Big Brother is Watching You

[O Really]

I enjoyed this comment from the Slashdot article:
"Funny they are so concerned with gaining access to this stupid phone when the real weapons used to commit the crime are sold almost everywhere in america."

[Vrede too]

[O Really]

So if Apple techs could create software to crack the terrorist phone, thereby making it possible to crack anybody's phone, what - other than maybe personal integrity - is keeping somebody from doing it? Surely it must have major value to be sold off for enough to keep you in a good life in some country without extradition. If it can be done, court order notwithstanding, what stands between security and chaos? And I would guess that it can indeed be done, else Apple's answer would have been "it's impossible."

Reminds me of the religious dichotomy question: "if God is omnipotent, can he create a rock that is too heavy for him to lift?"
Can Apple create a system they can't override?

[Vrede too]

rstrong would know better than me, but I suspect it's much much easier for Apple to do an end run around their own security, but then the genie is out of the bottle. Otherwise, the FBI/NSA would have already done it without Apple's help.

[O Really]

rstrong would know better than me, but I suspect it's much much easier for Apple to do an end run around their own security, but then the genie is out of the bottle. Otherwise, the FBI/NSA would have already done it without Apple's help.

OK, so how many people working for Apple could do it? Maybe nobody by themselves? Maybe they put everything together in separate segments so nobody knows everything? If there is a genie, what keeps him/her in the bottle now?

[rstrong]

Reminds me of the religious dichotomy question: "if God is omnipotent, can he create a rock that is too heavy for him to lift?"
Can Apple create a system they can't override?

It's quite easy to create a system that you yourself can't override (if you forget the password). Any decent encryption system is like that.

It gets harder when you add complications - like cloud backups, automatic update installs, etc. And of course, many people prefer convenience over proper encryption. Hence the simple four-digit passwords by default.

But even these can be mitigated. Have the cloud backups encrypted by the phone, so that Apple can't decrypt them once the backups are on the cloud server. Key signing for the update installs. The option to use stronger passwords, and delay/lockout features for even the simple four-digit ones.

It would be much easier for Apple to build that "custom OS" than for anyone else. But again, if they were to succeed, they'd be obligated to immediately patch that hole.

BTW, since Farook's iPhone was owned by his employer, it WAS possible to get at the data. They could force a backup to iCloud, which the San Bernardino Health Department had a password for. But the FBI messed that up.

[rstrong]

Techdirt: Remember When The FBI & NYPD Told People To Upgrade Their iPhones To Enable Stronger Security?

Look, let's face facts here. For all the talk coming from the law enforcement community that they need backdoors into encryption to stop crime, they absolutely know that the reverse is true: strong encryption prevents crime. Lots of it. Strong encryption on phones makes stealing those phones a lot less worthwhile, because all the information on them is locked up. As we noted back in 2014, the FBI had a webpage advocating for mobile encryption to protect your phone's data:

[O Really]

It would be much easier for Apple to build that "custom OS" than for anyone else. But again, if they were to succeed, they'd be obligated to immediately patch that hole.

.

Sounds like a good plan.

So what is the main concern with phone hacking? Identity theft? Access to un-protected bank links? Password list?

[Vrede too]

Our money probably has more people interested in it than anything else, but the possibilities are endless - political advantage, workplace leverage, exposing legal or illegal misdeeds, extorting "favors", repression of dissent, revenge of some sort, etc. . . . gaining privileged info. about your clients.

[rstrong]

Sounds like a good plan.

Until you think about it.

You can be certain that Apple was looking for such a security hole even before the FBI made their demand, and has now redoubled their efforts. They - and their customers - have everything to lose form that "plan."

So what is the main concern with phone hacking? Identity theft? Access to un-protected bank links? Password list?

All of the above and far more, since all are common.

To catch a criminal, you don't force open the gate and leave it unlocked for ten thousand other criminals.

[Vrede too]

Maybe I'm missing some obvious examples but, other than physical public safety measures, when has a company ever before been forced by government to create something that doesn't exist?

[Vrede too]

Common software would have let FBI unlock shooter's iPhone

The county government that owned the iPhone in a high-profile legal battle between Apple Inc. and the Justice Department paid for but never installed a feature that would have allowed the FBI to easily and immediately unlock the phone as part of the terrorism investigation into the shootings that killed 14 people in San Bernardino, California.

If the technology, known as mobile device management, had been installed, San Bernardino officials would have been able to remotely unlock the iPhone for the FBI without the theatrics of a court battle that is now pitting digital privacy rights against national security concerns.

