Posted on 03/30/2016 4:20:27 PM PDT by Swordmaker
The battle between the FBI and Apple ended on Monday with “no clear winner,” according to The New York Times. Not so. The clear winner is the American people, and the clear loser is Apple.
The FBI had requested Apple’s help in unlocking a cell phone used by the San Bernardino killers--Apple refused. The Justice Department took the dispute to court, arguing that a search warrant required Apple to program a “backdoor” into Syed Farook’s password- protected iPhone5. A judge initially decided in favor of the government, but Apple appealed the ruling; the case was expected to end up at the Supreme Court.
Monday, everything changed when the FBI announced it had gained access to Farook’s phone and didn’t need Apple’s help after all. Several issues in the case remain unresolved, but for the moment, the Justice Department has the information it sought.
Apple, on the other hand, looks foolish. Now we know that their much-vaunted privacy settings are not so private after all. By literally making a federal case out of its refusal to comply with the government, Apple CEO Tim Cook meant to show the world that his company was willing to buck the system to protect customer security. Instead, the world has learned that iPhone passwords can be hacked.
(Excerpt) Read more at finance.yahoo.com ...
Being dependent on a single application to remember all your passwords is not a good practice.
I was interested in how the discussion on this thread shifted from “Apple lost its Privacy Fight” to the software sucks.
I guess people couldn’t defend the indefensible, that is, giving the government carte blanche to your data because they want to see a company (they often harbor an irrational antipathy towards) get its nose rubbed in the dirt.
Of course it does. That is part of the security. It has done that for the last several updates. Pay attention. YOU need to know your AppleID password, not the same device that may get stolen. SHEESH!
Those "losers" as you call them is a company called "Cellebrite", an international company with hundreds of employees, with offices on four continents, a Division of Sun International, a Japaneses company. The are one of the most respected forensic IT companies in the world. Losers??? The only "loser" here is you, as usual.
Your reading comprehension is really terrible. Someone else called them “losers”.
I don’t know what makes you so stupid but it really works.
Horsefeathers.
Normally, I consider Apple to be a bunch of loathsome toads. In this case, I tip my hat to them ... they did right.
I see what you did there. . . you clipped the cited article before the money quote in the article:
"We found a way to do a man-in-the-middle attack on an iOS mobile device and replace an original command such as 'query device' with one to install a malicious enterprise certificate application," Bobrov says.
That means for this to work, they'd have to have stolen the involved company's Enterprise Certificate. There is why it won't work. Good try.
As for the rest of your post, Apple's Law Enforcement Guideline page available on its website outlines exactly what it can and cannot do for such devices. It states that it has never "unlocked" iOS devices, but has been able to retrieve un-encrypted data for law enforcement pursuant to legal search warrants on devices prior to devices which were fully encrypted to which Apple does not have the keys. The ACLU article included a survey of devices back to 2008 which included devices that did not have any encryption at all and were only protected by the passcode with no lock-out.
If you use a password manager like Dashlane, your passwords are encrypted and available across several (all of your) devices.
The failure here is not Apple’s, it’s yours for not understanding how to manage your personal security.
The only loser on here is you. . . and the only stupid one is also you. I just reviewed the entire conversation thread to which you were replying, and the only one who referred to the IT forensic company Cellebrite as "losers" was YOU! You have the terrible reading comprehension problem and you have a terrible response problem to project it onto someone who calls you on it. Asshat. Typical. You seem to work at it.
Did Apple actually claim Cellebrite couldn’t hack into it, or did Apple either stay silent or openly decline to assist in the cracking process?
Roflol...
Uh as I said I do use a password manager, But, when apple prompts for the password, in that little modal dialog, you can’t get to it. So, if you aren’t warned ahead of time, you can’t have it on the clipboard. So what do you do? Go to another machine that might have been sync’d and get the password. Possible, but a 20char password is easy to mess up.
If was simply a flaw in Apple logic and judgement to surprise users after an update and not give them a chance to enter later. Much like their recent flaw with the FBI.
I tried Dashlane, but don’t like keeping my passwords in the Cloud. I’m still using 1Password because it’s all local storage. Dashlane has better features, but Cloud kills the deal.
1Password pretty much sucks on Windows compared to OSX.
Apple did win. They didn’t have to make a back door and the FBI realized they would lose that fight in the court room. The FBI never needed a back door to obtain the data in the phone.
If was simply a flaw in Apple logic and judgement to surprise users after an update and not give them a chance to enter later. Much like their recent flaw with the FBI.
I tried Dashlane, but don’t like keeping my passwords in the Cloud. I’m still using 1Password because it’s all local storage. Dashlane has better features, but Cloud kills the deal.
1Password pretty much sucks on Windows compared to OSX.
I'll ignore your digs at Apple because they're misinformed and I'm really tired of explaining things that are easily disproved with a bit of googling.
I tried Dashlane, but don’t like keeping my passwords in the Cloud.
You need to understand that, with Dashlane, your info is only unencrypted on your device. Any time it moves between devices it's in an unbreakable package. That package is only usable on your device, after you authenticate. It's not cloud-based.
“Did Apple actually claim Cellebrite couldn’t hack into it,”
Read swordmakers comments here on FR. He posted all kinds of garbage making claims that not even Apple could hack the system.
