Interesting conundrum

[asmo]

If anyone cares on the technical side of the encryption here are some high level descriptions specific to this case:

None of these get into the actual cryptanalysis - e.g. no math required. If anyone wants to talk about the math we can do that in a different forum.

High level
http://blog.cryptographyengineering....ur-iphone.html

Slightly lower level
http://www.darthnull.org/2014/10/06/ios-encryption

And more importantly, for anyone that is thinking of voting for Trump:
http://www.nbcnews.com/news/us-news/...hooter-n522031

[asmo]

Oh and one last one - from the Demi-god of encryption himself (and an incredibly cool human being at that):

https://www.washingtonpost.com/poste...o-iphone-case/

[Aloha_Shooter]

...How is that not adding a back door? That's providing a way to skip the normal rules. Even if such a thing were created that would leave the data encrypted but make it so you can have unlimited tries to break the encryption, such a thing can and would get into the hands of bad actors, who would exploit it. Hence, backdoor.

You need to check the definition of a backdoor. Adding a global key that would give them entry would be a backdoor. This is creating a vulnerability they had fixed but that's not the same thing AND it's not being applied to every iPhone.

In this case, what they are asking for is a software update to a single phone. I have two problems with this, the first being compelling a private entity (person or corporation) to make something and the second being opening the door to other prosecutors and investigators wanting the same thing. OTOH, I don't buy the arguments coming from Apple either -- clearly they can produce a new software version and they would know exactly where in the code to stop it from auto-wiping after exceeding the built-in counter. Saying they can't do that is a whole lot of hooey. I'd be far more inclined to believe them if they said they were concerned the government would replicate the special software for illicit use on other iPhones or something else -- but that's NOT what they've said - and they could have proposed ways to ensure the special software load doesn't get out into the wild.

[Irving]

I have a question about the comments about the government requiring a company to create something that doesn't exist. How is that different than requiring seat belts, air bags, anti lock brakes, catalytic converters, etc on vehicles. Those things used to not exist, now they are required and exist because of it. I imagine this can be applied to every single related industry. So what's the difference?

[Aloha_Shooter]

I have a question about the comments about the government requiring a company to create something that doesn't exist. How is that different than requiring seat belts, air bags, anti lock brakes, catalytic converters, etc on vehicles. Those things used to not exist, now they are required and exist because of it. I imagine this can be applied to every single related industry. So what's the difference?

To me, there isn't any difference. I don't think companies should be REQUIRED to put those in either. However, the implementing legislation and regulation were founded on the fact the devices already existed (this special FBIOS presumably doesn't exist yet -- I was simply arguing against those who said it couldn't be done or that it was a "backdoor") and contributed substantially to overall safety. The attempts to force biometric handgun safeties tried to follow a similar pattern in requiring the devices once an effective design had been proven; IIRC at least one locality has actually passed the legislation but has not yet mandated the requirement BECAUSE no such effective design has yet been proven.

[Irving]

Seems like the government can "backdoor" those safety requirements by saying, 'you can make whatever vehicle you want, but in order to be used on public roadways, these features must be present.'

[Aloha_Shooter]

Seems like the government can "backdoor" those safety requirements by saying, 'you can make whatever vehicle you want, but in order to be used on public roadways, these features must be present.'

Yes, that's the way they're doing it. The one difference is that they generally do it only after an effective device has been proven to exist. Apple is saying FBiOS doesn't exist and they have concerns about the general safety if it were to exist. Very distinct concerns:

1. Does a version of iOS doing what the FBI wants exist? I think even the FBI agrees the answer to this is no.
2. Can a version of iOS doing what the FBI wants be created? Disputed.
3. If this special version of iOS is made, can it be protected from dissemination in the wild? Disputed.
4. If this special version of iOS is made, can the government be prevented from copying it?
5. If this special version of iOS is made, can the government be trusted to use it only for the one instance they have cited? Disputed.
6. If Apple complies with the FBI request, what's to prevent other LE or state prosecutors from making similar requests?

More esoterically,
7. Does FBiOS constitute a "backdoor" for all iPhones?
8. Is Apple being asked to "break" the cryptography on iPhones?

I add the last two esoterically simply because that's what some people are saying in their writings but note that a "backdoor" is a specific type of security vulnerability, usually involving installing one or more special keys or passwords that allow entry at will. This is more along the lines of circumventing rather than breaking the encryption. A laymen's analogy would be if I, as an architect or security company, purposely designed one or more blind entries into a bank or installation so I could get in at will -- that's a backdoor -- versus an Ocean's Eleven or Mission Impossible team breaking in by attacking how security was implemented or just brute forcing it with a Panzer round (ala Kelly's Heroes).

[Skip]

They (the gubment) aren't asking Apple to "break" their encryption in the traditional sense (e.g. decryption). They are asking Apple to make it easier to brute-force by not auto-destroying after a given number of invalid attempts. e.g. send the phone a special 'software-update' that changes the phones behavior. This is doable by Apple, but would require an amount of effort that I don't think the gubment understands or cares to understand. Its akin to asking MS to re-do a special version of Windows. Could MS do it, yes. Is there a lot of effort involved in the development and testing of such a thing - more than most people who have never seen the soup being made actually realize.

The encryption that Apple uses is sound, and I do not believe that it has been backdoored by Apple. Therefore I don't believe Apple can 'decrypt' your phone on a whim. Could there be flaws in the cryptosystem that an attacker, or the gubment, could use to exploit the system? Always.

So this is more about a permanent "back door" then the exceptional need to decrypt the terrorist's device? That is reason enough to oppose it. The Fourth Amendment is blanket protection that can only be violated with due process (exception) and we shouldn't be willing to give that up because TERRORISM!!!

It's interesting how gov overreach has turned this (and other things) into a boolean decision. Thinking of an example in meatspace where a lock company designs a file cabinet/lock that in impenetrable and a terrorist buys it. It's hard not to think of ways the company could satisfy the exceptional need (gov interest) to open that lock while maintaining the integrity of their product/privacy of other customers who have done nothing wrong.

[snip]

And more importantly, for anyone that is thinking of voting for Trump:
http://www.nbcnews.com/news/us-news/...hooter-n522031

I think Trump just lost a lot of support, particularly from Independents and Libertarians.

[hatidua]

5. If this special version of iOS is made, can the government be trusted to use it only for the one instance they have cited? Disputed.

Can the government be trusted not to snoop once they have the technology to do so….. -That's pure unadulterated comedy right there.

[asmo]

So this is more about a permanent "back door" then the exceptional need to decrypt the terrorist's device?

Except in the digital realm - once it is created, its out there forever. All it takes is for a copy to get loose and now we all get to have fun. There is absolutely zero difference between a one-time/just-this-once/just for this device and a permanent backdoor for everyone. Once you get into the security of how the actual protections work you will see why that is the case.