|
Am I misunderstanding what the FBI was asking Apple to do? I was under the impression —and this segment seemed to suggest— that the FBI was asking them to disable the feature that wipes the phone if the password is entered incorrectly a number of times, not actually develop a backdoor in the encryption itself. Keep in mind I'm not agreeing with the FBI, I just want to make sure I'm on the same page as all of you.
|
#
?
Mar 15, 2016 08:18
|
|
|
|
| # ? May 14, 2024 17:28 |
|
|
Baronash posted:Am I misunderstanding what the FBI was asking Apple to do? I was under the impression —and this segment seemed to suggest— that the FBI was asking them to disable the feature that wipes the phone if the password is entered incorrectly a number of times, not actually develop a backdoor in the encryption itself. The FBI wants Apple to develop a custom iOS version that doesn't have the 10-incorrect-guess lockout feature, so they can push it to the phone and unlock it with an automated tool that brute-forces the PIN. I guess it's a backdoor into the phone itself, not into the encryption per se.
|
|
#
?
Mar 15, 2016 08:33
|
|
|
Wouldn't you need to unlock the phone to install an upgrade to the phone I don't get this.
|
|
#
?
Mar 15, 2016 08:37
|
|
|
Krinkle posted:Wouldn't you need to unlock the phone to install an upgrade to the phone I don't get this. Eh, I don't use Apple products because they're poo poo, but I'm presuming that Apple can push software upgrades as long as the device is connected to a network, otherwise none of this would even be up for discussion. Android devices, for example, can automatically update applications while locked but I'm not sure if OS upgrades work that way. Whenever I receive an OS upgrade prompt I manually initiate it, but I suppose if the device has downloaded the update and you forced a reboot without unlocking it (by using the power button or pulling the battery) it might install the update on next boot.
|
|
#
?
Mar 15, 2016 09:59
|
|
|
iOS updates won't install at all unless you go through a series of prompts saying that it's okay to do so. No matter if it's plugged in or reset or not.
|
|
#
?
Mar 15, 2016 10:11
|
|
|
Why can't they just copy the files on the hard drive and brute-force it at their leisure? Surely it's within Apple's capabilities to image the disk and shove it into a VM.
|
|
#
?
Mar 15, 2016 10:27
|
|
|
Anticheese posted:Why can't they just copy the files on the hard drive and brute-force it at their leisure? Surely it's within Apple's capabilities to image the disk and shove it into a VM.
|
|
#
?
Mar 15, 2016 10:47
|
|
|
Atomizer posted:Eh, I don't use Apple products because they're poo poo, but I'm presuming that Apple can push software upgrades as long as the device is connected to a network, otherwise none of this would even be up for discussion. My phone has literally never updated. It is a bad android that never updates the operating system. Nothing on the google play store is compatible with my version. I was just assuming it would update like windows where you have to log in and then reboot it later. Goddamn I need a new phone.
|
|
#
?
Mar 15, 2016 10:59
|
|
|
That was a really good segment that got everything right, went into some decent details without confusing people too much and stayed on point. Easily the best bit I've seen on it.Krinkle posted:Wouldn't you need to unlock the phone to install an upgrade to the phone I don't get this. You put it in DFU (Device Firmware Update) mode and can then put any Apple signed code onto it via itunes. It's for fixing broken poo poo like Windows recovery mode but the FBI is pushing Apple to allow them to put in code that circumvents a layer of Apples security. Edit: The amusing thing with this for me is that we keep hearing talk about whether or not this is a backdoor, as an outsider though the All Writs Act seems like it's being used as a backdoor to the constitution. Woden fucked around with this message at 12:54 on Mar 15, 2016 |
|
#
?
Mar 15, 2016 11:11
|
|
|
Atomizer posted:The FBI wants Apple to develop a custom iOS version that doesn't have the 10-incorrect-guess lockout feature, so they can push it to the phone and unlock it with an automated tool that brute-forces the PIN. I guess it's a backdoor into the phone itself, not into the encryption per se. Yes, the issue is it defeats a key security measure of the phone. If it is written and used, it will be used for more than just this instance. It will be leaked (either from within sources at Apple or from people who use it.) If Apple does this, they might as well just remove the feature from the OS as it becomes meaningless. The 10 guesses before wipe is integral to the security since there are only so many combinations. It would be trivial for a machine to cycle though all 10000 combinations of a 4 digit pin. Hell, an extremely bored individual could easily do it in a day manually. Retry lockout is key to any authentication mechanism. It takes a computationally easy thing and makes it unfeasible.
|
|
#
?
