After months of work, the FBI finally has a way into the San Bernardino iPhone. In a court filing today, prosecutors told the court the new method for breaking into the phone is sound, and Apple’s assistance is no longer required. “The government has now successfully accessed the data stored on Farook’s iPhone,” the filing reads, “and therefore no longer requires assistance from Apple.” The filing provides no further details on the nature of the new method. Still, the result effectively finishes the court fight that has consumed Apple since February.
This is one of the strangest cases in technology I’ve seen in a long time.
Hunch: the FBI realised it would never win the case, and got out when it still could.
What they really wanted was to set a precedent where American tech companies would have to respond to court orders to decrypt, thereby formally setting precedent for legal and mandatory back doors into devices and information. Fortunately, the FBI was quietly convinced that would be a death knell for any remaining trust people had in American technology companies. So relax everybody, they don’t have the key to the front door.
Unfotunately, they are now convinced (and compelled) to use back doors or Windows with impunity. So even though they decided the collateral damage wasn’t worth it, this really doesn’t change a thing. Realistically, every outcome to this was bad. Fortunately, this is the least bad option for the short term.
Why relax? if this is true, it means they only will wait for the next opportunity to try again. Or push for legislation which will help them with the next similar case.
I intended that part of the comment to come off as tongue-in-cheek. The truth is, this whole scenario is bad and is bound to get worse. The only silver lining, as I said (and this part I meant seriously), is that this is the least bad outcome to this opening round.
“The truth is, this whole scenario is bad”. Was bad -how long ago, now we know for sure-. This was essentially a Military&Corporative Consortium Party.
Even if Law-Enforcement is fighting for his own Address-Space, complete Digital Environment is pivoting now.
We Users|Consumers -for the first time- are invited to the conversation. And we should not desist on learning of the needs of every part at stake [worldwide]. Weather will clear and new horizons will be seen
This was just one battle. The war’s not over. The next time, they’ll just go after a company that is either smaller or more favorably disposed towards compliance. It is far, far from over.
So, they’re going to wait until they can use the All Writs act against a company with a smaller, less-resourceful legal team where they have a better chance of winning, so they can set a precedent.
The only remotely surprising event in this whole case was the fact that Apple actually fought the subpoena. Companies almost never fight subpoenas – its almost always a lose-lose. Hell, even Apple historically doesn’t. They have complied with lots of subpoenas in the past.
I agree with the general notion that the government was going after precedent, but I do not believe it was calculated from the onset. They fully expected Apple to simply comply, why would they expect anything different? Sure, after they realized Apple was going to fight them on it they were good and ready to try and make an example out of them, but at the end of the day all they wanted was the data on the phone. They ended up getting the data on the phone, so no point getting roughed up in the court of public opinion when there was no need anymore.
Just saying, there is no grand plan to set precedent, and there is no other smaller company to even try this with. Apple is fairly unique by virtue of their resources, the level of sophistication of their security implementation, and their messaging to customers claiming to be unable to access their device data even if they wanted to. They fought the government mostly because they had to – they have talked so much shit about how much they care about customer privacy they had to fight just to save face.
But put a different company into the same situation and there are only 2 likely outcomes:
1. The government wouldn’t need their help – the security would be easily defeated. Android? Something like 95% of all Android devices aren’t even encrypted to begin with, and of the ones that are few are configured to wipe data on repetitive failed access attempts. Apple’s stats on this are basically the exact opposite. Android can be made secure – but in practice it simply isn’t. Most devices can be accessed with little effort (relatively speaking – we are talking about the FBI).
2. The company would roll over the minute they got served.
Businesses don’t exist to challenge FBI’s authority, they exist to make money. Selling stuff makes money, going to court with the federal government doesn’t (and often has exactly the opposite effect).
If there is a precedent setting case involving the use of the All Writs act to compel a tech sector company to assist in a similar manner in the future, the company in question will almost certainly be Apple. Microsoft would trip over themselves complying, and I suspect Google would grumble a bit but would comply as long as the government agrees to keep it quiet (which is the norm anyway).
Apple is the only company with any reason to fight, the resources and gumption to actually do so, and a security system sophisticated enough and widely adopted enough for the government to have to go to extremes to contend with.
You say “Businesses […] exist to make money. Selling stuff makes money”. Well, Apple makes security a big issue and a selling point for their phones. They had to defend it.
Yes. That was kind of my point. Few other companies have publicly gone out that far on the limb… Most talk a good talk but would have just given the government the help they wanted as long as it was kept quiet.
Imagine how any smart phones Apple will sell, now that they not only are seen to have a secure design, but are seen to be willing to fight so hard to protect it.
I mean, a couple of weeks ago when I picked up a new phone, I found myself considering an iPhone, despite having only recently dove into the Android ecosystem from Windows (And having just spent a bit on Android versions of the same or similar apps).