Yes, that’s right, encryption can’t be broken...LMAO
"Did what" exactly, leave the MITM mechanism specifics out of the excerpt? Was that so essential to be included for people to understand Apple's "feature, not a bug" attitude? Or does anybody claim that the hack is so "trivial" that anybody could do it? On the contrary, the point is that these issues are not trivial, which is exactly why FBI / LEOs went to court to get a legal warrant to ask Apple to open access to the phone, which they have done before (few times over many years) without the phony "privacy" hissy fits.
No, not exactly and necessarily "stolen," and getting them is not impossible, and because these are aimed at enterprises they are well worth the time to get / fake — and there have been successful MITM with fake or stolen CAs / EVCs in real life (e.g., search "fake certificates mitm attack" without quotes) — but it's a separate subject.
"Good try," really? I am sure some people appreciated the information which I didn't see posted before, and they don't try to attack the messenger, even if they don't like the message. "Don't shoot the messenger, for you may never again be warned of impending danger"
That's a nice fudge of real issues. As you well know, this request / warrant had nothing to do with encryption / decryption (which Apple kept putting emphasis on, to confuse the uninformed) — FBI didn't ask Apple to decrypt the contents of the disk, only to enable the access to the contents of the [encrypted] device bypassing the data destruction mechanism. That the previous devices that Apple helped legally unlock had older technology (duh!) that "included devices that did not have any encryption at all and were only protected by the passcode with no lock-out" doesn't tell us anything about the mechanism Apple used to unlock, nor do we have a need to know.
In other words, it may be 100% correct (especially with fudged language) but it's also 100% irrelevant.
Again, there was nothing about encryption or decryption. Here's what FBI did ask Apple to do in the legal warrant, and it was well within Apple's capabilities to comply, without jeopardizing anyone else's or any of their users' "privacy," any more than their previous [for the time] "state-of-the-art" security measures. U.S. Says It May Not Need Apple's Help to Unlock iPhone (What FBI wants from Apple) - FR, post #47, 2016 March 21
It's time to take the tinfoil off where it's not needed. If anyone's iPhone is lost or stolen, then the data is encrypted and if password / bio security are enabled and applied by user, then that phone is of no use to the casual thief or hacker, so iPhone users' privacy is already very well protected. It's not endangered by Apple cooperating with LEAs to unlock a terrorist's phone (especially if it were done quietly, just like they did before and will surely do in the future with the Chinese or some other governments).
Few dozen cases over decade of federal and state law enforcement agencies obtaining legal court orders and asking Apple or Google to cooperate in unlocking the phones / devices should hardly warrant the hue and cry about "loss of privacy" to the government that Apple decided to generate by going "full Snowden" and obfuscating issues with the phony "backdoor" and "breaking encryption" pretenses.
Our devices are better protected than ever, if we exersise even a modicum of caution and common sense, and Apple and Google and Facebook know more about average citizen or non-citizen than the government. Time to take the tinfoil off where it's not needed.
Hint...They aren't.
I have read Swordmaker's posts in many threads, and I don't recall ever seeing him write something that said that Apple could not even hack into its own system, although hacking into a system to obtain unencrypted data would likely be quite a different thing than hacking into a system to do a number of other things. I did the courtesy of reading this thread completely, and read one of his comments that said "...Apple is making it impossible for them to even KNOW anything about their customers by putting their customers' in charge of their own data and privacy, not Apple. Apple does not have the keys to those data and cannot decipher it. Apple cannot sell what it cannot read..."
This paper explains the details of what Swordmaker stated above is true: iOS Security for iOS9 or Greater
I am sure that it is viewed as Apple propaganda by some (possibly even you) but if so, I would be interested in how you think they can get around this themselves.
Fake certificates will not work. Certificates are registered. A fake one will fail the registration test. This shows you don't know what your are talking about. Those are not the same thing at all. It has to be the Enterprise certificate for the company the device that distributed the software, one that is already on the iPhone, the certificate the ENTERPRISE issued, not some fake cobbled up. Those enterprise certificates are guarded like the crown jewels for obvious reasons. Enterprise updates are PUSHED out, not left to the employees to install at their leisure. This is a proof-of-concept idea, but not worth anything in the real world. . . except in Asia where such shenanigans exist because of these certificates are used with third party App Stores to install their non-Apple App Store apps. You DID notice the dateline didn't you? Asia.
As for "shooting the messenger", I generally post serious warnings on FreeRepublic for the Apple Ping list. This is not a serious problem. As Apple said, it is a feature. The likelihood of someone being able to exploit this is nil.
That's a nice fudge of real issues. As you well know, this request / warrant had nothing to do with encryption / decryption (which Apple kept putting emphasis on, to confuse the uninformed) — FBI didn't ask Apple to decrypt the contents of the disk, only to enable the access to the contents of the [encrypted] device bypassing the data destruction mechanism.
YOU are one of the uninformed. Encryption is protected in many ways, and one of those ways is to prevent access to the keys. The FBI was ordering Apple to unlock the means to the access the keys which WOULD decrypt the iPhone. Learn something before you post your drivel. Apple placed a hardware lockout to prevent that access. Removing it opened the way to getting at the keys to unlock the encryption. Security is always multifold, and removing any of it make it insecure. In fact, CutePuppy, it makes something that was impossible, completely possible. How is that not essential about decrypting the iPhone? That makes you one of the confused.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.