?

Log in

No account? Create an account
   Journal    Friends    Archive    Profile    Memories
 

Apple's fight for freedom to use encryption - morfizm


Feb. 17th, 2016 02:27 pm Apple's fight for freedom to use encryption

I applaud Apple's courage to go public about it. I am sure they're breaking some order of non-disclosure.

"But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone. ... Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government. ... And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect."

http://www.apple.com/customer-letter/

https://news.ycombinator.com/item?id=11120365



Upd.: OK, as _winnie and others pointed out, it does raise questions about Apple intent and competency of people who wrote the letter (and/or perhaps mixed with the fact that Apple can't disclose certain things). One - it exposes the fact that Apple already had a way to break into encrypted data. Two - although it may initially sound like government demands mass backdoor, it actually doesn't (yet) so there's a lot of speculation.

Regardless of what's Apple intent and interest here, I hope public opinion will interpret it as fight for freedom of encryption and will lead to more proper implementation of security in Apple products and elsewhere in IT.


Upd.: Google joins in: http://www.theverge.com/2016/2/17/11040266/google-ceo-sundar-pichai-sides-with-apple-encryption

Upd.: According to USA Today (http://www.usatoday.com/story/tech/2016/02/16/heres-why-fbi-forcing-apple-break-into-iphone-big-deal/80481766/) this isn't about encryption, but about a feature that deletes (possibly unencrypted) user data after several invalid attempts to enter pass code.

Current Mood: satisfiedsatisfied

21 comments - Leave a commentPrevious Entry Share Next Entry

Comments:

From:_winnie
Date:February 17th, 2016 10:47 pm (UTC)
(Link)
Seems suspicious:
Article states FBI asks for "backdoor" for the specific iPhone device.

If Apple can create a backdoor for this specific iPhone, then anyone with some time investment (weeks for single advanced hacker) can do for any device.

If Apple can't create a backdoor, then what this text is all about.

If Apple is asked to insert backdoor into all releases of future iOS, then this is really dangerous and worth this public complaint. But this article doesn't state this.


If Apple is asked to disable autodestruction/pause for wrong password... well, this "protection" can't stop any informed and equipped organization to disable this protection.





Edited at 2016-02-17 10:48 pm (UTC)
From:morfizm
Date:February 17th, 2016 10:50 pm (UTC)
(Link)
"to the iPhone" doesn't mean a specific iPhone device in this context, it means the iPhone [product].
From:morfizm
Date:February 17th, 2016 10:55 pm (UTC)
(Link)
"If Apple is asked to insert backdoor into all releases of future iOS, then this is really dangerous and worth this public complaint. But this article doesn't state this."

It does state exactly this.
From:_winnie
Date:February 17th, 2016 11:02 pm (UTC)
(Link)
> > "If Apple is asked to insert backdoor into all releases of future iOS, then this is really dangerous and worth this public complaint. But this article doesn't state this."
> It does state exactly this.

'The government suggests this tool could only be used once, on one phone'

1) There is no need to modify iOS for all devices to extract information from just one phone.
2) If Apple can write the tool for one device - anyone can write it for any iPhone, this contradicts with "at Apple we are deeply committed to safeguarding their data".

From:morfizm
Date:February 17th, 2016 11:09 pm (UTC)
(Link)
1) Wrong, there is. Because encryption keys are local, Apple doesn't store them. You forgot your password, you're screwed.

2) That's exactly the point they're making. They want to stop government from demanding building a backdoor, because they're deeply committed to safeguarding data.


P.S. It's not interesting for me to discuss language nitpicking, really. If the article's language is too difficult for you and causes a lot of misunderstanding, you can wait before an official translation appears on apple.com/ru or elsewhere.
From:_winnie
Date:February 17th, 2016 11:22 pm (UTC)
(Link)
> You forgot your password, you're screwed.
So, what "tool" can FBI ask Apple for? When no one can create this tool to broke into phone.
Except tool, which can exploit weak passwords, but any rich and technically advanced organization, or talented single hackers can create such tool. Existence of such a tool is not a big deal and not worth admiration/scandals/public letters/fighting.

