Sorry to keep things so short, folks. But I’m two Manhattans (really good movie*, you should see it) into my evening and I don’t have any strong opinions about anything (except the idiocy of wanting to make Daylight Savings Time permanent) so let’s get straight to the music. Thanks to Entropy for putting Request Line together last week – this is a fun one.
*Am actually talking about the movie Metropolitan.
UPDATE: RANT
So here’s a brief mini-rant I want to post about the whole Apple vs. FBI business
Preface: I enthusiastically support Apple’s position here.
There’s been a lot of debate about how fulfilling the FBI’s (court-ordered) demands would “break encryption” and “create a backdoor” into iPhones. Apple has said as much themselves, and the tech press has enthusiastically run with it. But that’s horseshit.
Proper security design generally requires a strong password (you all know what this is by now) and employs a series of hashing rounds in order for the computer’s processing ability to limit the speed at which “guesses” can be tried. There’s a balance here – if you send it through too many hashing rounds, it could mean the computer is tied up for a time while authenticating, leading to user frustration (in the case of an iPhone, imagine having to wait thirty seconds for authentication every time you unlock your phone). Send it through too few, and it becomes feasible to brute-force a password – guesses can be made and tested at an extremely high rate and the limiting factor is the strength of the password. A four digit passcode is a TERRIBLE password – so using a hardware-based solution (i.e. trillions upon trillions of hashing rounds) to resist brute force attacks isn’t feasible. Instead Apple employs a software-based solution – a lockout process. After a certain number of incorrect guesses, the device must wait for a set amount of time before another guess is processed.
What the FBI is demanding is that Apple make it possible (in some way, shape, or form) for them to make unlimited guesses at the passcode that’s protecting the device. The idea has been pushed very heavily that it would be prohibitively expensive or difficult for Apple to modify its operating system to make this possible – this the REAL horseshit of the matter. Since the security is a software-based solution, all that needs to be changed is the software – specifically, one of two variables needs to be changed. The first variable is the number of guesses before enhanced security measures are employed (i.e. something low-level like increased lockout time up to something high-level like erasing the device’s contents). The second variable is the duration of the increased lockout time. The first can be set to a high number. The second can be set to a low number. Either of these steps, or both, would make brute-forcing a four-digit passcode into a relatively trivial matter (even if you’re still required to punch in the guesses through a hardware interface).
So the question doesn’t become one of whether the software can be “written” to do this – all that takes is changing a couple of variables. The big question is whether it’s possible for Apple to push out software updates (i.e. modify the operating system to absorb these changes) without user confirmation. If that’s not possible, Apple would have said so IMMEDIATELY and the issue would be moot – what the FBI wanted simply wouldn’t be possible. Apple’s silence makes it clear to me that they already have this capability – meaning that this supposed “backdoor” already exists. So really this boils down to a very familiar problem – security vs. convenience. A four-digit PIN is too weak to allow for a hardware solution. But customers would hate having to enter a strong password every time they wanted to access their device. And solutions based on “something you have” (i.e. biometrics, key fobs, etc.) can’t stand up to a determined attack because the attacker can simply take that thing.
Does this mean I think Apple should accede to the FBI (and the court’s) demands? Absolutely not. From a business perspective, it’s catastrophic. Their devices would be perceived as insecure, and countries such as China (or the United States!) would demand to be able to access devices at will. But I want to put to bed the notion that what the FBI is asking would technically unfeasible (or even difficult) to do. It’s not, and it bugs me to see so many words wasted on the insistence that such is the case.
—
So I have a question for the more technically apt among us.
What is preventing the government from physically removing the memory (NAND, right?) from the phone, copying it, and then installing that memory into a computer with a virtual OS installed, so they CAN brute-force crack it?
Is the physical memory encrypted? And if so, is encrypted memory impossible to copy?
Let’s say the answer to both of these is “yes.” Why not still remove the memory and install it into a computer with a virtual OS installed, but the OS has the “memory wipe” killswitch disabled. Or, if they cannot get Apple to write a copy of the software to disable the memory wiping, surely there is some way to prevent, with a virtual OS, that command from being executed.
This seems like a bunch of legal fighting over something that shouldn’t be fought over. The government should be able to do this (I don’t mean “should” as in “they should be allowed,” I mean it as in “they likely already have the capacity”) already. Conspiracy theorists guess that the government brought this case based on a 200 year-old law so they can get the courts to rule in the government’s favor, and thus avoid having any legislative involvement. To me, that seems like a pretty big gamble, especially with the way the Supreme Court ruled not too long ago regarding the legality of searching someone’s smartphone.
(By the way, did you know getting your passcode to a computer or cellphone requires a warrant, but if your computer or phone is unlocked with your fingerprint, no warrant is needed?)
Anyway, it seems to me that the government made a serious mis-step. The publicity surrounding this case is going to remind “the bad guys” to use strong passwords that can’t be brute-forced in a short amount of time.
Sorry for taking so long on this one – I think the problem they’re dealing with is that yes, the memory is encrypted, and they can make a copy of it, but it’s encrypted using the passcode PLUS the device’s UID (a nicely complex alphanumeric string) and without that brute forcing the encrypted data is unfeasible. And I think it’s tough to get the UID without potentially destroying it.
That’s a rock solid playlist.
Apart from Lenny Kravitz.
THERE IS ALWAYS ONE!!
I thought Journey of the Sorcerer sounded really familiar and it hit me it was used the BBC TV version of Hitchhikers Guide to the Universe as the title music. Not sure why I never made that connection before.
Aw, this reminds me of the process WE went through, except most of our prospective names were, actually, you know, good.
http://deadspin.com/the-rejected-names-for-bill-simmonss-new-site-1764774065
I guess to me the analogy would be if a builder made a house and sold it, then later the police come back with a warrant and asked the builder to break down the door and search for them, then allow them to enter other houses warrant or not.
With the security hacking process I believe once Apple does it could potentially be done for all those devices with the same or similar process, and by governments or other entities with resources anywhere. You know way more than I about the technical issues, but the process itself would open a Pandora’s Box of even more government scrutiny of individuals without a warrant or due process. The three letter acronym agencies are already breaking the laws both and technically in spirit; I don’t think we should make it easier for them to do so.
Oh, absolutely, that’s why I don’t feel Apple should play ball. I don’t believe that this is a case of something “getting out into the wild” – it’s a case of Apple being constantly strong-armed into doing dirty work for disreputable governmental agencies. There are really two things that bug me so much about it, though: the misperception of the technical aspects I talk about above, and the idea that Apple is taking its stance because it “believes in doing the right thing” and “cares about its customers privacy”. Like all corporations, what it cares about is its customers’ MONEY – and the best way to get that is by maintaining a reputation as being mindful and protective of its users’ privacy.
What company doesn’t say that though?
I love the threads that lead to the formation of these playlists, lots of stuff I already love with some great new stuff thrown into the mix. Gives me a great soundtrack for playing SWTOR later today.
This one’s got quite a different flavor to it, which I really like.
Agree with RTD that entropy did a great job building in some hobo storyline for last week’s solicitation. I look forward to listening to this while I’m walking around thinking of hopping on a random train and seeing where it takes me.
Here’s a good one:
https://www.youtube.com/watch?v=5X5v8xrPwI0