I didn’t consider it for very long, but it was the first time I seriously considered an iPhone, and this is is coming from a person that, for a short time, excitedly used a jail broken iPod Touch as a tiny, dedicated, *nix box.
But, you are right. Setting a precedent wasn’t their goal from the outset, but avoiding setting a precedent is absolutely why they withdrew the lawsuit.
I can’t wait for all the 99% redacted FOIA requests in the future that fail to show the information on the phone was useless, but without the accompanying press releases that would show the information was useful (Because, if it was useful, they’d tell everybody they could).
Because, Farook and Malik had enough of a sense of OpSec to destroy their own phones, AND destroy their own hard drives – I really, really doubt Farook used his work-issued phone for anything related to the attack.
After hearing the news Apple immediately forwarded an application for the Trademark of the name iBreak!
Oh please! The government has always had access to whatever devices it wants because, first of all, security is nothing but an illusion (and never has been anything but.) Secondly, its lawsuit against Apple was little more than public theater to “show” how tech giants weren’t helping fight terrorism. The U.S. government was hoping to simply show how it is a bright white noble knight out for the best interests of the people while tech giants are big baddies aiding and abetting terrorism. Really?!? Too bad Apple called its bluff! Does the government really think that intelligent people are that naive?
Does the government really think that intelligent people are that naive?
That’s the problem, does the government of any country think at all?
It would seem not most of the time!
cmost,
Those of us with a cryptographic background knew this from the beginning, there’s just no way that apple’s own engineers didn’t know this too. Apple has been very deceptive about their crypto in order to protect it’s brand, but in doing so they’re lulling their own customers into a false sense of security.
Apple needs to come clean and inform it’s users that there’s barely any mathematically backed cryptographic security when used with low entropy pin codes. 4-8 digit pins is a joke.
They need to come clean and inform their users that while hardware restrictions can impede certain software attacks, they don’t offer any of the mathematical guaranties associated with real cryptography. Hardware/firmware CAN be reverse engineered (for the right price) and WHEN it is the only thing that could protect the encrypted data is a high entropy pin/password.
Apple needs to come clean and concede they exaggerated, they can in fact remove security on their devices if they want to. This is the whole basis for the FBI knocking on their door in the first place.
Fighting for civil liberties in court is well and good, but if apple willfully neglect to educate their users on the privacy risks/weaknesses of their devices, then apple deserves some of the blame when the security on those devices ends up getting broken.
Edited 2016-03-30 03:13 UTC
An iPhone is demonstrably more secure by default than an EMV card is – and the banks fought for years to even get those adopted here because the public was perfectly happy with a mag stripe anyone could clone is 2 seconds and a 4 digit pin code (which conveniently is rarely needed). No amount of telling them how insecure mag stripe cards were made any difference…
I’m sorry, but Apple isn’t the problem – the public is. Your complaining about the wrong party.
galvanash,
Are you sure? For years I’ve been searching in vein for banks that took security more seriously, they were the ones ignoring customers like myself. Customers willing and eager to embrace better technology while they collectively dragged their feet. I still haven’t found a bank that will issue an online security fob to normal consumers like myself. Technology is available but they refuse to adapt.
I suspect it’s more profitable to keep things broken. The credit cards industry shifts liability for fraud away from themselves on onto the merchants. Merchants are required to pay expensive fees every year for compulsory PCI DDS compliance to compensate for the inherent idiocy of attaching value to static credit card numbers. On top of that when there is fraud, the merchants are liable for covering the amount stolen, and additionally they still have to pay CC company profits for fraudulent transactions. This is absolutely insane! Without incentives to combat credit card fraud, it’s no wonder things aren’t getting fixed.
This state of insecurity over the course of decades stirs up quite a bit of anger in me, we all end up paying for this one way or another.
If the credit card companies were held liable for fraud, it would be a sure bet that they would suddenly start adopting the secure technologies that would empower us to prevent it.
Regarding your conversation about the 4-6 digit PINs, you might want to understand the complete system before you bash it. The 4-6 digits is to allow the card holder to retain the PIN in their memory without having to write it down on the card itself (which was a MAJOR issue when ATM cards were first issued). The security actually comes on the backend where the processor will typically mark the card as “hot” and now allow any further transactions on the card until the bank investigates and marks the card as “good” when the bad PIN limit has been reached. Typically the limit is 3 bad PINs before the card is marked.
dekernel,
I get it, it’s the something you have plus something you know principle. Just to be clear I bashed the low entropy pin in the context of cryptographic security.
With credit cards what is most disappointing is the continued reliance on static information. The magstrip, EMV, and even what’s printed will leak authentication information, that’s not very secure and as long as this is the case, we will remain vulnerable to “skimming”, which can even compromise the user’s pin at modified terminals.
