[Cryptography] Hope Apple Fights This!

Kevin W. Wall kevin.w.wall at gmail.com
Wed Feb 17 21:34:52 EST 2016


On Wed, Feb 17, 2016 at 6:31 PM, Tom Mitchell <mitch at niftyegg.com> wrote:
>
> On Tue, Feb 16, 2016 at 8:28 PM, Aram Perez <aramperez at mac.com> wrote:
>>
>> "A federal judge has ordered Apple to help the government unlock the iPhone
>
> .....
>>
>> does not ask Apple to break the phone’s encryption but rather to disable
>> the feature that wipes the data on the phone after 10 incorrect tries at
>> entering a password."
>
> ......
>>
>> This will set a dangerous precedent along a very slippery road.
>
>
> This is a court order no different from other orders in many regards.
>
> If Apple is able and complies with this one order then there is proof of the
> capability and any court order from any court domestic or international has
> proof that the action is possible and can thus demand the service.
>
> This is not one court order or one phone.  This is the first phone.
> There is no way Apple can address this single court order as special
> and contain the service to this one writ.

Yeah, agree 100%, but it's scary that of all the newscasts I've seen,
the sentiment seems to be running the other way.

> Divorce actions looking for proof of dalliance, any law enforcement agency
> can demand the service.   A business will crop up for machines to automate
> the input of the keys.
>
> This is not a domestic issue.  Once demonstrated in this court any court
> domestic or international can make such a demand.   France, Germany,
> China, Iran, Cuba... the list is longer than the list of nations in the UN.
> The requests would not be limited to national security (no law to this end)
> thus divorce, health care provider snooping, companies worried about
> corporate secrets.

Right; the development burden is almost all upfront costs, other than
tweaking some parameters to ensure it only operates on a specific device
and re-signing the new update with Apple's private keys.

And if we get that far, it won't be long until Comey has the FBI issue
an NSL to Apple demanding they generalize it so that they don't need to
be "delayed" when doing manhunts for terrorists, child pornographers,
kidnappers, <insert-your-favorite-evil-group-here>.

> Border crossings manned by the likes of the TSA can mandate via regulation
> a special software version at the gate.
>
> Apple has a lot at stake.  Apple Pay and iTunes transfer a lot of value
> enough money that the Apple system is likely fully covered by
> The Computer Fraud and Abuse Act (CFAA) to a degree that the Writ
> may prove to be illegal.

Let us hope so, although given that the judge went along with this in
the first place seems to imply that the FBI has found someone sympathetic
to their cause.

> The fact that phones authorize payments
> is a big deal and done badly risks financial chaos.  As large as Apple
> is the liability of a breach is larger.

Indeed, I pretty much see this whole loss of business as Apple's only
feasible approach. Because if they just say "we can't do this because it
will cost us $X million", the USG will just toss them the $X to pay for
the costs (or if they can't legally do that, they will find some other
way to get around it).

>
> This individual phone is a lot like a customer hosted at an ISP or Cloud
> storage provider.
> One defense for a computer system  is login code that protects from denial
> of service attacks as well as brute force password attacks.   In the
> US one cannot be compelled to divulge something you know but
> the ISP in the same way this writ requires can be compelled to disable
> the attack deflecting tools to allow a brute force attack of an account
> that contains an encrypted home directory or virtual machine (effectively
> all).
>
> The reality that foreign nations will line up to avail themselves of this
> service should stop this public action with a national security letter by
> Monday.
>
> One analogy is to ask a company to engineer a virus to kill a single pig or
> cow.  A lethal virus that escapes into the wild could cause agricultural
> collapse.  Note the problem with bananas being infected and dying ...
> happening now.  Worry about changes in the Ebola virus... only a fool would
> demand to have Ebola weaponized with a court order.   It could be done but
> legal... no.

If Donald Chump were elected, I could see him trying that if he couldn't
get his way in some other manner. But I digress.

> To my mind this is so ill thought out that someone should consider if it is
> being promoted by an agent of a hostile nation or provocateur.  All those
> involved in asking need to have their financial, private paper and digital
> data public and private gathered, secured and inspected.

I thought the timing of it was rather suspect. Does anyone know where the
present SCOTUS comes down on the 4th amendment rights? I know that Scalia
was very outspoken in supporting the 4th amendment.

> This is a big deal.  Not just for Apple but for global stability.

If this were just about getting access to THIS PARTICULAR phone, does
anyone believe that the NSA TAO couldn't do it, even if it meant
surreptitiously stealing Apple's current source code and signing key(s)?
But if they did that, it wouldn't set any sort of a precedent, which
is what Comey is really trying to force.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.

