FBI Insists It's Not Trying To Set A Precedent, But Law Enforcement Is Drooling Over Exactly That Possibility

from the going-to-court-to-force-you-to-hack-your-customers dept

In Jim Comey’s defensive blog post over the weekend, he insisted that the FBI was absolutely not doing this to set a precedent or to do anything other than get into a single phone:

The San Bernardino litigation isn’t about trying to set a precedent or send any kind of message….

The particular legal issue is actually quite narrow. The relief we seek is limited and its value increasingly obsolete because the technology continues to evolve. We simply want the chance, with a search warrant, to try to guess the terrorist’s passcode without the phone essentially self-destructing and without it taking a decade to guess correctly. That’s it. We don’t want to break anyone’s encryption or set a master key loose on the land.

Yeah, except that’s clearly bullshit. They absolutely want the precedent, and if the FBI’s PR strategy is to now insist this precedent won’t be useful beyond this case, perhaps it should have coordinated those talking points with others in law enforcement. Because if you talk to them, they’re happy to tell everyone just how badly they want this precedent so they, too, can demand Apple build hacking tools into iPhones. Jenna McLaughlin at The Intercept has put together examples of law enforcement people practically drooling over the possibilities that will be opened up should the FBI win.

In Suffolk County, Massachusetts, district attorney?s office spokesperson Jake Wark said prosecutors ?can?t rule out? bringing their own case of a locked cellphone before a judge, too. ?It may be a question of finding the right case,? he told the Wall Street Journal.

?It?s going to have significant ramifications on us locally,? Matt Rokus, deputy chief of Wisconsin?s Eau Claire Police Department, told the city?s Leader-Telegram newspaper on Monday.

In South Dakota, Minnehaha County State?s Attorney Aaron McGowan told the Sioux Falls Argus Leader that ?the court?s ruling could have a significant impact on conducting sensitive criminal investigations.?

And then of course, there’s Cyrus Vance, the Manhattan DA who also has been quite vocal in asking for backdoors into encryption, who has admitted that he basically wants the same power the FBI is now trying to exert. And, meanwhile, Senator Richard Burr used the Apple case as a keying off point to try to push for legislation he’s been working on for a while that would effectively mandate such backdoors.

So it’s fairly difficult to believe the FBI and Director Comey when not only does everyone know he’s lying, but his friends and colleagues in law enforcement can’t even be bothered to play along with the script.

Update: Oh, and even the DOJ is off-script as well. It’s now being reported that the DOJ is currently seeking similar orders on 12 more iPhones. So, yeah, Comey’s flat out lying.

Filed Under: , , , , , , , ,
Companies: apple

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “FBI Insists It's Not Trying To Set A Precedent, But Law Enforcement Is Drooling Over Exactly That Possibility”

Subscribe: RSS Leave a comment
62 Comments
That One Guy (profile) says:

"Dangit you lot, you're supposed to wait before celebrating!"

I imagine Comey is more than a little annoyed at all the law enforcement people talking about how eager they are to start using the ‘totally not designed to set a precedent, honest’ case for their own gains before it’s actually run it’s course.

Just a little difficult to get people to buy the ‘There’s no point in focusing on what the precedent from the case might do, that’s not important right now’ argument after all when you’ve got people chomping at the bit to use that very precedent, making it very much an important consideration.

Bergman (profile) says:

Re: The Floodgates Open

What I’m curious about — suppose China, Russia, Pakistan, whichever, were to demand Apple provide them the same backdoor that the USA is demanding. And possibly not even Apple, just a hardware provider in general.

Suppose that hardware provider is also a defense contractor. The foreign country then uses the backdoor they are given to break into secure US military or government systems.

Who is guilty of espionage if that happens? Certainly the foreign government is, but is the hardware manufacturer also guilty?

And how much harm could unfettered access to top secret databases cause before the backdoor could be pulled again? This isn’t just the wet dream of law enforcement here, this has national security consequences as well.

Anonymous Coward says:

No Suprise

This is the defacto state of the US since 9/11… fear and propaganda to strip liberty at every possible opportunity.

No matter how much people bitch about it they keep voting for it. If people actually gave a shit about liberty more candidate like Rand Paul would still be in the race.

Either way, this nation is heading out the door, we are nothing like we once where. Things have been so damn peaceful and nice we are not even able to see what true evil is and plan to give every last part of this nation to that evil for political and social expedience.

Anonymous Coward says:

Not bothering to play along

[I]t’s fairly difficult to believe the FBI and Director Comey when not only does everyone know he’s lying, but his friends and colleagues in law enforcement can’t even be bothered to play along with the script.