Edited 2016-03-30 19:29 UTC
4-8 digit pins may be joke, but is secure enough for what most people need, for example a deterrent for the occasional pick-pocketer. Those people are more worried they may forget their own pin and get locked-out of their own phone.
Still, more security conscious ones have the ability to set strong passwords from the same interface, so they can have reasonable security.
Uhmmm…. Why is it Apple’s job to educate the users? If the user can’t think, well… Then it’s not Apple’s fault. In wich country are users that mindless and lazy, that they can’t take blame on their own shoulders? Need privacy? Do it you’r self. Use the brain.
If you fall off the cliff, then it is not exactly the states fault is it? You had to go to the edge. There is action and there is consequence. And there is nothing we have to do. You don’t need to have sequrity, and the outcome is the consequence. If you don’t like it, then get sequrity. Were I am going with this? Well… Apple do not need to educate or implement sequrity do they? In return they do not need to educate on it. If you fail to know anything about the devices sequrity. Then the consequence could be negative. It’s all up to you or anyone else, on how to use a product. Dry the kitten in the micro? You’r deal with the consequence, as you did it. Not the one that made the micro. Making popcorn in the micro, the consequence is nice warm popcorn. Action + consequence.
Nope….. Apple should not educate. People need to start learning on their own, instead of being mindless children, that are easy to offend. Does not suit an adult at all.
brostenen,
That’s an odd example. With a bit more context yes, it could absolutely be negligent on the part of the state. For example, a state park might have paved trails open to bicyclists, one might lead abruptly off a cliff with no barriers or warning, leading to tragic accidents. One would need to be a sociopath to not accept some level of state responsibility, like a fence at the end of the trail or at the very least a warning sign to make sure people are aware of the danger before they reach it.
I didn’t choose this cliff analogy, but to see it through to completion: apple isn’t merely omitting the warning sign, they’re actively telling people that the danger isn’t there, which is wrong.
Edit: Putting this aside, would you agree in principal that vendors shouldn’t make misleading statements to customers?
Edited 2016-03-30 10:56 UTC
@thom
FBI would have won the case in the court hands down.
Shortly, this is about “nobody reads my files/conversation DOT” (that is geeks and Apple) versus “nobody reads my files/conversation without a warrant from a court” (that is always has been in real world).
Edited 2016-03-30 07:00 UTC
Apple saw themselves losing the case and the fallout would have hit their sales Hard (especially in China). So they helped out the FBI (via an independent security firm). FBI are happy, Apple remain the guardians of our freedom. Win-Win.
Apple knows they need to keep perception of security if they are going to crack the government contracts that are oh so lucrative. Post-snowdon it was already an uphill struggle. With FBI access, it would have been dead as a market.
IMHO, which no one here will agree with, is that you can let the feds in the front door that’s heavily monitored and regulated, or you can let them in the backdoor that no one knows about, nor do they know when or how that happens.
Looks like Apple shut the front door on them, so they had to find the back. Not a great outcome. The FBI, now knows how to hack these model iphones, and no one else does. They’re not going to release the security vulnerability, because its their only way in. If Apple had just done it for them. Then if FBI had stumbled on this vuln, they would have released it.
And you don’t think they would have been “encouraged” to remain silent? Please. You do understand which government you’re talking about, right?
[/SmallVoice] an alpaca at eleven.
The FBI had a very good case but handled it poorly.
First there is always a question of security when a device falls out of the hands of the original user.
Second in principle this is no different from a warrant being served on a bank or hotel with the police asking to give them the key to ta safe deposit box … or hotel room …or other thing they need access to.
Third the warrant was entirely valid, there was no question of innocence or guilt.
What I think happened is that the FBI bungled it by overreaching such as asking every bank or hotel to give it the same master key. Apple and others honestly said if we do this every other government will want it.
The “government” hasn’t given up on WhatsApp and that is where where what I feel the real battle will take place. Looking backward RSA had a number of patents issued in Switzerland to avoid US regulation.
Fifth, there were always several alternative suggestions floating around on how it could crack the iphone in question.
Question for the future, what happens if Quantum Computing becomes feasible for the NSA? I’ve read a few things on AES being secure for a while even with quantum computers although RSA is just one encryption scheme I don’t see encryption as being that hard of a problem for the average programmer to implement on a DIY basis so backdoors are inherently going to be doubtful except for the unsophisticated user who probably is using 1111 abcd or something similar as his or her password.
I personally sided with the FBI on this one due to the nature of the crime committed but I think they overreached and handled it poorly. I also think they invited Apple to engage in this legal argument which in a way undercut the government position. Next time they won’t invite a large company and will go after an easier target with lesser legal capacity behind it to put up a fight.