could ask the gov't for $10K every time it's needed. I don't see what is wrong with that. They shouldn't have to bear the cost IMHO.

I guess if they had that dept with 500 people, and Samsung didn't, a lot of people would go to Samsung. I think this whole thing quickly spirals to the point of it being a giant cluster.

Well, it's probably not as simple as that - I'm sure the data on the phone is encrypted and would have to be decrypted first. But you'd think that it would be separable where you could physically remove the data memory from the phone and then make a copy of it. The copy would still be encrypted, but the government could then brute force hack that copy.

They just don't want to give up the encryption key or key generator.

[133743Hokie]

I am not an encryption expert at all. This is one are of IT I have never really learned and I have no desire to...

That being said, I don't understand why they can't take the phone to their facility, and return every document, image, text message from the phone on a memory stick and give it to the Feds.

Now, I think I just answered my own question. If they did this once, they would have to have a dept with 500 people doing this in a year. They could ask the gov't for $10K every time it's needed. I don't see what is wrong with that. They shouldn't have to bear the cost IMHO.

I guess if they had that dept with 500 people, and Samsung didn't, a lot of people would go to Samsung. I think this whole thing quickly spirals to the point of it being a giant cluster.

Well, it's probably not as simple as that - I'm sure the data on the phone is encrypted and would have to be decrypted first. But you'd think that it would be separable where you could physically remove the data memory from the phone and then make a copy of it. The copy would still be encrypted, but the government could then brute force hack that copy.

They just don't want to give up the encryption key or key generator.

The issue is that Apple says they don't have one and will have to develop it. Their concern, legitimate or not, is that once the "key" is developed it will be out there. There will be no way for them to contain it, even within their own business. Essentially they don't want to develop a monster.

[awesome guy]

I am not an encryption expert at all. This is one are of IT I have never really learned and I have no desire to...

That being said, I don't understand why they can't take the phone to their facility, and return every document, image, text message from the phone on a memory stick and give it to the Feds.

Now, I think I just answered my own question. If they did this once, they would have to have a dept with 500 people doing this in a year. They could ask the gov't for $10K every time it's needed. I don't see what is wrong with that. They shouldn't have to bear the cost IMHO.

I guess if they had that dept with 500 people, and Samsung didn't, a lot of people would go to Samsung. I think this whole thing quickly spirals to the point of it being a giant cluster.

Well, it's probably not as simple as that - I'm sure the data on the phone is encrypted and would have to be decrypted first. But you'd think that it would be separable where you could physically remove the data memory from the phone and then make a copy of it. The copy would still be encrypted, but the government could then brute force hack that copy.

They just don't want to give up the encryption key or key generator.

The issue is that Apple says they don't have one and will have to develop it. Their concern, legitimate or not, is that once the "key" is developed it will be out there. There will be no way for them to contain it, even within their own business. Essentially they don't want to develop a monster.

You have to have the key before you can encrypt. They already have the key. But a company I used to work for had a patent on doing secret encryption like this, where we didn't have the key and only the user could decrypt. And we too had tons of requests from the feds to stop criminals and couldn't without releasing the master key. This was also pre 9/11 so the stakes weren't as high.

[Major Kong]

One thing I heard yesterday was that these phones are made in China.

The Chinese probably already have the pass keys, so just ask China for the info.

[miles]

One thing I heard yesterday was that these phones are made in China.

The Chinese probably already have the pass keys, so just ask China for the info.

Apple prolly signed a nondisclosure agreement.

[TheH2]

Surprised no thread on this already...

http://www.latimes.com/opinion/editoria ... story.html

Analogy I saw yesterday is Feds are asking for a pass-key that would open any door in the building in order to search one hotel room. There's got to be a way around that.

Any tech peeps in the room able to expound on Apple's encryption and whether Apple can crack one specific phone vs writing in a universal update that would create a back door into any iPhone? I understand Apple says they don't have the key to their own encryption... is that true?

So far, I'm in agreement with Apple as far as keeping iPhones secure, on the whole.

From what I've read, I'm with Apple. I don't think they should be providing a back door into all their software. Now, I think on a case by case basis they should hack into a phone if there is a warrant, but it sounds like that is more difficult than I would think.
I think the former would be a detriment to every U.S. tech company.

[absolutvt03]

Surprised no thread on this already...

http://www.latimes.com/opinion/editoria ... story.html

Analogy I saw yesterday is Feds are asking for a pass-key that would open any door in the building in order to search one hotel room. There's got to be a way around that.