Unfortunately, if it is hard to believe the FBI, it is also hard to believe Apple. Rather, I think that there’s a significant probability that the FBI is colluding with Apple to sell a lie to the American people.

Law enforcement, lately, has become famous for “parallel reconstruction”. Apple, though, is noted for the famous Apple “reality distortion field”.

Do we want real security — or do we want marketing hype? If the smartphone pin does not have enough entropy to prevent a brute force attack on data at rest, then there’s a non-ignorable threat to the privacy of that data at rest. Are all these people really going to try to sell me on the idea that the NSA can’t crack that phone without Apple’s help? I’m not buying it.

It seems fairly likely to me that the government already knows what’s on that phone. Now Apple and the FBI are just trying to come up with a cover story for how the government already knows what’s on the phone. Or a cover story for how the government denies it knows what’s on the phone, and must have acquired the intelligence some other way. Either way, a cover story that’ll help preserve Apple’s market position. Either way, a cover story that’ll have people buying into the lie that Apple phones protect their privacy.

Insecurity from a pin without enough entropy meets “parallel reconstruction” and “reality distortion field”. Most people can’t do the math.

But why should people who can do the math bother to play along?

kallethen says:

Re: Not bothering to play along

You’re right that a PIN doesn’t provide much entropy. But it’s on the user to choose to use a PIN or password (or an even weaker swipe pattern or nowadays there’s fingerprints).

Apple has helped to mitigate this entropy with other security features such as delays between attempts and “self-destructing” data after too many attempts. Those features reintroduce entropy into the mix by stretching out how long it takes to crack that PIN or by forcing them to give up as it becomes unrecoverable.

kallethen says:

Re: Re: Re: Not bothering to play along

The standard of “bits of entropy” means it takes longer for the encryption to be cracked.

Delays between attempts makes it longer for the encryption to be cracked.

Data self-destruction makes it longer or impossible for the data to be recovered.

At least that’s been my understanding. Where am I wrong in that? (And I ask that not out of spite, if I’m wrong, I do want to know how.)

Anonymous Coward says:

Re: Re: Re:2 Not bothering to play along

Where am I wrong in that?

You’re not thinking outside the box. (Or, in this case, the cellphone enclosure.)

Look, there’s the data to to be decrypted. That encrypted blob can be captured and preserved.

There’s the weak pin. That can be brute forced.

There’s the algorithm to derive the key from the pin and a hardware secret. That’s known. Or at least sufficiently knowable.

All that’s left is the hardware secret. You’re telling me that you can’t obtain the hardware secret from the hardware? Bullshit. If worst comes to worst, you can pull out every functional block except for the key derivation, and probe against that, not worrying about destroying the data which you preserve elsewhere.

streetlight (profile) says:

Is it possible for Apple to perfectly secure their phones?

It seems the conventional wisdom has been that no one, not even Apple, could break into one of their phone’s encrypted data. I guess that’s not the case. It may be Apple can’t guarantee such a level of security and this knowledge will one of the most important results of this episode. Perhaps the best way to prevent anyone getting at your data is to physically destroy the phone with an industrial strength shredder and/or a high temperature blow torch focused on its parts.

Anonymous Coward says:

Re: Is it possible for Apple to perfectly secure their phones?

It may be Apple can’t guarantee such a level of security

Apple cannot guarantee that you can memorize a secret that can’t be guessed.

Most people may not be willing to memorize something like:

3Ieftfy:Ti5R_fr:mY95oIo

(Just generated with 126 bit strength.)

Even if people are willing to memorize a meazly 21 characters (modified base64), they may not be willing to type it in on a smartphone keypad.

So where does that leave us? Apple could make it possible for you to carry around a secret like that on a second piece of hardware. Perhaps a micro-USB dongle. But if that hardware falls into the wrong hands, it’s still game over.

Uriel-238 (profile) says:

Re: Re: Is it possible for Apple to perfectly secure their phones?

Apple could make it possible for you to carry around a secret like that on a second piece of hardware. Perhaps a micro-USB dongle. But if that hardware falls into the wrong hands, it’s still game over.

What the iPhone does instead, is make the user key in her password on phone startup and then she can log in via thumbprint.

That’s when the fridge-logic hit me: you never want your extremity (or an eye) to be worth more than you are.

Anonymous Coward says:

Re: Re: Re: Is it possible for Apple to perfectly secure their phones?

she can log in via thumbprint.

Not the iPhone at issue in this case. It’s an older one. See Trail of Bits Blog:

The recovered iPhone is a model 5C. The iPhone 5C lacks TouchID and, therefore, lacks a Secure Enclave.

Crosscheck with the various court documents to verify model 5C. Also crosscheck with Apple docs to verify that 5C lacks TouchID.

Anonymous Coward says:

Re: Re: Is it possible for Apple to perfectly secure their phones?