Mar 15, 2016 14:01
|
|
|
John Oliver was on Colbert last night and he talked more about the hat and the iPhone issue. Jay-Z tried to get HBO to send him the hat for free.
|
|
#
?
Mar 15, 2016 14:38
|
|
|
I wonder if the FBI tried "1234" "0000", the guy's birthday, and now they're sitting at 9/10 tries going "gently caress".
|
|
#
?
Mar 15, 2016 16:32
|
|
|
Can someone tell me why we're assuming it's a 4-digit number? My Galaxy Tab 4 lets me set PINs with more numbers. My current one is 8 numbers, that way it reinforces the PIN I have to remember for work (with my RSA token).
|
|
#
?
Mar 15, 2016 16:49
|
|
|
Demiurge4 posted:There is a clear difference between being able to do something and being legally able to do something. It can be argued that if the FBI cracks your encryption, that since it constitutes hacking into the phone, the evidence was illegally obtained. If you obtain the information through a lawful court order the evidence is fully admissible. The NSA or CIA don't care since they operate outside the law, but the FBI would care a lot. It's pretty much this. The FBI wants what's on the phone legally so they can arrest people without it getting thrown out in court. As shipping people to Guantanamo Bay is out now.
|
|
#
?
Mar 15, 2016 16:52
|
|
|
tarlibone posted:Can someone tell me why we're assuming it's a 4-digit number? I think (don't quote me on this never used one) apple devices only accept 4 digit pins. EDIT: I asked my friend for numerical PINS the max is 6 on apple devices. Though smart people would just use full alphasymbolnumeric passwords Cerepol fucked around with this message at 17:16 on Mar 15, 2016 |
|
#
?
Mar 15, 2016 17:13
|
|
|
Cerepol posted:I think (don't quote me on this never used one) apple devices only accept 4 digit pins. I recently had to set up an Iphone 6S and Ipad Air 2 at work and both forced me to use a 6 digit pin.
|
|
#
?
Mar 15, 2016 17:16
|
|
|
tarlibone posted:Can someone tell me why we're assuming it's a 4-digit number? Because 4-digit pin was the default from Apple for years until recently, and most people don't bother to deviate from that. I don't think any official has outright stated it however. E: Vodos posted:I recently had to set up an Iphone 6S and Ipad Air 2 at work and both forced me to use a 6 digit pin. With iOS 9 they updated the default to 6 but you should be able to set it back to a 4-digit pin in the settings. Also, if you set up a new phone from a backup I think you keep your 4-digit pin. Freaquency fucked around with this message at 17:22 on Mar 15, 2016 |
|
#
?
Mar 15, 2016 17:17
|
|
|
It honestly doesn't matter if it's a 4 digit numerical pin or a 6 or even an 8 when you are talking about brute forcing it with a machine with no retry limit/timeout. Even in the most extreme case, it will probably only take minutes if not seconds to try all the combinations. Even 6 digits isn't impossible to do manually. It would probably take a few months, but it could be done. 7 to 8 digits is where it starts to become unfeasible to guess manually, but a machine would have no issues.
|
|
#
?
Mar 15, 2016 17:50
|
|
|
Demiurge4 posted:There is a clear difference between being able to do something and being legally able to do something. It can be argued that if the FBI cracks your encryption, that since it constitutes hacking into the phone, the evidence was illegally obtained. If you obtain the information through a lawful court order the evidence is fully admissible. The NSA or CIA don't care since they operate outside the law, but the FBI would care a lot. I don't think that argument holds much water. You're basically saying that any computer with a password is untouchable by law enforcement, which is clearly not true. This is exactly why they have warrants. And if it was illegal for the FBI to hack into your phone, how is uploading a custom version of iOS onto the phone and then brute forcing the password not hacking?
|
|
#
?
Mar 15, 2016 18:28
|
|
|
Baronash posted:I don't think that argument holds much water. You're basically saying that any computer with a password is untouchable by law enforcement, which is clearly not true. This is exactly why they have warrants. I could have it backwards, but I believe they're allowed to force you to hand over a key to a padlock (a thing), but not allowed to force you to give up a combination (speech.) They can, however, physically break open a safe. The question is, how does that translate over to digital lock boxes?
|
|
#
?