Any tech peeps in the room able to expound on Apple's encryption and whether Apple can crack one specific phone vs writing in a universal update that would create a back door into any iPhone? I understand Apple says they don't have the key to their own encryption... is that true?

So far, I'm in agreement with Apple as far as keeping iPhones secure, on the whole.

From what I've read, I'm with Apple. I don't think they should be providing a back door into all their software. Now, I think on a case by case basis they should hack into a phone if there is a warrant, but it sounds like that is more difficult than I would think.
I think the former would be a detriment to every U.S. tech company.

I think the problem with the case by case thing is once the "hack" is created, it exists and who knows who will try to get their hands on it or for what purposes. I don't know that it's a case of how difficult it would be and more the repercussions of the existence of a "skeleton key" to get into any Apple device.

[133743Hokie]

I am not an encryption expert at all. This is one are of IT I have never really learned and I have no desire to...

That being said, I don't understand why they can't take the phone to their facility, and return every document, image, text message from the phone on a memory stick and give it to the Feds.

Now, I think I just answered my own question. If they did this once, they would have to have a dept with 500 people doing this in a year. They could ask the gov't for $10K every time it's needed. I don't see what is wrong with that. They shouldn't have to bear the cost IMHO.

I guess if they had that dept with 500 people, and Samsung didn't, a lot of people would go to Samsung. I think this whole thing quickly spirals to the point of it being a giant cluster.

Well, it's probably not as simple as that - I'm sure the data on the phone is encrypted and would have to be decrypted first. But you'd think that it would be separable where you could physically remove the data memory from the phone and then make a copy of it. The copy would still be encrypted, but the government could then brute force hack that copy.

They just don't want to give up the encryption key or key generator.

The issue is that Apple says they don't have one and will have to develop it. Their concern, legitimate or not, is that once the "key" is developed it will be out there. There will be no way for them to contain it, even within their own business. Essentially they don't want to develop a monster.

You have to have the key before you can encrypt. They already have the key. But a company I used to work for had a patent on doing secret encryption like this, where we didn't have the key and only the user could decrypt. And we too had tons of requests from the feds to stop criminals and couldn't without releasing the master key. This was also pre 9/11 so the stakes weren't as high.

No, they have clearly stated they would have to develop this.

[awesome guy]

I am not an encryption expert at all. This is one are of IT I have never really learned and I have no desire to...

That being said, I don't understand why they can't take the phone to their facility, and return every document, image, text message from the phone on a memory stick and give it to the Feds.

Now, I think I just answered my own question. If they did this once, they would have to have a dept with 500 people doing this in a year. They could ask the gov't for $10K every time it's needed. I don't see what is wrong with that. They shouldn't have to bear the cost IMHO.

I guess if they had that dept with 500 people, and Samsung didn't, a lot of people would go to Samsung. I think this whole thing quickly spirals to the point of it being a giant cluster.

Well, it's probably not as simple as that - I'm sure the data on the phone is encrypted and would have to be decrypted first. But you'd think that it would be separable where you could physically remove the data memory from the phone and then make a copy of it. The copy would still be encrypted, but the government could then brute force hack that copy.

They just don't want to give up the encryption key or key generator.

The issue is that Apple says they don't have one and will have to develop it. Their concern, legitimate or not, is that once the "key" is developed it will be out there. There will be no way for them to contain it, even within their own business. Essentially they don't want to develop a monster.

You have to have the key before you can encrypt. They already have the key. But a company I used to work for had a patent on doing secret encryption like this, where we didn't have the key and only the user could decrypt. And we too had tons of requests from the feds to stop criminals and couldn't without releasing the master key. This was also pre 9/11 so the stakes weren't as high.

No, they have clearly stated they would have to develop this.

They're lying

[HokieJoe]

My understanding is that breaking into the phone will destroy all of it's contents. According to Apple, they'd have to write a program to avoid that. On a related note, it looks lIke John McAfee has offered to break into the phone within 3 weeks; or eat a shoe on live tv.

http://www.dailymail.co.uk/news/article ... -free.html


So there's that.

[BigDave]

My understanding is that breaking into the phone will destroy all of it's contents. According to Apple, they'd have to write a program to avoid that. On a related note, it looks lIke John McAfee has offered to break into the phone within 3 weeks; or eat a shoe on live tv.

http://www.dailymail.co.uk/news/article ... -free.html


So there's that.