Get it firmly into your mind that Apple’s code signing key is not necessary for NSA to simulate the device on different hardware.

Neither is Apple’s code signing key necessary for China, or Russia. Probably not needed for the UK, Germany nor France, as well. And who knows who else? I don’t discount Arab contributions to mathematics, although that was mainly in the midieval period, when Europe was stagnant. Oh, yeah, don’t forget India. There have been some very good Indian mathematicians, and their engineering is good enough to get to Mars these days.

Anonymous Coward says:

Re: Re: Re: Is it possible for Apple to perfectly secure their phones?

Apple have buried one part of the actual encryption key inside a special device, and that cannot be extracted from that device. The passcode is protected by a mechanism that prevents brute force attacks, limited tries with increasing delays between tries. Apple could write new code to remove that protection, but that just allows the FBI to try and brute force the passcode. If the owner of the phone is has used a long passcode, they could still be out of luck.

nasch (profile) says:

Re: Re: Re: Is it possible for Apple to perfectly secure their phones?

Get it firmly into your mind that Apple’s code signing key is not necessary for NSA to simulate the device on different hardware.

Neither is Apple’s code signing key necessary for China, or Russia. Probably not needed for the UK, Germany nor France, as well.

References for any of that?

Anonymous Coward says:

Re: Re: Re:2 Is it possible for Apple to perfectly secure their phones?

References …?

Do you have a technical degree, or equivalent experience and learning?

Sorry, but I can’t take you through a CS or EE education in a few comments. I’m not even going to try. It takes a few years of hard work to learn the basics.

If you don’t have the fundamental background, then you’re just stuck with taking things on faith here. In which case, you might as well just believe the marketdroids. The vast majority of people will anyhow. And I guess there’s safety in numbers for y’all.

Otoh, if you’re comfortable with emulation and simulation and so on, then here’s a comment from someone over at Ars. I don’t know that guy, and maybe he does what he says he does, and maybe he doesn’t. But read the comment.

Uriel-238 (profile) says:

Re: Re: Re:3 TPMs

I’m now very curious about Trusted Platform Modules, one of which is the black box with the AES key to which the FBI can’t get on its own.

I figured that on start up it checks its own flashmem and if blank creates a pseudo-random UID, and the idea is that no-one ever gets to see the UID. You just enter the user’s PIN and it creates an AES key if all other conditions are nominal.

So (and this is just a guess from an old-timer) the matter is tricking the TPM to think conditions are nominal after you drop it in an emulator…or to trick it into thinking you’re just doing some diagnostics.

That’s the thing. Computers can’t tell if you’re an Apple tech, and FBI tech or a black hat, which is why I expect any given TPM design will only be secure for a limited amount of time before someone hacks it.

Uriel-238 (profile) says:

Re: Re: Re:7 TPMs

Soo…doable but expensive.

Which is usually considered an acceptable level of security.

Though this guy was inventing the process as he went, so it raises the question of how slow it will be with a functional process.

Still, it gives us hope that we can have difficult-to-unlock data storage where even the manufacturers can’t bust in.

But I think an actual going dark would be a benefit to society.

Uriel-238 (profile) says:

Re: Re: Re:9 TPMs

True. Generally, for us ordinary shlubs, we want it to be difficult enough for the police or the Chinese hacker army to get our data that they won’t bother for a meager fishing exhibitions. Maybe we want it tough enough to stop the district attorney on a bender.

If you’re not an ordinary shlub, say a VIP or a terrorist, then your data is worth more, and agencies / hackers might be more inclined to go the extra mile.

The problem is when robust security becomes easy to crack, due to an exploit or a new technique… which is exactly what Apple is trying to prevent by refusing to cooperate with the FBI.

If we can’t live in a society in which justice prevails, I think we at least want consistency.

Uriel-238 (profile) says:

Re: Re: Re:11 Misstating the state of the art

Maybe, but I was referring to their refusal to write signed code to bypass their security features.

Apple can cooperate with the FBI in one way, and refuse to cooperate in another way without it being inconsistent.

I may agree with Hitler that every family should be able to afford an automobile, yet disagree with him that some people are unworthy of living and should be massacred.

Anonymous Coward says:

Re: Re: Re:12 Misstating the state of the art

Apple can cooperate with the FBI in one way, and refuse to cooperate in another way without it being inconsistent.

In general, sure. But, given the specific situation at hand, no.

If Apple really doesn’t want to write and sign code for the government’s hack in this case, then it would further that interest to point out that the government doesn’t require Apple’s assistance to obtain the decrypt.

Uriel-238 (profile) says:

Re: Re: Re:13 [Apple could] point out that the government doesn't require Apple's assistance to obtain the decrypt.