Mar 15, 2016 19:16
|
|
|
I think the point is that with a warrant, they can force you to hand over that locked box. Now, you might have destroyed the only key, and if it's a combination lock they can compel you to tell them the combination but if you refuse, other than locking you up, there's poo poo-all they can do about it. With this iPhone situation, they can't get in without the cooperation of the suspect, who is dead. It's just more complicated now. As discussed in the program, you can create a special key to break into one particular lock or door that probably won't work in any other lock or door unless that other lock and/or door just happens to share the same key, and the odds on that are remote. The type of backdoor that the government wants Apple to create would work on any Apple iPhone, and if it is created, it's not like that physical key that the locksmith made that someone would have to steal before it got destroyed. Hackers from outside of Apple or saboteurs from inside Apple could distribute the software and threaten the security of anyone's iPhone, and that's assuming Apple isn't required to hand the software over to the government, where, again, it could be stolen from and distributed. There isn't a perfect solution, but there probably is a better one than just hoping that our laws, some of which haven't changed in 200 years, can still be applied given the drastic advances in technology we've enjoyed over, hell, just the last 20 years or so.
|
|
#
?
Mar 15, 2016 20:01
|
|
|
tarlibone posted:if it's a combination lock they can compel you to tell them the combination Wasn't this a central point of the whole Touch ID argument a few years back? That you had the legal right to not tell law enforcement the combination on grounds of self-incrimination, but them taking your thumb and forcing you to physically unlock the phone fell under a more grey area?
|
|
#
?
Mar 15, 2016 20:10
|
|
|
tarlibone posted:I think the point is that with a warrant, they can force you to hand over that locked box. Now, you might have destroyed the only key, and if it's a combination lock they can compel you to tell them the combination but if you refuse, other than locking you up, there's poo poo-all they can do about it. With this iPhone situation, they can't get in without the cooperation of the suspect, who is dead. Police are able to cut a lock or get a locksmith to open your locked box if they have a warrant. Baronash fucked around with this message at 20:15 on Mar 15, 2016 |
|
#
?
Mar 15, 2016 20:13
|
|
|
Baronash posted:Police are able to cut a lock or get a locksmith to open your locked box if they have a warrant. Right. That was kind-of my point. I edited out a sentence that made it more clear, apparently. See, they can tell you that you have to open it for them, but if you refuse, they can't actually make you do it because you're a human with free will. But, they can cut it open or get someone else to do it. That's not the case with the iPhone situation we've got here.
|
|
#
?
Mar 15, 2016 21:07
|
|
|
Baronash posted:Police are able to cut a lock or get a locksmith to open your locked box if they have a warrant. Sure, but are they able to compel the company that made the locked box help them, by pointing out structural weaknesses, engineering the metal to react to a specific quick-dissolve compound, stuff like that?
|
|
#
?
Mar 15, 2016 21:43
|
|
|
TheCenturion posted:Sure, but are they able to compel the company that made the locked box help them, by pointing out structural weaknesses, engineering the metal to react to a specific quick-dissolve compound, stuff like that? They'd be able to compel the company to give them a key if it existed and probably tell them that if you dropped it at exactly 45 degrees on an uneven plane of yogurt it'll pop right open. The issue here is that there is no key and the structural weaknesses are known to all. So the FBI is demanding that Apple create a key for them, which runs into issues outside those talked about in the piece. Since code is considered speech, the FBI is asking a court to compel the speech of Apple. Which is a hell of a request considering the 1st amendment and all.
|
|
#
?
Mar 15, 2016 22:38
|
|
|
Why cant they just write the update, and only have it pushed to that one phone so the feds can brute force it? iOS updates come out in different regions at different times, so it's not like they don't have a way to isolate phones based on geography/other arbitrary factors.
|
|
#
?
Mar 15, 2016 23:35
|
|
|
Jaramin posted:Why cant they just write the update, and only have it pushed to that one phone so the feds can brute force it? iOS updates come out in different regions at different times, so it's not like they don't have a way to isolate phones based on geography/other arbitrary factors. It is following the order to produce the custom, insecure OS that they take exception to, not anything to do with how it gets on the phone.
|
|
#
?
