Apple/FBI thing backdoor practical discussion

     
2:05 pm on Feb 24, 2016 (gmt 0)

Junior Member

5+ Year Member

joined:Jan 18, 2008
posts: 100
votes: 0


I'm not an Apple user, but my understanding of the situation is that Apple encrypts iPhone data using a passcode or fingerprint. Then if someone tries to unlock the phone 10 times it erases all personal data. First of all, that seems really scary. That gives anyone with someone's iPhone the ability to wipe their phone even if they don't have the password. But anyway, on to the actual point of this thread... If their data is ACTUALLY encrypted with a passcode, it doesn't matter what software Apple installs on the phone, you'd still need the original passcode to decrypt it, right? The only thing I can think is that Apple could install something that would override the 10 try lockout and allow a brute force attack. If there is some other method people can think of, I'm interested to hear it.

The practical application is in regard to encrypted data in a database for a website. The safest option is to encrypt it with a password only the end user knows. That way even the db admins, or anyone who might physically steal the server, couldn't get access (short of a brute force attack). But if the user forgets their password there is no way to retrieve the data.

The next option (as far as I'm aware) is to have a global passcode that is "as secure as possible," which is separate from a user's login password. That way if they forget their login password, it can be reset without losing the data. This is less secure because anyone with access to that passcode has access to everyone's data.

Since Apple claims they absolutely can't retrieve the data, it sounds like their system is most like the first scenario. So I don't see how they could even do anything that would grant the FBI the data.
3:41 pm on Feb 24, 2016 (gmt 0)

Administrator from US 

not2easy (WebmasterWorld Administrator)

joined:Dec 27, 2006
posts:2761
votes: 64


It is more like a combination of the two scenarios. The account ID has a password and there is a second 'PIN' password set by the end user that Apple does not have. A third "key" can be the user's fingerprint. Wiping the device is not necessarily permanent because you can privately store a backup copy; the data is only wiped locally. You would need the account ID and the PIN and most likely a backup key to access that data.

Apple encourages users to use a fingerprint ID along with their personal key. Apple can't access the data without the user's keys.
11:01 pm on Feb 24, 2016 (gmt 0)

Moderator This Forum from US 

travelin_cat (WebmasterWorld Administrator)

joined:Feb 28, 2004
posts: 3163
votes: 5


Apple is now working on an iPhone even they can’t hack:

[nytimes.com...]
12:15 am on Feb 25, 2016 (gmt 0)

Administrator from JP 

bill (WebmasterWorld Administrator)

joined:Oct 12, 2000
posts:14786
votes: 86


It's hard to brute force a device that securely wipes itself after a certain number of tries. They're lobbying for removal of this 'security feature', not to break the encryption. This seems like an obvious political ploy to gain precedent to do this on a larger scale. It's doubtful there's anything valuable on this actual phone as they have older iCloud backups to play with. This is a smart way for them to garner public support to do this in a way that doesn't make them look like privacy violators the way that asking for a backdoor to encryption does.

Apple's 4 digit pass-code is to blame here. It's eminently brute-forceable in a reasonable amount of time. Their band-aid has been this OS controlled 'feature' that limits the number of attempts. Although clever, it's their Achilles heel in this case, as it's possible to override this by altering the OS. Going forward, they have little choice but to make this impossible. The problem will be whether they can make something that is still usable for the public.
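
The point made in the post above (a short passcode protected mainly by an OS-level attempt policy), as an added example that is not part of the thread and not Apple's code. It is a constructed model: the 80 ms key-derivation cost, the delay schedule and the names `Device`, `exhaust` and `worst_case_hours` are assumptions.

```python
import hashlib
import hmac
import os

KDF_MS = 80       # assumed cost of one passcode-to-key derivation, in ms
WIPE_AFTER = 10   # erase-after-10-failures setting discussed in the thread
# Hypothetical escalating delays (seconds), keyed by failed-attempt count.
OS_DELAYS = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}

def derive_key(passcode, salt, iterations=1000):
    # Iteration count is scaled down so the demo finishes quickly.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations)

class Device:
    """Constructed model: the KDF is fixed, the attempt policy is OS software."""

    def __init__(self, passcode, enforce_policy=True):
        self.salt = os.urandom(16)
        self.key = derive_key(passcode, self.salt)
        self.enforce_policy = enforce_policy
        self.failed = 0
        self.waited = 0   # seconds of OS-imposed delay accumulated

    def try_unlock(self, guess):
        if self.key is None:
            return False                  # already wiped
        if hmac.compare_digest(derive_key(guess, self.salt), self.key):
            return True
        self.failed += 1
        if self.enforce_policy:
            self.waited += OS_DELAYS.get(self.failed, 0)
            if self.failed >= WIPE_AFTER:
                self.key = None           # key material destroyed
        return False

def exhaust(device, digits=4):
    """Try every passcode in order; return (found, guesses_made)."""
    for n in range(10 ** digits):
        if device.key is None:
            return False, n
        if device.try_unlock(f"{n:0{digits}d}"):
            return True, n + 1
    return False, 10 ** digits

def worst_case_hours(keyspace, kdf_ms=KDF_MS):
    """Time to try the whole keyspace when only the KDF cost remains."""
    return keyspace * kdf_ms / 1000 / 3600
```

With the policy enforced, the search stops at the tenth failure; with it disabled, only the per-guess derivation cost is left. Under the assumed 80 ms that is roughly 13 minutes for 4 digits and about 22 hours for 6 digits, which is why passcode length matters once the policy cannot be relied on.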
3:13 am on Feb 25, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:July 29, 2007
posts:1739
votes: 80


Let's get real, there is no mystical data that is only available locked up inside the iPhone that isn't available in other places. I thought we learned from the NSA's hack of Google? We're talking about privacy vs the illusion of privacy here.

Why would the FBI be butting heads with Apple when they likely know what's in the phone?
4:53 am on Feb 25, 2016 (gmt 0)

Administrator from US 

not2easy (WebmasterWorld Administrator)

joined:Dec 27, 2006
posts:2761
votes: 64


The phone wiping is not a default setting; it would need to have been set by the user. They would not likely set the phone to wipe all data unless there were a backup. The backups need the account ID and password and the PIN passcode to access encrypted data. Apple does not have the PIN, which can be reset by the user any time.

IF the phone was connected to a computer and accessed via iTunes all the contacts, notes, files and settings could be accessed - but they would need the iTunes login and the PIN. If it has not been set to wipe on failed attempts, it could be cracked. They should be talking to the person who owns the iPhone, not Apple.
11:04 am on Feb 25, 2016 (gmt 0)

Administrator from JP 

bill (WebmasterWorld Administrator)

joined:Oct 12, 2000
posts:14786
votes: 86


I'm not currently an iOS user so I'm not familiar with the defaults. When I did have an iPhone there was an option (think it was an option) to increase the times between guessing if you entered the password incorrectly more than once. That would also prove to make brute-forcing a phone's password quite difficult. This would also be something that the OS controls, not the hardware (there is a separate hardware controlled delay that the FBI can't ask Apple to remove). I recall having this activated and password guesses could make you wait about an hour before trying again after a certain amount of tries. I've heard talk that they're trying to remove this as well.
7:15 pm on Feb 25, 2016 (gmt 0)

Administrator from US 

not2easy (WebmasterWorld Administrator)

joined:Dec 27, 2006
posts:2761
votes: 64


I was passing through the Apple site today to check post-holiday refurbs and noticed a link down in the corner [apple.com...] The article/letter covers Apple's POV and it paints quite a different picture. They have complied with all subpoenas and even offered their engineers to help in this specific case. It also explains the difference in this case:

A Dangerous Precedent

Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority.

The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.

It explains their refusal pretty clearly.
8:10 pm on Feb 25, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:July 29, 2007
posts:1739
votes: 80


You and I need to enter a password to use it and if a person gets the password wrong things might get wiped but that has never stopped an update from installing itself which TELLS you that the phone is NOT secure. Again, why are we even discussing as if the FBI doesn't already know what's in the phone? They want to officially have it unlocked so they can actually use what they know is in there. If it's not "officially" unlocked then the illusion of privacy would be shattered when they bring up some of the things that are supposed to be private.

Like a good lawyer the FBI only asks for things when they already know what they will get.
3:31 am on Feb 28, 2016 (gmt 0)

New User

joined:May 29, 2014
posts:10
votes: 0


This specific case of the FBI vs. Apple is simply the battle the federal government has picked to finally launch their war against all digital privacy in the USA.

For the last few years, both the Directors of the FBI and National Intelligence have been barnstorming the country, both in public and in private with the tech companies, insisting that law enforcement in this nation MUST have backdoor access to encryption as a matter of national, state, and local security and law enforcement. But instead of seeing both the public and the tech companies meekly or pseudo-patriotically comply with its demands, more of the public and virtually all the tech companies are separating themselves from the government on the issue and, indeed, going in the opposite, American constitutional direction to even more private (read stronger) encryption technology.

So, the law finally decided to force the issue legally, and what better case to do it with than an open and shut terrorism case?

If the feds can win this battle by having the Court force Apple to even attempt to backdoor both the 10 password attempts and pause between password entry (thereby allowing the FBI to then try all the brute force they want, no matter how long it takes them), then they will have succeeded in setting a legal digital precedent for the government to really start exercising its anti-encryption will over every private corporation and company in America.

Others have already mentioned what many already believe: the federal government almost certainly already has all the meta from that phone, which - if, in fact, true - simply proves that this particular battle with Apple serves as the first significant shot of the digital privacy war against private corporations and companies the feds have now decided to wage.

Legislation in both the Senate and the House, both pro- and anti-encryption, is currently circulating; the Executive has simply decided it wants a very, very public ruling from the Judiciary most favorable to its draconian intent first.

Think about the now-here future of the Internet of Things and how all the info it utilizes must be encrypted to maintain any semblance of privacy for users - and then think about backdoor access to it all, allowing not only the federal government entry, but any other entity that has the talent to work its way in, too.

Surely we've traded-off enough of our constitutionally protected privacy by now in exchange for all the "security" they've been selling us, right? Or, are we really going to surrender it all to the police state which is already enveloping us?
5:25 am on Feb 28, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:July 29, 2007
posts:1739
votes: 80


Aherman, the privacy is already gone! They now want to be able to openly use info they collect without someone saying "how did you know that?" in court. If they receive the right to unlock at will they no longer need to reveal how they gather data. We're talking about the same FBI that openly taught police how to lie to judges about their use of "stingers" to trick cell phones, Google it.
11:07 am on Feb 28, 2016 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Sept 12, 2014
posts:323
votes: 48


A local police chief got fired for using a stinger to listen in on teenage girls' phone conversations, and this is a tiny little town.