How Apple Could Lose By Winning: The DOJ's Next Move Could Be Worse

from the we-can-do-this-the-easy-way-or-the-hard-way dept

Since the conflict over smartphone security, long simmering between Apple and the FBI, burst into the headlines last month, many of us who advocate for strong encryption have watched the competing legal arguments advanced by the parties with a certain queasiness. Many of the arguments on Apple’s side (whether offered by the company itself or the myriad groups who have weighed in with friend-of-the-court briefs) have turned critically on the government’s unprecedented invocation of the hoary All Writs Act to compel the company to write and authenticate a novel piece of software, effectively dragooning Apple engineers into government service.

But there has always been an obvious alternative, a way to achieve the FBI’s aim of circumventing iPhone security features without requiring any Apple employees to write a line of new code: the Lavabit Option.

That is, instead of asking Apple to create a hacking tool that would permit the FBI to attempt to brute-force a phone’s passcode without triggering escalating delays between guesses or deletion of encrypted data, the government could simply demand that Apple turn over the source code and documentation the FBI would need to develop its own custom version of the iOS boot ROM, sans security features. Then it would require Apple either to cryptographically sign that code or to provide the government with access to its developer credentials, so that the FBiOS can run on an iPhone.

That hypothetical possibility is raised explicitly by the Justice Department in a footnote to its most recent motion in its ongoing litigation with Apple, which explains that the FBI had not gone that route because it “believed such a request would be less palatable to Apple.” Having tried it the easy way, the FBI suggests it’s happy to do things the hard way: “If Apple would prefer that course, however, that may provide an alternative that requires less labor by Apple programmers.”

The government follows up with a citation to the Fourth Circuit’s ruling in the now-infamous Lavabit case. Because the secure e-mail service Lavabit maintained minimal logs of user metadata, the government had obtained an order to install a “pen register” (a mechanism for recording metadata in real time) on the company’s systems in order to monitor a particular user, widely believed to be Edward Snowden. In order to make that data intelligible, however, it also demanded the use of the SSL keys used to encrypt all users’ traffic. When the Fourth Circuit upheld that demand, CEO Ladar Levison chose to shutter the site entirely.

Apple’s latest reply brief clearly registered the company’s dismayed response to this legal shot across the bow:

The catastrophic security implications of that threat only highlight the government’s misunderstanding or reckless disregard of the technology at issue and the security risks implicated by its suggestion.

Such a move would signal a race to the bottom of the slippery slope that has haunted privacy advocates: A world where companies can be forced to sign code developed by the government to facilitate surveillance. In this case, that means software to brute force a passcode, but could as easily apply to remote exploits targeting any networked device that relies on developer credentials to authenticate trusted updates. Which is to say, nearly any modern networked device. It entails, quite literally, handing the government the keys to the kingdom.

What’s particularly worrying is that, while this approach is massively more troubling from a security perspective than funneling such requests through the company itself on a case-by-case basis, it would likely stand on a less shaky legal foundation.

Apple’s arguments throughout this case have stressed the unprecedented nature of the FBI’s attempt to conscript the firm’s engineers, noting that the All-Writs Act invoked by the government was meant to enable only the particular types of orders familiar from common law, not grant an all-purpose power to “order private parties to do virtually anything the Justice Department and FBI can dream up.” The trouble is, an order to turn over information in the “possession custody or control” of a private party is just such a traditional order. Such demands are routinely made, for instance, via a subpoena duces tecum requiring a person or company to produce documents.

It’s likely that Apple’s developer keys are stored in a Hardware Security Module that would make it difficult or impossible to produce a copy of their firmware signing key directly to the government. But that might not be much legal help. In a separate iPhone unlocking case in New York, magistrate judge James Orenstein recently rejected the government’s argument that a previous All Writs Act case, New York Telephone Co., required Apple’s compliance. In that case, Orenstein noted, the government’s

agents would normally have been able to install the authorized pen register without the company’s assistance but for the fact that the subject telephone’s wires were so placed as to prevent the agents from gaining surreptitious access. The agents thus needed the telephone company not to provide technical expertise they lacked, but only to step out of the way and let them perform their authorized surveillance on company property.

But that sounds much closer to what would be involved in a case where Apple is required to authenticate government-written code: Just “step out of the way” and let the FBI access the HSM containing the keys used to sign updates.

Similarly, many of the First Amendment arguments raised by Apple and the Electronic Frontier Foundation (to the effect that “code is speech” and that the requirement that Apple create new software amounts to “compelled speech”) would also fall by the wayside. They might still advance such arguments with respect to the “endorsement” implicit in using company credentials to sign software, but a court may not find that as intuitive as the idea that “compelled speech” is involved in requiring engineers to devise wholly novel and potentially complicated software.

Many of Apple’s other arguments, of course, would remain untouched: There’s the idea that Congress has established a comprehensive statutory framework specifying the means of law enforcement access to digital content via laws like the Communications Assistance for Law Enforcement Act and the Electronic Communications Privacy Act, making the All-Writs Act an inappropriate mechanism to seek authority withheld by Congress. Nor would a “sign our code” approach affect any of Apple’s claims about the broader security harms inherent in the creation of developer-authenticated tools to break security. But the long list of legal barriers to the FBI getting its way would surely be significantly reduced.

That means it’s not just important that Apple win in this case: it matters how it wins. If the company emerges victorious on grounds fundamentally tied to the mandate to create software rather than the demand to authenticate it, it could prove a pyrrhic victory indeed, opening the door for the government to insist on doing things the “hard way,” and inaugurating an era of government-scripted malware signed to look like genuine updates.

Companies: apple, lavabit


Comments on “How Apple Could Lose By Winning: The DOJ's Next Move Could Be Worse”

127 Comments
That One Guy (profile) says:

Nothing could possibly go wrong

Yeah, I’m sure Apple and any other company would have no problem whatsoever handing over the source code of their products to the government to use.

I mean it’s not like various government agencies have ever been hacked and had highly valuable data grabbed, or had someone almost literally just walk out the door with sensitive files, I’m sure the government would secure all that insanely valuable data in a way that no-one could ever gain access to it.

Padpaw (profile) says:

Re: Nothing could possibly go wrong

Lest we forget, when a high ranking government official leaks sensitive info, his actions get ignored, as opposed to when the average citizen leaks sensitive info and gets prison time measured in decades.

Not a chance I would trust such treasonous scum with access to what they are demanding here. They sell it off for profit, and they know they will not be punished for those actions. There is no benefit to trusting anyone in the government with this until they clean up the corruption in their systems.

DannyB (profile) says:

Re: Re: Re: Re:

For anyone who thinks the jack booted thugs in the middle of the night sounds like a crazy conspiracy theory, I would just point out the following.

How many of the following items does America now have:
Secret courts.
Secret court orders.
Secret laws.
Secret interpretations of laws.
Secret arrests.
Secret evidence that cannot be made available to the defense for national security reasons.
Secret convictions.
Secret prisons where torture is practiced in secret. (But it’s okay because it’s not done on American soil.)

Americans should feel safer than ever.

Now does it still seem so far fetched that you could be arrested in the middle of the night by thugs kicking down your door?

And the Going Dark problem MUST be solved. We cannot allow there to be secrets we cannot read.

If you’ve done nothing wrong, then you’ve got nothing to hide (no secrets).

nasch (profile) says:

Re: Re: Re:2 Re:

Secret prisons where torture is practiced in secret. (But it’s okay because it’s not done on American soil.)

Hey now, say what you will about Chicago, but it is definitely American soil.

Now does it still seem so far fetched that you could be arrested in the middle of the night by thugs kicking down your door?

Far fetched? No-knock warrants are commonplace these days, aren’t they?

John Fenderson (profile) says:

Re: Re:

But it’s not limited to Apple. If they can make Apple do it, they can make anyone else do it too. Further, they could probably do it while requiring everyone involved to keep it a secret.

It means that you could never trust commercial platforms of any sort at all. Commercial platforms aren’t terribly trustworthy as it is, but this would ensure that a trustworthy one is impossible to create.

nerd bert (profile) says:

Re: Re: Re:

Commercial platforms aren’t terribly trustworthy as it is, but this would ensure that a trustworthy one is impossible to create.

It would be quite an interesting development. You’d have people who care about privacy and security looking for companies outside the normal reach of the various big governments, or going to the various platforms like CyanogenMod.

I’m not sure how much it would hinder Apple and other US technology companies. When it became clear that ALL governments would be issuing the same orders for custom surveillance versions of their own subjects the impact would be far less. It would take someone like the EU declaring a “right to privacy” to give that region an economic advantage.

John Fenderson (profile) says:

Re: Re: Re: Re:

It’s an interesting question for sure. Lots of variables and unknowns in there. For example, I assume that most people who highly value security are already avoiding commercial services as much as possible. Even things like CyanogenMod have become less trustworthy with a lot of people since Microsoft became an investor.

I also suspect that most criminals above the petty variety would not be impacted by this sort of action as they would already be using platforms out of the reach of governmental power.

Anonymous Coward says:

Re: Re:

Yeah, but just think: it wouldn’t be long before the source code is available everywhere and you would be able to make your own version… oh wait, except you’d need the key to sign it… But the government wants that too, so that’d be available. So yeah, you would be able to cook your own OS.

JoeCool (profile) says:

Re: I know I'm stretching here

I’d say it’s more a DMCA violation – the government is circumventing a security restriction. At that point, it DOESN’T MATTER if what the government is doing is legal or not, circumvention is illegal even if the underlying act is legal. Sauce for the goose and all that.

Imagine the government being forced to petition for a three year exemption on cracking phones for surveillance. 😀

John Fenderson (profile) says:

Re: Re: Re: I know I'm stretching here

“That only applies if done for commercial or personal financial gain”

That’s simply not true. The DMCA makes circumvention illegal even if the activity you’re trying to engage in is otherwise 100% legal.

The real reason the DMCA doesn’t apply is because it’s the government.

nasch (profile) says:

Re: Re: Re:2 I know I'm stretching here

“That only applies if done for commercial or personal financial gain”

That’s simply not true. The DMCA makes circumvention illegal even if the activity you’re trying to engage in is otherwise 100% legal.

Which is yet a separate question – whether something is copyright infringement does not hinge (entirely) on whether it’s done for financial gain. The DMCA doesn’t care about either point – legality or profit.

Median Wilfred says:

Why now?

Why is the FBI doing this right now? Does the San Bernardino “terrorism” give them that much public approval that they can get away with this?

Why is the USA creating a secret police out of the FBI? Did the FBI always want to be the secret police?

This whole episode is very puzzling. Ordinarily, I can attribute some weird government behavior to “lobbying” by special interests, or turf wars between two TLAs or stupidity by a minor agency that blows up on them. This is the FBI, a major agency, and it seems to be doing this with full DoJ, if not Oval Office, approval. I can’t make it come out as a turf war, dumbness, or due to lobbying. WTF?

That One Guy (profile) says:

Re: Opportunistic government agencies is why

From a previous article on TD:

“But what concerns me, Mr. Chairman, is that in the middle of an ongoing Congressional debate on this subject, the Federal Bureau of Investigation would ask a federal magistrate to give them the special access to secure products that this committee, this Congress, and the administration have so far refused to provide,” he said. “Why has the government taken this step and forced this issue?”

He went on to speculate that the reason could be found in an email from “a senior lawyer in the intelligence community,” obtained and published in part by the Washington Post in September 2015. The email said that the “the legislative environment [with respect to mandating backdoors] is very hostile today,” but that “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

Anonymous Coward says:

Re: Re: Why now?

We are ALREADY THERE. Gestapo Lite is still what it is.

The Police can murder with little to no justification, laws are being applied and people being jailed under State Secret, courts regularly disregard law, and trying to exercise your rights only gets more of them removed. The President is Openly saying you should have no privacy in the face of Government overreach.

We are in a police state by the facts alone!

And since a lot of people still Love Obama and Bush, this is apparently what America wants!

Anonymous Coward says:

i’m telling you there are piss-ant little outfits all over the world who are hoping this goes badly for apple and the rest of us here. this would open the door for tech to move to places the u.s. govt can’t touch and would signal the beginning of the end of such here.

cisco products would someday soon sit alongside black and white philco tvs in dark corners of the smithsonian, saying, in effect, look at me, please, i used to be somebody.

Aaron Walkhouse (profile) says:

It means that American commercial platforms become unprofitable altogether. Trust is too much a central part of the market to be compromised in this way.

People stop buying American.
American corporations emigrate.
Trillions in taxes disappear within a decade.

FBI’s plans become an unreasonable burden after it’s too late to fix. The court might realize this in time to stop it.

Arthur Moore (profile) says:

Re: Re:

It’s already started. Cisco saw a drop in sales after the pictures of the NSA intercepting their boxes in transit were released. If the FBI goes that route and wins, then the NSA don’t even need to intercept shipments. They can just modify the source code and secretly demand Cisco sign it. Same goes for Windows.

It’s been shown before that they can man-in-the-middle just about any network traffic. The next over the air, or mandatory windows update might contain all sorts of goodies from the NSA.

Anonymous Coward says:

Impossibility

It’s likely that Apple’s developer keys are stored in a Hardware Security Module that would make it difficult or impossible to produce a copy of their firmware signing key directly to the government.

Difficult? Sure.

But impossible? The attacker is a major nation-state. To make it impossible, the physical HSM can’t be the only line of defense.

Rather, one would hope that use of Apple’s signing keys also requires a ceremony which requires information contained within the physical HSM combined with information known only to multiple, trusted(*) personnel.

In a certain sense, the problem isn’t that much different than the hardware uid + passcode problem with the iPhone.

 

(*) “Trusted” is more-or-less a term of art in this context. “Trusted” means having the capability to subvert security. It doesn’t necessarily imply “trustworthy”.

That Anonymous Coward (profile) says:

No TAC you’re crazy, we aren’t sliding towards a dystopian future where we are constantly under attack by our own government. People would never let that happen, we have freedoms guaranteed to us in the law. They would never use terrorism to push further and further into ‘innocent’ peoples lives.

I do hope to have a seat with a view the day President Trump signs the bill mandating the implantation of GPS enabled trackers that record everything we say and do so we can FINALLY be safe from terrorists. It’ll be fun to watch the mark of the beast people finally be proven right as it all goes pear shaped.

We let them take too much, push too far, and this rock is rolling down the hill very fast. One has serious concerns about how many will have to be crushed to try and stop it… if we even can at this point.

Anonymous Coward says:

Re: Re: Re: Re:

You talk about Trump, but tell me… which other Candidate that is running for Office that will be any different?

It is pretty clear how completely and despicably mentally dishonest you are.

None of these candidates give a flying fuck; they are all in it for the power, and each one is saying what they think will get them elected into power!

Anonymous Coward says:

Ironically, once the DOJ and FBI succeed in destroying the trustworthiness of every American communications device, no offshore company making secure devices will allow those devices to be assembled in the US, for the obvious reasons. Maybe we can go back to building tractor parts and clothing.

Thanks, DOJ. Thanks a pantload.

Anonymous Coward says:

There is a big difference between the Lavabit case and this case.

In the Lavabit case, the encryption key was just a number. Probably a prime number generated in a matter of minutes by some program.

Apple’s source code is the result of millions of man hours of effort and is worth millions, perhaps billions, of dollars.

Clearly I’m not a lawyer, but I find it odd that Apple could be ordered to hand over their source code with no legal proceedings and no compensation.

And the thought that the FBI even entertains the belief that they can just take the millions of lines of Apple source code and just “tweak it” to accomplish their goals in my lifetime makes me laugh.

Anonymous Coward says:

Re: Re:

Apple’s source code is…

A mind-bogglingly huuuuuuge number.

Well, the source for any specific build can be represented as a single natural number. If we consider the sources for different builds as a set of natural numbers, we can then map that set into another, even larger number.

Not sure where I’m going with this, but you said, “In the Lavabit case, the encryption key was just a number.” So tell me again what work the “just a number” argument does?

Anonymous Coward says:

Re: Re: Re:

True, both the Lavabit encryption key and Apple’s compiled source code are “just numbers”.

The obvious difference is that the encryption key was generated by a program, and the computer power used to generate it probably cost less than a penny.

While Apple’s source code is the product of millions of man hours over years of effort.

They are scarcely equivalent.

It’s like saying a doghouse and the Taj Mahal are equivalent because they’re both “just buildings”.

Anonymous Coward says:

Re: Re: Re: Re:

True, both the Lavabit encryption key and Apple’s compiled source code are “just numbers”.

Not just the compiled source, but the uncompiled source, whether ASCII or UTF-8 or —god help us— EBCDIC.

It’s like saying a doghouse and the Taj Mahal are equivalent because they’re both “just buildings”.

Well, then why did you bother to state that the “doghouse” is just a building?

If your argument is about the semantics of the numbers, then maybe you’re saying that Lavabit’s number was meaningless and Apple’s number is meaningful? You sure that’s the direction you want to go?

Anon says:

Who could do this?

The FBI doesn’t have the expertise. Even if they contract it out, it would take a long time to get the necessary team up to speed on the intricacies of the details. Another trick would be to have off-shore entities (i.e. let’s say Apple Inc is in Ireland – they have subsidiaries AppleUSA and AppleIreland, and for good measure AppleIceland and an independent contractor AppleSwiss; all four subsidiaries must authenticate a piece of code with private keys before it can be valid). Where do you serve the warrant and how do you force compliance?

If the solution to USA bullying is to move offshore, well, mission accomplished.

Anonymous Coward says:

Don’t know how the Lavabit precedent can stand, as that was to monitor activities of someone who was alive and was actually able to create something to be monitored. In the Apple case the subject to be followed cannot create metadata nor cause any damage to society anymore, as the subject is deceased, so the DOJ standpoint is still moot.

Sounds like an interesting case though.

Anonymous Coward says:

Re: Say goodbye to American tech companies

No doubt. That is exactly what would have happened if the Commercial Felony Streaming Act had become law. All the streaming providers would have moved their companies, and their servers, outside of the country, where they could not be subpoenaed and/or would have quit keeping logs.

Anonymous Coward says:

An option already exists to limit this...

I imagine that Apple’s software signing key approach would then evolve to use the model developed for HDCP, whereby existing keys can be invalidated and replaced with updated ones, such that upon being compelled to turn over signing keys to the government after a nasty legal battle, the government will be able to compromise the particular device in question, but immediately afterwards that key is invalidated and a new one is created, such that it no longer works for any other devices, requiring the process to be repeated every time.
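The rotate-and-revoke idea above, as an added example that is not Apple’s, HDCP’s or the commenter’s mechanism: a device accepts an image only from a key it still trusts, applies the revocations and new keys carried in a signed manifest, and refuses to roll back to an earlier epoch. HMAC-SHA256 stands in for the asymmetric signature a real boot ROM would check, and every key and image here is constructed.

```python
"""Signing-key rotation with monotonic revocation, modelled in Python.

Added example. A manifest carries the firmware digest plus optional
rotation instructions (keys to add, keys to revoke) and an epoch that a
device never lets decrease. HMAC-SHA256 is a stand-in for the asymmetric
signature a real device would verify; keys and images are constructed.
"""
import hashlib
import hmac
import json

KEY_A = "aa" * 32   # constructed demo key, not real key material
KEY_B = "bb" * 32


def _sign(key_hex, manifest):
    """Stand-in signature: HMAC over the canonical JSON of the manifest."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(bytes.fromhex(key_hex), body, hashlib.sha256).hexdigest()


def make_update(key_id, key_hex, epoch, firmware, add_keys=None, revoke=None):
    """Build a signed update as the vendor would ship it."""
    manifest = {
        "epoch": epoch,
        "key_id": key_id,
        "firmware_sha256": hashlib.sha256(firmware).hexdigest(),
        "add_keys": add_keys or {},   # key_id -> verification key (hex)
        "revoke": revoke or [],
    }
    return {"manifest": manifest, "sig": _sign(key_hex, manifest)}


class Device:
    """Device-side trust store: trusted keys, revoked ids, monotonic epoch."""

    def __init__(self, trusted_keys, epoch=0):
        self.trusted = dict(trusted_keys)
        self.revoked = set()
        self.epoch = epoch

    def install(self, update):
        manifest, sig = update["manifest"], update["sig"]
        kid = manifest["key_id"]
        # 1. The signing key must be one this device still trusts.
        if kid in self.revoked or kid not in self.trusted:
            return False
        # 2. Rollback check: an image older than the last one installed
        #    cannot be used to undo a rotation.
        if manifest["epoch"] < self.epoch:
            return False
        # 3. Signature over the whole manifest, firmware digest included.
        if not hmac.compare_digest(sig, _sign(self.trusted[kid], manifest)):
            return False
        # Accepted: apply the rotation instructions the manifest carries.
        self.epoch = manifest["epoch"]
        for new_id, new_key in manifest.get("add_keys", {}).items():
            self.trusted[new_id] = new_key
        for old_id in manifest.get("revoke", []):
            self.revoked.add(old_id)
            self.trusted.pop(old_id, None)
        return True


def run_scenario():
    """Key A is used once under compulsion, then retired in favour of B."""
    updated = Device({"A": KEY_A})
    stale = Device({"A": KEY_A})   # never receives the rotation update
    v1 = make_update("A", KEY_A, 1, b"firmware v1 (constructed)")
    rotate = make_update("A", KEY_A, 2, b"firmware v2 (constructed)",
                         add_keys={"B": KEY_B}, revoke=["A"])
    by_a_later = make_update("A", KEY_A, 3, b"any image signed with A")
    by_b = make_update("B", KEY_B, 3, b"firmware v3 (constructed)")
    by_b_old_epoch = make_update("B", KEY_B, 1, b"v1 re-signed with B")
    return {
        "v1_installs": updated.install(v1),
        "rotation_installs": updated.install(rotate),
        "retired_key_rejected": not updated.install(by_a_later),
        "prerotation_replay_rejected": not updated.install(v1),
        "new_key_accepted": updated.install(by_b),
        "older_epoch_rejected": not updated.install(by_b_old_epoch),
        # The caveat: a device that never installed the rotation still
        # trusts A, so revocation only protects devices that update.
        "stale_device_exposed": stale.install(by_a_later),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The last result is the limit of the scheme: revocation is only as good as its delivery, so any device seized before it installs the rotation remains open to the retired key.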

Anonymous Coward says:

Re: Re:

The technology industry is not the same as other adversaries the government goes against. Most adversaries are not sufficiently prepared to handle a persistent, ever-present attack and will eventually give up the fight in a war of attrition such as this. However, security in technology is an unending battle where every threat that is mitigated is replaced with a new one. This is no different. However, with every attack that is mitigated, future attacks become more difficult. This concept is completely lost on the government.

Anonymous Coward says:

Re: Re: Re:

Indeed, which is why the price of liberty is eternal vigilance.

Sadly far too many Americans have forgotten this and are fine with voting in any of the current gaggle of maggots that are currently running for president.

What is interesting, is that each of the current candidates D or R (including our past 3 presidents) would be considered an anathema to the founders on issues of liberty.

Anonymous Coward says:

Re: Re: Re:2 Re:

I think Bernie is a little different.

The EFF and 46 technologists’ amicus brief in the CDCal case sets forth the proposition that Apple Inc. has a first amendment right at stake in this matter. Going beyond the brief, EFF has a DeepLinks blog post about the position, “What We Talk About When We Talk About Apple and Compelled Speech”.

Bernie’s opposed to that idea, isn’t he? In fact, the centerpiece of his whole campaign is opposition to that idea that Apple, Inc. might have any first amendment rights, isn’t it?

Anonymous Coward says:

Re: Re: Re:3 Re:

I don’t think so. He’s more against the first amendment being used by corporate interests to legalize what is effectively bribery of public officials. If it were rich people using their own wealth to pay off officials he would be against it. It’s not merely the fact that they are corporations.

Anonymous Coward says:

Re: Re: Re:4 Re:

It’s not merely the fact that they are corporations.

Bernie’s nuance then, has been lost on me.

Afaict, he’s against the idea that people have a right to organize themselves for political purposes, and to distribute a movie using video-on-demand.

After hearing that, to be honest, I mostly quit listening to Bernie himself. Here at Techdirt, though, I have heard a number of his ostensible supporters argue roughly that “corporations R teh evil”. I did come away with the impression that Bernie felt that people’s right to organize and distribute core political speech ought to be infringed by the Congress.

Anonymous Coward says:

Re: Re: Re:5 Re:

The issue is the rich using their money to buy influence with publicly elected officials which is bribery and should remain illegal regardless of whether a corporation or an individual does it. The problem with Citizen’s United is that the basis for it was that giving money was speech and therefore bribery of a public official is a 1st amendment protected act that “Congress shall make no law” to abridge. The movie part doesn’t really matter that much.

Anonymous Coward says:

Re: Re: Re:6 Re:

The movie part doesn’t really matter that much.

Yes. I understand that the movie is unimportant to you. Beneath consideration.

Frankly, I didn’t watch myself, and wouldn’t pay to see it on video-on-demand. I’ve heard the piece of garbage. I don’t really like movies, anyhow.

But people still have a fundamental right to organize. Organized citizens still have a fundamental right to seek to persuade their fellow citizens. They have the right to make the movie, and to distribute it to people who want to watch it.

So, you can tell me —until you’re blue in the face— that censoring the movie is not a big deal. But you just lost me there.

Rich Kulawiec (profile) says:

The endgame -- if this plays out

Suppose this happens, and that FBI modifies Apple’s code as specified. Here are some questions to ponder:

1. What is the value of that (new) code on the open market?

2. What countries would be ready, willing, and able to pay that amount?

3. What countries would be ready, willing, and able to coerce, steal, kidnap, suborn, and kill for it?

4. There are, of course, a nonzero number of foreign intelligence agents inside the FBI (just like there are a nonzero number of US intelligence agents inside other countries’ agencies). Given that the USG does not know who they all are, how will the FBI ensure that one of them isn’t on the team directly involved in this work?

This is an incredibly dangerous path to tread.

Zinc says:

Waste of time

Anyone can create unbreakable encryption with a PENCIL and PAPER. Just look up one-time-pad, and there are other methods. And then key it into an SMS or tweet. How are they going to backdoor that? The phone companies are already required to keep records that can be subpoenaed, so it’s not about metadata. So is the FBI just ignorant, or have they an ulterior motive? Getting ahold of Apple’s source code so they can look for ways to install surveillance programs on everyone’s device?

Anonymous Coward says:

Re: Waste of time

Just look up one-time-pad

Bruce Schneier on one-time pads:

It’s a meme that never seems to go away. Every time I write about this cryptanalytic result, or the insecurity of that system, someone starts crowing about one-time pads. . . .

 . . . It’s also pretty much useless. Because the key has to be as long as the message, it doesn’t solve the security problem. One way to look at encryption is that it takes very long secrets — the message — and turns them into very short secrets: the key. With a one-time pad, you haven’t shrunk the secret any. . . .

What a one-time pad system does is take a difficult message security problem — that’s why you need encryption in the first place — and turn it into a just-as-difficult key distribution problem. It’s a “solution” that doesn’t scale well, doesn’t lend itself to mass-market distribution, is singularly ill-suited to computer networks, and just plain doesn’t work.

Anonymous Coward says:

Re: Re: Waste of time

Given the capacity of micro SD cards, and availability of real random data, one time pads are viable to protect communication between two people who meet once every few years. An Arduino based system is capable of dealing with text messaging via one time pads, and can read and write to SD cards, or to and from an Internet connection without exposing itself to attacks via those media. While not suitable for mass use, such a system is certainly viable to enable a small group to communicate with secure encryption and stay offline, and rely on couriers to deal with relaying messages via the Internet.

Suicide bombers do not need particularly secure message systems, they are expendable after all, while the puppet masters behind them do need secure communications, as they expect to be around for many years.

Anonymous Coward says:

Re: Re: Waste of time

“[The one-time pad] is a “solution” that doesn’t scale well, doesn’t lend itself to mass-market distribution, is singularly ill-suited to computer networks, and just plain doesn’t work.”

Scalability isn’t the point. Secrecy is.

Terrorists meet and swap 100 GBytes of random numbers for their one time pad keys.

That allows them to communicate for years without having to meet again.

They’re not trying to build a computer network; they’re trying to commit mayhem.

But the rest of us have to destroy our privacy with weak cryptosystems so that the terrorists can continue to communicate in perfect secrecy?

So the proposed “solution” doesn’t stop the terrorists and does infringe on the rights of the rest of us.

Anonymous Coward says:

Re: Re: Waste of time

Against any other attacker Schneier is correct. However, the FBI and the intelligence agencies won’t stop until every single encryption system is broken.

Yes one-time pads are a usability nightmare. Yes you will need to be an encryption nerd and an opsec nerd if you want the privacy that was once available to all of us. But it will be the best encryption available, because it will be the only encryption available.

Anonymous Coward says:

Re: Re: Re: Waste of time

But it will be the best encryption available, because it will be the only encryption available.

There are secure open source encryption systems available, and they cannot force changes into every available copy, or prevent people taking a diff between source trees before accepting or rejecting changes. You can be sure that there are people keeping a very close eye on those code bases, including foreign governments. Also, encryption systems can be run on naked iron, using smaller ARM or other controller-orientated processors.

New Mexico Mark says:

Apple is not Lavabit

Apple probably has more lawyers than Lavabit had dollars. However, if the U.S. Govt. decides to take draconian measures, we’ll find out (or perhaps not) whether Apple has the courage displayed by Lavabit to do the right thing rather than just making “good business decisions”.

The proper response to drastic action (*especially* if accompanied by a gag order) would be for Apple to go public in a huge way, while announcing plans to relocate so it can continue to offer its customers (in free countries) meaningful security.

Meanwhile, I think Apple could afford a few billion for a huge PR campaign that would make it political suicide for any politician to be on the stupid side of this fight.

DannyB (profile) says:

Apple could also Win by Losing

1. Apple could be forced to write GovtOS.
2. Install it for this one phone. Then another and another…
3. The FBI (at gunpoint) won’t leave the building without it. And the private signing keys. (Even if this step does not occur, the rest follow…)
4. Inevitably, it leaks. Or is hacked.
5. Tens of millions of phones are instantly vulnerable.
6. Overnight it is major national news. Apple security compromised. And nothing can be done about it.
7. AND IT IS BEYOND DOUBT THAT THE FBI IS RESPONSIBLE.
8. Suddenly all doubters are convinced.
9. Apple sets about to build new models with security.
10. Everyone wants the new models at a much faster rate than natural upgrade cycles.
11. Profit.

Whatever (profile) says:

Re: Apple could also Win by Losing

Sorry danny, but I think you are to foiling in a very big way here.

The “signing keys” are powerful, but they are both easily revoked and also potentially quite individualistic. As an example, when you update to iOS 9.2, you cannot go backwards to 9.0.x if you didn’t like the 9.2 update. Even with a valid signing key, you have already gone past that update so you are done.

Apple could issue a signing key for the individual phone in question that would be a 0.0.0.1 update on whatever is currently on it, and that phone would update, and that signing key might only be able to be applied on phones with a lower number than that on it.

Further, and this is important: It’s unlikely that Apple will have to write a whole OS. In reality, they need two very small patches (one that disables the 10 counter, one to eliminate speed blockages), and that is it. It’s not going to be a full OS update.

Apple loses no matter what here. It’s very likely that any further attempts to make encryption MORE secure will be met with laws at the federal level to limit it. The desire and the will appears to exist in congress to do such a thing. Apple would also look even more like they are trying to block law enforcement by making such a move, which could in turn land them in some legal trouble.

Most importantly: Apple is going to get ass f–ked on taxes in the next year or so, mark my words. There is a pretty big build up in Washington (and around the world for that matter) to deal with the issues of offshoring profits to avoid paying tax. Don’t be entirely shocked if the federal government doesn’t move to something like a national value added tax or flat percentage of sales for electronic devices, online memberships, subscriptions, and the like. No matter what, Apple is bringing a lot of things to a head and the results generally will not be in their favor.

Anonymous Coward says:

Re: Re: Tax minimisation Vs Tax avoidance

There is a huge difference between tax minimisation and tax avoidance. The first is completely legal, the second is generally illegal.

What the politicians and others don’t want the general public to know is – the difference.

Any company worth its salt will always be looking at the tax legislation to minimise its tax burden. That is what they employ good tax accountants for.

The problem is that the politicians don’t like sensible and intelligent people looking at the legislation for all the ways that are there for minimising their tax burden.

So the politicians invariably go to the sad sack place of accusing these companies of tax “avoidance” when these companies are only minimising their tax burden.

The tax legislation is created by the politicians who are so completely clueless that they do not understand what it is they are legislating. Those of them that do understand, do so because they know the various loopholes for minimisation are there and they are associated with the beneficiaries of those loopholes.

There are various ways to ensure that government is appropriately funded, including ensuring that overreach doesn’t occur. But you will not see these proposals see the public light of day, simply because there are too many special interest groups who will be disadvantaged by these kinds of system (including paying their fair share of the costs of running government).

So, to claim that Apple or any other business is avoiding tax by following the rules put in place by the various rule-making groups is disingenuous to say the least. If you want to fix the problem, you need to fix the political environment first (including all forms of bribery of the politicians that are currently quite legal).

One possible suggestion is to have true proportional representation. You represent those whom you can get to publicly back you and you need the support of those backing you to vote on any legislation – in other words you need to discuss what position you are to take on any legislation with your constituency.

klaus says:

Re: Re: Re: Tax minimisation Vs Tax avoidance

“The tax legislation is created by the politicians…”

A small point I’d like to add is that tax legislation is often drawn up and tailored to suit corporate tax minimisation schemes by organisations like ALEC (American Legislative Exchange Council).

http://www.alecexposed.org/wiki/Bills_to_Create_Tax_Loopholes_or_Affect_Budgets_Etc.

A deeply insidious situation allowed to happen by those lazy and inept politicians you mention…

nasch (profile) says:

Re: Re: Apple could also Win by Losing

It’s very likely that any further attempts to make encryption MORE secure will be met with laws at the federal level to limit it. The desire and the will appears to exist in congress to do such a thing.

And what do you think will be the result of that? Do you suppose Apple, Google, and every other US tech company interested in providing security to their customers will just shrug and say oh well, I guess that’s not going to happen? Or will they start making plans to move operations overseas? And before you say they won’t do it, consider how many companies are willing to move huge manufacturing facilities for a tax benefit and then consider how much more important this issue is to a company like Apple.

Not to say that you’re wrong. I wouldn’t be surprised if the FBI, plenty of federal courts, and Congress would be willing to inflict such a gunshot wound on the US. I would say shoot ourselves in the foot but I think it’s going to be more dangerous than that.

Peter says:

Silly question

This is probably a dumb question for the technical minded people but I’m going to ask it anyway.

Would a simple solution be for Apple to code their OS so that it requires the phone password to be entered *before* any upgrade can be installed?

The FBI or hackers (are they any different?) could have their special OS version, but it can’t be installed unless the owner of the phone enters their password. After x failed attempts the phone is permanently disabled.

Once this OS is installed, installing a user unauthorised version would become a lot more difficult.

Anonymous Coward says:

Re: Silly question

Would a simple solution be for Apple to code their OS so that it requires the phone password to be entered *before* any upgrade can be installed?

That, and having to unlock the phone and authorize a backup would have kept the door shut. That said, with physical possession of the device, it is always possible to overwrite any writeable firmware with a new version, although that raises issues when it comes to chain of custody with respect to evidence.

Anonymous Coward says:

Re: Re: Silly question

with physical possession of the device, it is always possible to overwrite any writeable firmware with a new version

With the root of the chain of trust burned into ROM on the application processor, rewriting flash is not sufficient to guarantee executability.

OTOH, in a battery-operated consumer device it’s probably not feasible for Apple to use just-in-time verification on each instruction. Thus, if there is any bus available which makes instruction memory writable by a device external to the application processor, then a TOC-TOU vulnerability will almost certainly exist.

Apple might be able to partially counter that by using symmetric encryption on the contents of ram, decrypting only in the application processor itself, but a bit-flipping attack would still probably succeed in throwing the instruction pointer to a location outside the intended instruction stream.
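The comment above makes two separable points: a root of trust in ROM means rewriting flash alone does not get code executed, and a bus that can write instruction memory after the check opens a time-of-check/time-of-use window. An earlier comment in the thread raised the related point that a signed image should not be installable below the version already on the device. The Python below is an added model of those three checks, written for this discussion; it is not Apple's boot ROM or iOS code. `ROM_KEY`, `MIN_VERSION_FUSE`, the HMAC-SHA256 tag (standing in for a public-key signature the ROM would verify with a burned-in public key) and the `bus_writer` callback (standing in for a DMA-capable bus master) are all constructed assumptions.

```python
"""Boot-image verification with anti-rollback and a TOCTOU-safe copy step.

Added model for the discussion above, not vendor code.  A boot ROM holds a
root of trust it cannot change; before jumping to an image in writable
memory it (1) checks the image's signature, (2) refuses versions below a
fused minimum, and (3) checks a copy that only it can reach, so a write on
a shared bus cannot land between the check and the jump.
"""
import hashlib
import hmac
import struct

# Constructed assumptions: the ROM's root key and a minimum-version counter,
# standing in for a burned-in public key and one-time-programmable fuses.
ROM_KEY = b"constructed-rom-root-key"
MIN_VERSION_FUSE = 3

HEADER = struct.Struct(">I")              # 4-byte big-endian image version
TAG_LEN = hashlib.sha256().digest_size    # 32-byte tag at the end of the image


def sign_image(version: int, code: bytes, key: bytes = ROM_KEY) -> bytes:
    """Vendor side: version || code || tag.  HMAC stands in for the real
    public-key signature (an assumption of this model)."""
    body = HEADER.pack(version) + code
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(image: bytes, key: bytes = ROM_KEY,
                 min_version: int = MIN_VERSION_FUSE) -> tuple:
    """ROM side: return (version, code) or raise ValueError."""
    if len(image) < HEADER.size + TAG_LEN:
        raise ValueError("truncated image")
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):     # constant-time compare
        raise ValueError("signature check failed")
    (version,) = HEADER.unpack(body[:HEADER.size])
    if version < min_version:                       # anti-rollback
        raise ValueError("rollback to version %d refused" % version)
    return version, body[HEADER.size:]


def accepts(image: bytes) -> bool:
    """True if the ROM would run this image."""
    try:
        verify_image(image)
        return True
    except ValueError:
        return False


def external_write(buf: bytearray) -> None:
    """Constructed model of a bus master overwriting the code bytes in place."""
    buf[HEADER.size:HEADER.size + 4] = b"EVIL"


def boot_in_place(shared: bytearray, bus_writer=None) -> bytes:
    """Vulnerable pattern: verify the shared buffer, then execute from it.
    `bus_writer` runs in the window between check and use.  Returns the
    code bytes the CPU would actually execute."""
    verify_image(bytes(shared))
    if bus_writer is not None:
        bus_writer(shared)
    return bytes(shared[HEADER.size:-TAG_LEN])


def boot_from_private_copy(shared: bytearray, bus_writer=None) -> bytes:
    """Mitigation: copy into memory only the application processor can
    reach, verify the copy, execute the copy.  A write to the shared buffer
    after the copy changes nothing that runs; a write before it is caught
    by verification."""
    private = bytes(shared)
    if bus_writer is not None:
        bus_writer(shared)
    _, code = verify_image(private)
    return code


if __name__ == "__main__":
    image = sign_image(5, b"GOOD")
    print(boot_in_place(bytearray(image), external_write))           # b'EVIL'
    print(boot_from_private_copy(bytearray(image), external_write))  # b'GOOD'
```

The copy-then-verify step is the cheap counterpart to the per-instruction verification the comment rules out on battery grounds: the cost is one memcpy per boot, and it only works if the private memory really is unreachable from the bus in question, which is the point the follow-up comments about Harvard architecture and package-on-package RAM go on to make.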

Anonymous Coward says:

Re: Re: Re: Silly question

Apple might be able to partially counter that by using symmetric encryption on the contents of ram

Before doing that, they might first go to a pure Harvard architecture, with DMA disallowed to instruction memory.

That would still leave the issue that the ram itself is not on the same die as the application processor. It’s merely stacked in a package-on-package configuration. If they put ram on the same die, I’d expect that yields would probably go down…

Anonymous Coward says:

Re: Re: Re: Silly question

… in a battery-operated, consumer device…

There’s a larger point here, that I ought to bring out here—

If Apple hardens the device to the point where it can withstand battlefield capture by a major nation-state adversary, then it’s likely that no one but DoD will be able to afford one. And even DoD may not be too happy with the battery life: especially over the -55 °C to 125 °C temperature range they’re going to want.

ALPHONSO DUNBAR (profile) says:

THE DOJ'S NEXT MOVE

According to Brian T. Yeh (Yeh, 2014),
“[T]he EEA’s “theft of trade secrets” prohibition is of more general application, involving the intentional theft of a trade secret related to a product or service used in or intended for use in interstate or foreign commerce, with the intent or knowledge that such [an] action will injure the trade secret owner. In addition to criminal enforcement of the statute, the EEA authorizes the Attorney General to bring a civil action to obtain injunctive relief against any violation of the EEA.”

coffinsurfer (profile) says:

Sorry but Apple brought this on themselves.

All they would have had to do was take the phone and get the info that was requested and give the phone and the info back. The phone would still be locked and unable to be accessed, Apple would not be in the spot they are in now, and the government would have the information they requested. But nooooo, Apple wanted to play hard ball so they can’t whine and complain about it now.

And considering they just lost over a half a billion dollar court case that proved Apple stole programs from other companies and then used them in their phones and tablets and claimed them as theirs (http://fortune.com/2016/02/03/apple-virnetx/) and now not only has to pay a 600,000,000 + fine but has to pay a royalty on each and every phone and tablet that these programs are included in, but they are also taking a major hit in sales because of a Chinese company that is making better phones with more features and more hard drive space (some of them have up to 600GB of space) and are thinner than the phones and tablets of Apple and cost about a third. Not to mention they are selling like hotcakes in South Korea and the North Americas (Apple’s own back yard). And the phones are Android based plus allow you to install anything you wish on them unlike Apple. AND when you add in the fact that their stock is taking a major hit on costs, it’s not looking good for Apple right about now. And finally add in the simple fact that Apple has let go close to 10,000 employees to cut costs, and the writing’s on the wall. Apple is in deep trouble. And NO CEO costs a company close to a Billion dollars because of stupidity and expects to stay CEO, so Cook might be shown the door very soon.

Anonymous Coward says:

Re: Re: Sorry but Apple brought this on themselves.

Didn’t predict their downfall now did I? All I said was Apple is in a pretty bad spot right now and it can get a whole lot worse. The Government holds all the cards and if they were to be an arse about it they can force Apple to unlock the phone no matter if Apple wants to or not as there is already a law that DEMANDS that Apple comply and no judge is going to overturn or rule in conflict of existing law, just as the article said.

Apple’s best bet is to just open the stupid phone and end this mess as they are damaging themselves each and every time they start spewing their stupidity on TV or in print. Already every poll taken from a national polling company Zogby-Time Warner-USA Today-Reuters-and so on all clearly show that over 58% of the respondents say that Apple should just grow a pair and open the stupid phone. The longer they refuse the longer this is going to be drawn out and the more damage that is going to be done to their reputation, something they cannot afford.

nasch (profile) says:

Re: Re: Re: Sorry but Apple brought this on themselves.

Didn’t predict their downfall now did I? All I said was Apple is in a pretty bad spot right now and it can get a whole lot worse.

I think you’re splitting hairs since you also said “the writing’s on the wall. Apple is in deep trouble”.

they can force Apple to unlock the phone no matter if Apple wants to or not as there is already a law that DEMANDS that Apple comply and no judge is going to overturn or rule in conflict of existing law, just as the article said.

That’s your opinion, but the case hasn’t been decided yet. And in fact it may never be decided since the FBI may decide to drop it.

Already every poll taken from a national polling company Zogby-Time Warner-USA Today-Ruters-and so on all clearly show that over 58% of the respondents say that Apple should just grow a pair and open the stupid phone.

That’s not that big a majority, and almost certainly from an audience that doesn’t understand either the technical or legal issues, and some unknown percentage of whom aren’t even Apple customers. So I doubt they’re giving it all that much weight.

coffinsurfer says:

Re: Re: Re:2 Sorry but Apple brought this on themselves.

Not splitting hairs at all. When you have just lost a major case and are looking at having to pay out royalties and a court fine that adds up to over 1 BILLION dollars, when you have a Chinese company outdoing your own phone and tablet; when you have to lay off over 10,000 employees to cut costs, and are looking at at least 16 more theft of property lawsuits like the one you just lost AND your stock price is dropping…then anyone can sugarcoat it any way they want. But it is not looking good for Apple. Especially when the US Government has federal law on their side and can FORCE Apple to open the phone no matter if Cook wants to do it or not as they can hit them with fines of up to $1,000,000.00 a day until they comply. And no company can withstand a drain on their resources like that for long and not correct the matter.

What they do after this will show if they are going to stay innovative, or if they are going to fall into the pack and be an also ran.

Nothing more and nothing less need be said.