Mar 15, 2016 23:36
|
|
|
Jaramin posted:Why cant they just write the update, and only have it pushed to that one phone so the feds can brute force it? iOS updates come out in different regions at different times, so it's not like they don't have a way to isolate phones based on geography/other arbitrary factors. It's not an issue of getting the software on that one phone. Apple would have to produce a custom version of their OS that is open to intrusion, and they do not believe that it would be possible for them to keep it from getting out into the wild if they did so. e: Beaten
|
|
#
?
Mar 15, 2016 23:41
|
|
|
withak posted:It is following the order to produce the custom, insecure OS that they take exception to, not anything to do with how it gets on the phone. Correct. It's folly to think this will be the only request. We know NYC alone has over 100 phones that police want to get into. And that's the rub. Once it becomes routine to request this OS push, it will be leaked. It will be reverse engineered. Apple will have to patch against it, and the cycle will start again. Millions of people could have their personal information put at risk in the meantime. Meanwhile, once those who really want their info secret realize this has become routine, they'll further encrypt info stored in the phone beyond what the device provides and the whole thing is rendered useless anyways.
|
|
#
?
Mar 15, 2016 23:48
|
|
|
But only Apple can push a phone update externally, so the opportunity to brute force it wouldn't exist on any other device even if it did get out. A hacker wouldn't be able to force a phone to accept the insecure OS update without manually doing so, at which point they're already in the phone. If the issue is security on-site while actually writing the update, then put the development data on devices encrypted the same way as their phones.
|
|
#
?
Mar 15, 2016 23:52
|
|
|
Jaramin posted:Why cant they just write the update, and only have it pushed to that one phone so the feds can brute force it? iOS updates come out in different regions at different times, so it's not like they don't have a way to isolate phones based on geography/other arbitrary factors. Among other reasons, because the method used to acquire evidence has to be properly vetted to make sure it's actually accurate. Otherwise the FBI could say "yeah we totally used this custom tool and found Bob Smith of New York City is going to commit Terrorism. We can't show you now though because it's one use".
|
|
#
?
Mar 15, 2016 23:56
|
|
|
computer parts posted:Among other reasons, because the method used to acquire evidence has to be properly vetted to make sure it's actually accurate. Why would that make vetting the evidence any harder, assuming you had a warrant? You just copy the data from the phone once its open. This is like saying that saying that you couldn't use child pornography in a pedophiles house's wall safe against him because you had to break the safe to get it open. I'm not saying that you could or should do any of this without a warrant.
|
|
#
?
Mar 16, 2016 00:04
|
|
|
Jaramin posted:But only Apple can push a phone update externally, so the opportunity to brute force it wouldn't exist on any other device even if it did get out. A hacker wouldn't be able to force a phone to accept the insecure OS update without manually doing so, at which point they're already in the phone. If the issue is security on-site while actually writing the update, then put the development data on devices encrypted the same way as their phones. In this specific case the government is telling Apple to enable brute-forcing of passwords on this one model of phone, but it has already been pointed out that this exploit can't work on current-generation phones anyway where this security function is built into the hardware instead of in the software. The concern is that it sets a precedent of hardware/software companies having to intentionally weaken their products at the direction of the government. The only way for Apple (or whoever) to comply with a government request to unlock arbitrary phones in the future would be to design the weakness in from the start.
|
|
#
?
Mar 16, 2016 00:12
|
|
|
Jaramin posted:But only Apple can push a phone update externally, so the opportunity to brute force it wouldn't exist on any other device even if it did get out. A hacker wouldn't be able to force a phone to accept the insecure OS update without manually doing so, at which point they're already in the phone. If the issue is security on-site while actually writing the update, then put the development data on devices encrypted the same way as their phones. The ability to update a pin protected phone falls into the same category of things that could potentially be leaked, it's just been of limited utility right now since it can't be used to bypass protections since the OS that would bypass them doesn't exist. Keep in mind ANY user can update or restore a PIN protected device without the PIN, it will just result in a wiped device right now. Also, as John pointed out, the whole industry is barely (and often times not) ahead of the hacker community. The ability to load an arbitrary update while the phone is pin protected is a weak point that could be exploited down the line.
|
|
#
?