If the Commerce Clause means that you can be forced to buy health insurance, then why shouldn't the government be able to compel Apple to write a new program for them?

[HokieJoe]

My understanding is that breaking into the phone will destroy all of it's contents. According to Apple, they'd have to write a program to avoid that. On a related note, it looks lIke John McAfee has offered to break into the phone within 3 weeks; or eat a shoe on live tv.

http://www.dailymail.co.uk/news/article ... -free.html


So there's that.

If the Commerce Clause means that you can be forced to buy health insurance, then why shouldn't the government be able to compel Apple to write a new program for them?

Good point. Maybe we should get Justice Robert's to read the political tea leaves and make decision. Because politics is a central concern of the SC. And Supreme's aren't appointed to life time tenures for a reason.

[ieatbacon]

Surprised no thread on this already...

http://www.latimes.com/opinion/editoria ... story.html

Analogy I saw yesterday is Feds are asking for a pass-key that would open any door in the building in order to search one hotel room. There's got to be a way around that.

Any tech peeps in the room able to expound on Apple's encryption and whether Apple can crack one specific phone vs writing in a universal update that would create a back door into any iPhone? I understand Apple says they don't have the key to their own encryption... is that true?

So far, I'm in agreement with Apple as far as keeping iPhones secure, on the whole.

I'm not an encryption or iThing expert, but I did read the iOS security guide and think I have a pretty good understanding of the issue.

Apple does not have the encryption keys or passwords of the phone. The encryption keys are created during manufacturing and not saved anywhere. The FBI is asking Apple to create a custom version of the iOS, which can be installed without unlocking the phone, which bypasses two specific security features: 1) The time delay between password entries and 2) The setting which automatically deletes all data on the phone after 10 failed attempts at the password. This will allow the FBI to brute-force the password on the phone and unlock it.

I don't understand why they can't just remove the memory from the phone, make a copy of it, and then have at it in a virtual environment. Is that not a thing?

They could, but to read the memory, they'd have to brute-force guess at the encryption key, rather than the password to read the data, which is orders of magnitude more difficult. There may be more sophisticated ways to hack the hardware to access the encryption keys (which are not in memory, but are on a separate chip), but if the FBI has that capability, they're not going to expose it and thus can't use it in any legal cases (I've also heard that such methods would break the chain-of-custody of the evidence).

That being said, I don't understand why they can't take the phone to their facility, and return every document, image, text message from the phone on a memory stick and give it to the Feds.
....
I guess if they had that dept with 500 people, and Samsung didn't, a lot of people would go to Samsung. I think this whole thing quickly spirals to the point of it being a giant cluster.

Their concern (which is justified IMO) is the precedent it sets. If the FBI has access to this capability, so will local law enforcement, foreign governments, and it won't take long before hacker groups get a hold of the software too. In an era where we constantly hear stories about Target, Sony, OPM, and everybody else getting hacked, we should be happy that someone in the tech industry finally built a secure product, not asking them to deliberately weaken the security that protects all of their users. It's incorrect to think about Apple's position in the context of only San Bernardino, or even Apple vs. the US Govt.

One other important point - There are 1000s of encryption products in the market - many developed outside the US, and some are actual good (i.e. possibly not breakable even by sophisticated entities like the NSA). They're largely not as usable as what's built into the iPhone, but groups like ISIS already do use them. Weakening the security of the iPhone will weaken it for the average user, but a determined threat will still have plenty of options to use to avoid surveillance.

[HokieForever]

I can answer everyone's question. There are two separate issues going on here.

First, let's talk about this guys iPhone it was an iPhone 5c. The iPhone 5c was a less powerful version of the iPhone 5 and did not have what Apple called a Security enclave in it. What does that mean, basically you can upload a different operating system to the phone allowing the FBI do to what it wants. No problem right, agree except for this....

Starting with iPhone 5 or 5s (don't remember), Apple added the Security enclave. What this does is encrypt everything on the phone using the devices UUID, a random string of text, and your passcode. That means even Apple cannot decrypt your phone. They cannot upload a custom operating system circumventing the software controls or give access to anyone. Ever notice when you go to install an iOS update it asks for your passcode? Its unlocking the encrypted part of your system to allow the iOS update.

So you are saying to yourself so what, Apple can help in this case, yes it can, but now you have set a precedence. If Apple complies with this order, a subsequent case could have Apple being required to unlock any iPhone at any time and what does that mean you ask. Simple they will have to release an iOS update that gives the Government backdoor access to your phone effectively circumventing encryption and every American citizen's right to privacy. The problem here is there is no way to limit WHO uses the backdoor like say a hacker.

