I personally don't think there is anything on the phone that helps the government in any way.

A public agency owned this phone. They should have provided a way to access the information, not Apple.

Terrorism: getting Governments to screw the people they serve so you don't have to.

Isab, I agree, and there are plenty of tech people making this point. I can't remember who said this, but the personal cell phones were smashed (and probably digitally smashed as well). This was the murders-for-Allah dude's work phone -- in contrast to their personal ones, left pristinely intact.

Just to make sure this is understood: the individual phone in question CAN be cracked.
Do not accept decrypting a single phone as the reason for this government fishing expedition.

So much to discuss here. Let's recap where things stand right now:

The Justice Department has obtained a warrant requiring Apple to provide assistance in cracking Farook's iPhone. In this particular case, this can be done without attacking the encryption per se. What the government wants done is for Apple to find a back door into iOS and disable the system feature that erases all data on the phone after 10 consecutive unsuccessful unlock attempts. The phone is protected only by a simple four-digit passcode, so if the data self-destruct can be defeated, the FBI can find the code to unlock the phone by exhaustive search, simply starting with 0000, 0001, 0002, etc.; finding the right combination will take a maximum of three days.

The problem is that it is simply not possible to build an attack tool that only works against one specific phone, as the government is requesting. If it can hack one phone, it can hack all iPhones running the same version of iOS. Once the code gets out into the wild (and it will), Apple will have to immediately start trying to get everyone off of that version of iOS because it will no longer be secure. Presumably, the FBI and/or CIA have already gone through all of the black-hat materials they could get their hands on in an attempt to hack the phone, and didn't come up with anything. And on the flip side, it's not clear to me that Apple can do what the government is requesting. After all, if the black-hat community has come up dry, it's not likely Apple is going to come up with anything, unless they somehow hid a back door that no one else has found. (And that's very unlikely.)

Here's the story behind the story. The government is using this case to lay down a marker, one that says that all operating systems will be required to contain a government back door. Apple already offers "complex keys" as an alternate to unlock PINs; you can't get a complex key by random guessing (if the person who set it wasn't totally stupid), and so it doesn't matter how many attempts the operating system allows. The only way to get it is to crack the encryption itself. Designing secure encryption algorithms, ones that don't contain undesired back doors, is a very hard problem. Putting an intentional back door in, and making it secure, is a problem that's so hard that mathematicians have made no headway on it. If an algorithm contains a back door, unintentional or not, eventually cryptanalysts will find it, and then the encryption is no longer secure. Just assuming that no one will try to crack it because the U.S. government threatens them is hopelessly naïve. Putin, China and Iran very clearly don't care about U.S. laws.

To steal something I saw on Ars Technica: Obama is a politician, and so he assumes that there is a political solution to everything. Math, however, doesn't give a damn about politics. The government's pretense is that the problem can be solved if "the nerds nerd harder". But it's like telling the mathematicians, "You keep saying that two plus two equals four. However, there are times when the government, in order to keep people safe from terrorism (plus make IRS investigations easier), needs for two plus two to equal five. And when mathematicians refuse to go along with this, they are refusing to compromise. We must all compromise in order to keep the nation safe, and absolutist mathematicians are being obstructionist and are hindering progress."

Of course, the issue behind the issue is the government's expectation that everything on line should be searchable, at any time. They'll yammer on about "safeguards against abuse" and "multiple layers of protection". In the cell phone metadata case, we saw how easily those "multiple layers of protection" were bypassed, and the warrantless data collection was abused. Universal surveillance is clearly the goal.

The ironic thing here is that Apple is a pretty leftist organization, as is most of Silicon Valley. They have been happy in the past to donate money and expertise to a plethora of big-government issues and causes. Now they've suddenly realized that the tiger that they raised and fed wants to eat them. Will this stop them from feeding other tigers? Probably not. They'll still expect that the tigers will eat everyone else but leave them alone. Because they're special.

"Presumably, the FBI and/or CIA have already gone through all of the black-hat materials they could get their hands on in an attempt to hack the phone, and didn't come up with anything."

Nope. It is quite clear the NSA can get at the data. Even that nutjob over at McAfee has offered to crack the phone in three weeks or eat a shoe on live television.

This was always about creating a precedent. They couldn't even hold off till this court case was decided. It isn't one phone anymore. There are over 10 phones different levels of government are pushing for Apple to crack.

JohnZ is also a pretty mean photographer... lotsa good thoughts in that post.

I think we could file the whole thing under giving a mouse a cookie... or give 'em an inch and they'll take a mile.

I agree that this is about setting up a precedent. I do NOT believe that this is about THAT phone.

However, here's where most of you will disagree with me; but, that's okay:

I do NOT believe Apple on this because Apple, in order to sell products in China, has already agreed to have the government of the People's Republic of China review ALL electronic products before they can be sold in China to undergo a "security review." If any company refuses this "security review" then China does NOT allow that product to be sold. Period. No exceptions. (Piss off a government that can ban your product and you've lost access to a market of a potential 1 billion customers)

Just what this "security review" involves, who knows? Both, China and Apple are very tight-lipped about it.