If you have weak password, you're screwed, FBI or criminals can brutforce your password. If you have strong password backed with good cryptography no point to ask anyone for some magic tool.


This letter have contradicting statements. If the statement about specific iPhone ('The government suggests this tool could only be used once, on one phone') is removed, then logic seems sane, but the letter explicitly state that FBI asks for assistance with just one device ('The government suggests this tool could only be used once, on one phone').

> P.S. It's not interesting for me to discuss language nitpicking, really. If the article's language is too difficult for you and causes a lot of misunderstanding, you can wait before an official translation appears on apple.com/ru or elsewhere.

'The government suggests this tool could only be used once, on one phone' - what can be unclear here?



Edited at 2016-02-17 11:29 pm (UTC)
From:morfizm
Date:February 17th, 2016 11:31 pm (UTC)
(Link)
So far it looks like either you didn't read the entire article, or you didn't fully understand it.

There is no contradiction of statements.

1. Government wants backdoor for all future phones. ("...the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features,...")

2. Government says backdoors will only be used occasionally on select specific phones ("...the government suggests this tool could be only used once, on one phone...")

3. Apples calls it bullshit and doesn't want to build backdoors ("... But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. ... The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge....")
From:_winnie
Date:February 18th, 2016 12:01 am (UTC)
(Link)
Government wants backdoor for all future phones. ("...the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features,...")
"Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation"
"The investigation" seems to be specific investigation in "The San Bernardino Case" section, not all investigations in future.

If Apple can create "version of OS" which can be used to break into existing iPhones without backdoors then this means that cryptography on existing iPhones/existing iOS versions is already compromised. This means that anyone (criminals, governments) already can reach your data, so this government requirement doesn't mean or change something important.

But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices
Cryptography is quite binary subject. Such technique is impossible (or is extremely hard to make, it requires to break math, not some buggy program), even for Apple. So there is no point to ask Apple for the "technique". Or this technique is known to be possible, and this means that anyone (criminals, governments) already can reach your data.

Government wants backdoor for all future phones.
Of course, it wants. But I can't see anywhere in the letter that government asks Apple all phones in this specific case. May be you point to any specific quotation, that unambiguously states about all phones in this specific case?

The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge...."
This sounds spooky, but it depends of possibility of such a break. If it is known to be possible, where is nothing important - criminals and government already can read our messages. If it is unknown - we are safe, and no point to ask Apple for impossible.


Edited at 2016-02-18 12:12 am (UTC)
From:morfizm
Date:February 18th, 2016 12:25 am (UTC)
(Link)
> "The investigation" seems to be specific investigation in "The San Bernardino Case" section, not all investigations in future.

I think it's implied that if this request is satisfied, new requests will follow that are worse.


> Cryptography is quite binary subject. Such technique is impossible (or is extremely hard to make, it requires to break math, not some buggy program), even for Apple. So there is no point to ask Apple for the "technique". Or this technique is known to be possible, and this means that anyone (criminals, governments) already can reach your data.

That's a good point, I didn't pay attention at first. Perhaps, it's pointing to the fact that Apple already have access to user's encryption keys via Apple-signed software.

Cryptography is binary subject - true. Security overall - no. There are different... shades of gray :)


I think you didn't understand the spirit of this article. All tech companies in the U.S. want to implement true security. If any part is deliberately weakened - be sure it's a government order. Now government asked for a little more and instead of sucking it up, Apple decided it's big and strong enough to fight back. It's really great news actually, and sets a great precedent for other companies to follow, if they raise enough public support out of this.


Edited at 2016-02-18 12:25 am (UTC)
From:morfizm
Date:February 18th, 2016 12:29 am (UTC)
(Link)
> I think it's implied that if this request is satisfied, new requests will follow that are worse.