So this is a privacy issue and a security issue all "stop" terrorism. Before some of you agree with what the Government is asking I ask that you look up the statistics of what the chances are being killed by a terrorist vs say cancer, car accident, etc. You would be surprised at the lengths we are going to "stop" terrorism.

HokieForever

[ElbertoHokie]

I can answer everyone's question. There are two separate issues going on here.

First, let's talk about this guys iPhone it was an iPhone 5c. The iPhone 5c was a less powerful version of the iPhone 5 and did not have what Apple called a Security enclave in it. What does that mean, basically you can upload a different operating system to the phone allowing the FBI do to what it wants. No problem right, agree except for this....

Starting with iPhone 5 or 5s (don't remember), Apple added the Security enclave. What this does is encrypt everything on the phone using the devices UUID, a random string of text, and your passcode. That means even Apple cannot decrypt your phone. They cannot upload a custom operating system circumventing the software controls or give access to anyone. Ever notice when you go to install an iOS update it asks for your passcode? Its unlocking the encrypted part of your system to allow the iOS update.

So you are saying to yourself so what, Apple can help in this case, yes it can, but now you have set a precedence. If Apple complies with this order, a subsequent case could have Apple being required to unlock any iPhone at any time and what does that mean you ask. Simple they will have to release an iOS update that gives the Government backdoor access to your phone effectively circumventing encryption and every American citizen's right to privacy. The problem here is there is no way to limit WHO uses the backdoor like say a hacker.

So this is a privacy issue and a security issue all "stop" terrorism. Before some of you agree with what the Government is asking I ask that you look up the statistics of what the chances are being killed by a terrorist vs say cancer, car accident, etc. You would be surprised at the lengths we are going to "stop" terrorism.

HokieForever

HokieForever dropping the knowledge bomb.

[awesome guy]

I can answer everyone's question. There are two separate issues going on here.

First, let's talk about this guys iPhone it was an iPhone 5c. The iPhone 5c was a less powerful version of the iPhone 5 and did not have what Apple called a Security enclave in it. What does that mean, basically you can upload a different operating system to the phone allowing the FBI do to what it wants. No problem right, agree except for this....

Starting with iPhone 5 or 5s (don't remember), Apple added the Security enclave. What this does is encrypt everything on the phone using the devices UUID, a random string of text, and your passcode. That means even Apple cannot decrypt your phone. They cannot upload a custom operating system circumventing the software controls or give access to anyone. Ever notice when you go to install an iOS update it asks for your passcode? Its unlocking the encrypted part of your system to allow the iOS update.

So you are saying to yourself so what, Apple can help in this case, yes it can, but now you have set a precedence. If Apple complies with this order, a subsequent case could have Apple being required to unlock any iPhone at any time and what does that mean you ask. Simple they will have to release an iOS update that gives the Government backdoor access to your phone effectively circumventing encryption and every American citizen's right to privacy. The problem here is there is no way to limit WHO uses the backdoor like say a hacker.

So this is a privacy issue and a security issue all "stop" terrorism. Before some of you agree with what the Government is asking I ask that you look up the statistics of what the chances are being killed by a terrorist vs say cancer, car accident, etc. You would be surprised at the lengths we are going to "stop" terrorism.

HokieForever

They have yhe uuid of every device so that's not really true.

[HokieForever]

They have yhe uuid of every device so that's not really true.

But they don't have the random key or the user's security code, the only thing the UUID does is associate the encryption with that device and that device only. That is why they can't take a "copy" of the memory and take it elsewhere to "crack", the encrypted part of the system won't even attempt to allow an unlock unless the UUID associated with it is present. The UUID is just an identifier not a part of the encryption itself.

HokieForever

[awesome guy]

They have yhe uuid of every device so that's not really true.

But they don't have the random key or the user's security code, the only thing the UUID does is associate the encryption with that device and that device only. That is why they can't take a "copy" of the memory and take it elsewhere to "crack", the encrypted part of the system won't even attempt to allow an unlock unless the UUID associated with it is present. The UUID is just an identifier not a part of the encryption itself.

HokieForever

Sure they do. They have the random keys for every phone created at the factory. They don't need the security code as that's not part of the key. Just listen to what they're saying, they say they have the capability to push an update to all phones to unlock it. They couldn't do that if the key was in the user domain. They just don't want to do it and the claims of breaking every phone just isn't true.