So, I believe that Apple may have already supplied such "back door" entries; but, they have done it "under the table" with China. They can deny it and China will deny it as well.

But, this case in the US will cause this "backdoor" access to become an open secret; because, despite our complaints, the US government is way more transparent than China.

So, in my opinion, this isn't about Apple defending our rights, however, much they talk and make such "noble" gestures - it is about Apple trying to keep its market share. Whichever company blinks first and gives a transparent government this "back door" access will get a black eye in the view of consumers. And, therefore, lose market share.

Lastly, I do have to wonder would Apple and others be so firm in standing their ground if this were to access a phone that belong to a bunch of rightwing wackos that were attacking gays or other minorities? Maybe, but, maybe not as well.

But, I don't believe that Apple is doing this out of noble, protecting-our-rights, idealism. It is about money. period.

Amy, there are no privacy issues here. The owner of the phone is the local government, and it has consented to disabling the security lock erasure program so law enforcement can hack the password. Also, Apple has done similar things for the Fed gov't about 70 times in the past. I'm awaiting an explanation from either side that makes sense in light of the facts, and isn't rhetorical posturing (e.g., we need help protecting us against terrorism vs. it's about protecting our privacy- which most IT businesses will sell to any marketing outfit whose check can clear the bank). So far, Ben's comment appears to be closer to accounting for the facts than any other I've seen.

Mobile test

"Amy, there are no privacy issues here. "

I believe there are. I think, but maybe I am remembering it wrong, that Apple had no problem unlocking a single phone for law enforcement, which they have done at least ten times before.

What Apple objected to was the court case, which would give the government a legal basis to compel them to unlock * any phone* and therefore *every phone*

You don't go to court unless you want to establish a legal precedent to give the government the right to do something wholesale later.

And I don't really care that Apple probably fought the case to protect their market share. That is merely a smokescreen argument by those in favor of handing back most of their constitutional rights to the government.

Eventually these morons will find a right that don't want to give up, but by that time, it will be far, far too late.

"Presumably, the FBI and/or CIA have already gone through all of the black-hat materials they could get their hands on in an attempt to hack the phone, and didn't come up with anything."

I don't buy this. My source is a retired senior enlisted spook, once in Army Signal Corps.

Don't miss this angle: when the consumer is the sole controller of the data on her phone, Apple has no liability at all for its content.

Idiots already think that libraries can actually prevent people from viewing things the idiots think are inappropriate, because idiots think that nasty pictures always have certain file names and suffixes. They also want to hold the library liable for little Johnny's effort to see tits.

Who wants to be a part of any government witch hunt when this comes to your phone?

Actions, not information or communication, need to be the core of any definition of a crime. If this principle is abandoned - or even unrecognized, it enables the Thought Police.

Cousin Dave, there are all sorts of suppositions going on here. I'm not picking on you, since as far as I know neither Apple or FBI/DoJ have provided real information about the relevant passcodes.

The phone is protected only by a simple four-digit passcode, so if the data self-destruct can be defeated, the FBI can find the code to unlock the phone by exhaustive search, simply starting with 0000, 0001, 0002, etc.; finding the right combination will take a maximum of three days.

Maybe it's a simple 4 digit passcode. It could be 6, but that only lengthens the time needed to brute force the passcode. It gets interesting if a custom alphanumeric was used. Also, that whole "10 times your data goes bye-bye" must be set in the user preferences.

Who is to say that those assholes didn't set it that way, and then trigger the delete as well?

But that's just handing waving details. From a forensic point of view, the first thing I would do is make an image of the phone's ROM, copy that to a server, make a checksum so I can verify any copies made from that image are accurate, and then put the phone back into the evidence locker. If that image is lost, destroyed or otherwise damaged I don't care because I can make as many copies as necessary.

Now I can feed that image to an iPhone emulator. With a high speed network, I can easily feed copies of that image to 10,000 servers. At 10 pops a crack, that's 100,000 numeric pass codes in the matter of minutes.

Rinse, lather, repeat. The Alphabet Soup Agencies don't bloody need a crack. They just have to work at it.

What they really want is a backdoor into iOS devices. That's what this is about. As Charles points out, Apple isn't doing this out of sense of duty to the rights of the people.

They want to make sure that their US customers aren't tempted into going to Android where you can get full disk encryption.

http://www.engadget.com/2014/03/05/how-to-set-up-a-complex-passcode-on-your-ios-device/

Another thing that is rather important: the moment Apple makes any modification to that phone its value in a criminal investigation goes out the window since you can not prove beyond the shadow of a doubt that new data wasn't introduced onto the phone.