Mar 16, 2016 00:12
|
|
|
bull3964 posted:The ability to update a pin protected phone falls into the same category of things that could potentially be leaked, it's just been of limited utility right now since it can't be used to bypass protections since the OS that would bypass them doesn't exist. If this were the case then PINS would already be obsolete because it's possible to decompile the source code that iPhones use already. I don't really see a problem with complying with the order, since even if it got leaked the same protection that right now keeps their software from just being remotely updated to just not have a PIN at all would still apply.
|
|
#
?
Mar 16, 2016 00:35
|
|
|
Why are you fixated on "remotely" updated? The whole point of FDE is to deny someone access to the contents of your device if they physically have it in their possession.
|
|
#
?
Mar 16, 2016 00:45
|
|
|
All I mean by that is that that device cant have the software updated from within the device, the update has to come from somewhere else. there's no "iOS8" chip inside of it. Right now apple are the only people able to make an iOS device go from iOS8 to iOS8.1 without the user's input. Even if iOS8.1 were made publicly available online after its release, hackers would still need to find a way to load it onto a device in order to take advantage of the brute-force weakness. There is no way to do that without decompiling the OS and modifying it to not require the update to come from Apple. If you've already decompiled and modified the OS, then it doesn't matter that you have the update with a weakness, because you could just remove the security feature entirely. If it were possible to jack Apple's remote "update" signal, which is not be new—they've had that capacity forever, then it would have already been done. PINS aren't new, and if hackers had the ability to modify the OS version they would have made it an obsolete feature years ago. They don't, so its still useful. EDIT:If I'm wrong, and hackers can hijack the update signal then ignore me. Jaramin fucked around with this message at 01:00 on Mar 16, 2016 |
|
#
?
Mar 16, 2016 00:57
|
|
|
Jaramin posted:Why would that make vetting the evidence any harder, assuming you had a warrant? You just copy the data from the phone once its open. This is like saying that saying that you couldn't use child pornography in a pedophiles house's wall safe against him because you had to break the safe to get it open. I'm not saying that you could or should do any of this without a warrant. It's not just good enough to say "here's the data we got off the phone after we cracked it", they have to account for any alteration made from the time the phone was possessed by law enforcement. That's not so bad in the case of cracking a safe, because they make sure to document how they broke into the safe, and the safe and it's contents are relatively discrete entities. In this case, Apple would have to provide a custom firmware, and then that firmware is what provides the decryption. If they just had the keycode they found on a slip of paper, there'd be no question, because they would not do any alteration to the state of the phone from the moment they took it into custody. But when you alter the software to break open the phone, now you have to document strongly what you're doing so that you can prove that the things you've done to crack the phone are accurate and don't effect the data that comes out. And the standard for that is that the information about the crack would need to be disclosed to the defendant to give them an opportunity to challenge it. Even in the best case scenario, where Apple could theoretically create this thing in house, unlock this one phone, and then destroy any trace of the crack they created, all the backups, and mindwipe the knowledge out of all of their engineers, the only thing a court could ever get as an assurance is a "Apple did it and certifies that it's all on the up and up". But that's not good enough for legal scrutiny, especially when you're talking about a process that was specially created for this particular case. In order to defend it in court, the methods of the crack will necessarily have to be divulged, and if Apple were to somehow erase all that information, then the crack may well have been for naught in the case because none of the evidence derived from the crack can be used in court.
|
|
#
?
Mar 16, 2016 01:01
|
|
|
|
| # ? May 14, 2024 17:28 |
|
|
thefncrow posted:Even in the best case scenario, where Apple could theoretically create this thing in house, unlock this one phone, and then destroy any trace of the crack they created, all the backups, and mindwipe the knowledge out of all of their engineers, the only thing a court could ever get as an assurance is a "Apple did it and certifies that it's all on the up and up". But that's not good enough for legal scrutiny, especially when you're talking about a process that was specially created for this particular case. In order to defend it in court, the methods of the crack will necessarily have to be divulged, and if Apple were to somehow erase all that information, then the crack may well have been for naught in the case because none of the evidence derived from the crack can be used in court. This makes sense, but witnesses can block the disclosure of specific copyrighted material at the discretion of the court. And in this case, I think it wouldn't even be necessary since you could test that the update wasn't altering data pretty easily on a control device.
|
|
#
?
Mar 16, 2016 01:22
|
|