Doing so would reveal that the agency is being pretty dense.

I am not privy to all of Apple’s motivations nor how conscious the company is being. I do know it has neither moral obligation nor community-related cause to give FBI any help.

Rather, Apple has plenty of reasons to avoid helping the FBI in any way (or US law enforcement in general), except when it is forced by law and gunpoint to do so.

Anonymous Coward says:

Re: Re: Re:14 [Apple could] point out that the government doesn't require Apple's assistance to obtain the decrypt.

I do know it has neither moral obligation nor community-related cause to give FBI any help.

That’s an awfully broad statement: “any”.

Let me narrow it: Apple has no moral obligation to tell the American people that if they choose a pin from a pinspace with insufficient entropy, that Apple has the power to protect their secret anyway. Apple, as a corporate citizen, has no moral obligation to lie about the state of the art in reverse engineering, nor to lie to people about mathematics.

If the pin is too short, and the hardware falls into the hands of a major nation-state adversary, it’s game over.

Uriel-238 (profile) says:

Re: Re: Re:15 ...if they choose a pin with insufficient entropy...

Ah, but Apple has motivation to stay in good standing with its customer base, not that this has slowed them down (or other companies, for that matter) when they can’t help but choose a jackassier course.

I’m not sure if password hygiene is common enough smartphone protocol that Apple should need to advise those who are likely targets.

My experience since 2013 has been that few people really care that much about being surveilled by the NSA (or by the FBI for that matter) and don’t care enough to concern themselves with encrypting their phones unless they have vested interests in their secrets (such as with a business phone, or paranoids like myself who think state-subversive thoughts).

It took a while to get people aware that they had things to hide. It took them a while to realize that they can, even if not doing anything criminal, can still wind up victims of Law Enforcement.

So the folks in Apple have to guess at what is publicly apt as well as what is good for them as a company.

nasch (profile) says:

Re: Re: Re:3 Is it possible for Apple to perfectly secure their phones?

Do you have a technical degree, or equivalent experience and learning?

Yes.

Otoh, if you’re comfortable with emulation and simulation and so on, then here’s a comment from someone over at Ars.

I don’t do hardware so I didn’t totally follow everything, but interesting. And reading the article and some of the other comments gives a clearer picture of what’s going on (for me at least).

Anonymous Coward says:

Re: Re: Re:4 Is it possible for Apple to perfectly secure their phones?

I don’t do hardware

But you’re comfortable with emulating a machine’s instruction set on another machine? (which perhaps has a completely different instruction set)?

Then too, you understand that a simulation of one machine is not necessarily an exact emulation of that machine? So that if one machine has a check for signed code, a simulation might leave that check out?

nasch (profile) says:

Re: Re: Re:5 Is it possible for Apple to perfectly secure their phones?

But you’re comfortable with emulating a machine’s instruction set on another machine? (which perhaps has a completely different instruction set)?

The difficulty in this case is not making or using an emulator, it’s in getting the secret out of the target device.

Anonymous Coward says:

Re: Re: Re:6 Is it possible for Apple to perfectly secure their phones?

The target in this case is an “Apple make: iPhone 5C, Model: A1532, P/N: MGFG2LL/A”.

iOS Security Guide, p.7

The Secure Enclave is a coprocessor fabricated in the Apple A7 or later A-series processor.

The target device has an A6, and thus, no “Secure Enclave”.

Anonymous Anonymous Coward says:

Not Destroyed, Data Recovered

I was surprised to learn from an article yesterday on http://www.emptywheel.net which referenced another article on Slate also by Marcy Wheeler that the personal phones may not in fact have been destroyed and that statements by Comey suggest they have all the data from them.

Since they apparently attempted to destroy those phones and not the one owned by SBC, THEY thought those had all the stuff they wanted to hide on them, and not this one. The logical conclusion from that information is that yes, Comey wants a precedent and does not actually expect to learn anything from breaking into this phone. Being allowed to get into this phone then allows them to get into, well, any phone with like issues.

Anonymous Coward says:

Can you imagine what sort of rights citizens would have if there was no 2nd amendment.

I look at how law enforcement treats the rights of it’s citizens with open contempt. care almost nothing about the laws they enforce but constantly break themselves.

That’s third world country stuff right there. If there was no chance at all law abiding citizens could be armed I think things would be worse than soviet style russia for the average american.

Wothe (profile) says:

Moot Point

I would think the FBI would select a better target device for this charade. The perps are dead. The perps took great pains to destroy their personal tech devices.

We all know “metadata” is there for the FBI’s taking — they already know who they communicated with –even on the destroyed devices.

What could possibly be in existence *only* on that employer-owned device that could be useful?

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...