The service costs $4 per month per phone.

Instead, the only person who knew the unlocking passcode for the phone is the dead gunman, Syed Farook, who worked as an inspector in the county's public health department....

Should Apple be forced to do what government was too cheap to do?

[O Really]

Maybe I'm missing some obvious examples but, other than physical public safety measures, when has a company ever before been forced by government to create something that doesn't exist?

I don't know, but it probably depends on the meaning of "doesn't exist." I think it could be argued that it's just an adaptation of existing software. Unless you want to say that any new app or modification of software is a creation that didn't exist.

[O Really]

Is it not true that Apple could open their phones up until late 2014? And that there is no long parade of horrible things happening because of that? Is this request by the FBI not asking reinstatement of a former practice, not creating something never done before? (maybe not technically, but in principle?)
Were there long lists of law enforcement and other crooks demanding access from Apple when they could do it?

[rstrong]

I think it could be argued that it's just an adaptation of existing software.

It is, actually. That "adaptation of existing software" being a government-ordered back door. Which everyone will know is there, and all the criminals can exploit.

We went through this with the government's "Clipper Chip" proposal back in the 1990s. It turned to be full of security holes too. And like with the iPhone today, nothing stopped the user from using PGP or some other encryption system on top of it.

Maybe I'm missing some obvious examples but, other than physical public safety measures, when has a company ever before been forced by government to create something that doesn't exist?

It's not quite the same , but one other case comes immediately to mind:

When email viruses became popular, Microsoft and the other email client authors started blocking executables by default. This however blocked executable animated greeting cards from several companies. Who then contacted the folks behind the ever-changing government anti-trust investigation of Microsoft, who then ordered Microsoft not to block executables in Outlook and Outlook Express by default.

This did more than anything (except OS popularity) to leave Windows vulnerable to viruses.

[rstrong]

Is it not true that Apple could open their phones up until late 2014?

Mostly no.

But Apple HAS locked things down even further in response to the Snowden revelations. Because once it was known that one government agency had access, the others want it. As would government agencies in all the other countries.

There's also the espionage issue: Would you allow your government officials and defense contractors and corporate CEOs to use iPhones knowing that the Russian government could extract all the data? (And your government couldn't?)

And that there is no long parade of horrible things happening because of that?

There WAS a long parade of horrible things happening. The Snowden revelations were simply the last straw.

[O Really]

There WAS a long parade of horrible things happening. The Snowden revelations were simply the last straw.

Not saying there weren't, but do you have readily available examples?

[Vrede too]

I think requiring companies to make something new, as opposed to stopping certain things, is a bridge with future repercussions that we might not want to cross.

[O Really]

Auto companies have been required to come up with new technology (or creative statistics) to meet exhaust quality standards. Would a "catalytic converter" have been newly created to meet a federal requirement? Other companies have been required to come up with new tech or process like filtering, etc. True those are legislative requirements and not court orders, but requirements to create nonetheless. Creation of new software and systems was required by HIPAA.

But anyway, I looked at the issue from a practical standpoint since I just got a new mobile. I had the ummmm, "opportunity" to go over everything that was on and accessible by my old phone and considered which of that I would consider catastrophic if there was a court order that required somebody to look at it. Couldn't find much. Some inconvenience, nothing embarrassing, nothing that would open the vaults to my vast wealth. I suppose I'd think differently if I ran bank apps that remembered me or had all the same guessable passwords. Or if I kept social security numbers or credit card numbers or whatever. But I don't. Actually, there isn't much real information at all resident on my mobile. Apps and links to somewhere else, and I suppose some information can be gleaned from some apps, but little that's not available elsewhere. You could probably find out more just googling me than digging through my phone. Certainly more by running a typical pre-employment background check. Not nearly as much as the credit companies hold on me and who knows what they do with that.

[Vrede too]

No offense, but you're an old, stable liberal that doesn't have his whole life on his phone like younger folks do, probably don't have skeletons in your GPS and you don't have very controversial clients. If I understand the tech correctly there are more and more financial things that one can only do with a phone.

Otoh, I've been responsible for anthrax terrorism lately,

Spoiler:

exercises and drills, snoops.

Yeah, I made an exception for the very kind of "physical public safety measures" in consumer products like catalytic converters. I'm okay with the government mandating new technology in those cases, but this would be a major step beyond them. HIPAA is a better example, though its mandates don't specifically require particular software or any software at all, but that is the effect.