Also, keep in mind that even if Apple have satisfied tons of government requests in the past, it may be still bound with strong non-disclosure orders so it can't talk about it. I am almost sure they did break such an order this time, but they may not have enough balls to break previous orders. It's up to your personal imagination to guess what was already there and extrapolate the trend :)
From:morfizm
Date:February 18th, 2016 01:10 am (UTC)
(Link)
Updated the post.
From:morfizm
Date:February 18th, 2016 02:12 am (UTC)
(Link)
Судя по статье в usatoday, там не про encryption вообще речь, а про фичу, удаляющую (возможно-таки изначально unencrypted) данные при нескольких неправильных попытках ввода pass-code:

http://www.usatoday.com/story/tech/2016/02/16/heres-why-fbi-forcing-apple-break-into-iphone-big-deal/80481766/

Для FBI, я так понимаю, обойти это своими руками можно, но дешевле было попросить Apple. Возможно, в результате поднятого шума это им встанет дороже.
From:rezkiy
Date:February 18th, 2016 12:28 am (UTC)
(Link)
Basically they are saying that the hardware backdoor is already there, but they refused to implement the software use of it.

From:morfizm
Date:February 18th, 2016 12:30 am (UTC)
(Link)
Yes, seems like it.
From:rezkiy
Date:February 18th, 2016 12:48 am (UTC)
(Link)
... therefore I perceive this as an Apple PR campaign orchestrated with NSA or whoever. I am quite sure that this 'version of ios' as they have succinctly put it already exists and it is available to people with appropriate level of security clearance, on need-to-know basis. It does not looks like ios though. Making it into ios will be indeed dangerous because it will highly increase its usability therefore highly increase the motivation of NSA's competitor agencies to get a copy.

People who wrote the 'customer letter' are likely unaware of that.
From:morfizm
Date:February 18th, 2016 06:41 am (UTC)
(Link)
Well, Occam's razor would easily cut it: I think they just calculated it's a good time to get public support and lobby reduction of privacy/security impacting government orders. I've read some background story, there were several similar orders relatively recently, some of them with government actually *losing* in court.

How much valid and appropriate sized is the pretext, and whether or not it discloses too much (thus creating potential negative public image) - it's a separate low priority question. The move is to get support. Google's CEO supported without thinking - again, I am sure he wouldn't do it "randomly", but I guess he figured the positive momentum is in its high, and it's not Google but Apple who did it first :)


Edited at 2016-02-18 06:42 am (UTC)
From:_winnie
Date:February 18th, 2016 12:44 am (UTC)
(Link)
Or this can be interpreted as Apple already has some backdoor ( not important, in which ****ware exactly ), but does't want to share it.


(sorry for edits, it's disturbing to see most basic misspells in my own text)

Edited at 2016-02-18 12:46 am (UTC)
From:rezkiy
Date:February 18th, 2016 12:50 am (UTC)
(Link)
or that. Or there are multiple backdoors and there is ONE of them that it doesn't want to share an GUI version of xploit POC. It did share for the others though.
From:archaicos
Date:February 18th, 2016 01:51 am (UTC)
(Link)
Today's SJ Mercury newspaper described it as a request to extract data from that one device to figure out where the owner was at specific times and such. Apple appears to be overreacting. Look it up in the paper online: Judge: Apple must help U.S. hack San Bernardino killer's phone.
From:morfizm
Date:February 18th, 2016 02:00 am (UTC)
(Link)
Nevertheless, Google picked up: http://www.theverge.com/2016/2/17/11040266/google-ceo-sundar-pichai-sides-with-apple-encryption

It's possible that Apple has overreacted in this case, but it does uncover a valid long-standing issue of government overreach, mass surveillance, etc, and the role of technology companies in all that crap.
From:andreyvo
Date:February 18th, 2016 05:09 pm (UTC)
(Link)
PR
and nothing more