It has been materially altered. And if you think Apple is pitching a fit now, wait till a defendant's lawyers ask for a copy of the program so that their forensics experts can review.

Apple will pitch a fit. So will the FBI and DoJ.

Apple did not unlock 70 iPhones for law enforcement.

http://techcrunch.com/2016/02/18/no-apple-has-not-unlocked-70-iphones-for-law-enforcement/

Just to be clear on the specifics of this:

1. The phone is full disk encrypted IRA. What goes kablewie after x number of tries is the long form password for that encryption stored in a chip on the phone, not the standard ROM all the data is stored on. Copying the ROM doesn't help you.

2. In order for Apple to defeat this encryption a modified version of IOS could be created. It will then be released as an update to the phone. Apple has indicated that this change is fairly insignificant (a few weeks of programmer time).

3. As Isab points out, there are no privacy issues with this phone. It is owned by San Bernardino County. They have OKed any and all attempts to unlock the phone.

4. Yes, Apple has opened other phones to law enforcement. But not in this fashion. Someone (FBI or local PD, I don't know) screwed with the phone making the standard unlock method no longer viable. I can't say if that was incompetence or intentional. And as Parabarbarian notes not all of the phone data is available that way anyways.

I agree that Apple's main concern is market share. Their encryption is a major selling point. Being forced to put back doors into their phones will really hurt their advertising. But why Apple is objecting is irrelevant to me. Should the government be able to force companies to put back doors into their devices? I say no. If they want to do so voluntarily that is their choice. But I am against using force. Should the government be able to force people to do work? Can the government go to a safe manufacturer and force them to invent tools to break open their safes?

" Should the government be able to force people to do work?"

Many people have already insisted that the government can tell a business what they must pay, and what their health care plan must be.

We have already stepped onto the slippery slope.

I agree Rad. The people who are for free speak but against hate speech (yes they are stupid and yes they are numerous) are also for freedom . . . to do exactly what they want you to do. If you don't want to do what they want then the knives and guns come out.

We have already stepped onto the slippery slope.

Stepped? hell, we're sliding down that slope at an ever increasing rate of speed. Road rash is a given at this point. It will be the sudden and inevitable stop at the end that will really hurt.

"This was always about creating a precedent. They couldn't even hold off till this court case was decided. It isn't one phone anymore. There are over 10 phones different levels of government are pushing for Apple to crack."

Certainly, they are doing this to create a legal precedent. Basically, they are trying to get through judicial activism what Clinton's administration was unable to get through Congress, with the Clipper program. And yes, there are all kinds of government agencies who are interested in this. I saw a list the other day of about 25 county sheriff offices who say they are watching this case and have subpoenas ready to roll if the JD wins. Police in many jurisdictions can pretty much get a warrant on their say-so these days. Apple will be besieged with unlock demands.

The petard on which Apple, and the rest of Silicon Valley, are being hoist upon: See what Charles wrote above. The tech companies have, for the most part, been more than willing to go along with Big Intrusive Government in the past. It is known, for example, that Cisco puts censorship-enabling software in the network gear it sells to China. Cisco has acknowledged it and very few people seem to have a problem with it. The Snowden revelations exposed the fact that all of the phone carriers had (with varying degrees of willingness) cooperated with the government and built into their systems the interface that passed phone call metadata willy-nilly to the CIA systems. When that happened, Apple realized that the credibility of their products, from the privacy standpoint, was threatened. (Android phones were threatened too, but Android is open source, and so there are all kinds of security-hardening extensions available.) They had previously offered as a service to customers the escrowing of keys, so that if a customer got themselves locked out of their phone, they could call Apple and get it unlocked.

So with iOS 6, they did some things. First, they put in stronger encryption. Second, they ceased escrowing keys for customers. Apple reasoned that they can't be subpoened for keys that they don't have. There was some consternation in the user community over this; some people were worried that they'd lock themselves out of their phones and be unable to ever get back in. But Apple decided that, in the face of the Snowden revelations, that this was what they had to do in order to keep their customers.

So now that Apple can no longer respond to key requests, the government is now demanding a back door. Of course, the presence of such a back door and how to unlock it would probably become public knowledge in fairly short order, and Putin and China would have it before then. So, from a privacy standpoint, that's no good at all. Remember that open source Android system, that users can security-harden themselves? That's what Apple is competing against. Not just their product but their entire business model is threatened.

Now that we've mentioned it: if the government succeeds in the Apple case, what happens to Android and other open source systems? There isn't much point in the government demanding that Google put a backdoor into Android, since third party developers will quickly figure out how to lock it. Is open source and third party development going to be banned? Will it become illegal to code without a license? Will programmers be required to get security clearances and work under government supervision? What about software from overseas, where the U.S. government has no influence? Will all computing devices become sealed, and will it be a felony for an unlicensed person to open one? Will it be illegal to import non-government-approved computers?

And what about the U.S. military -- will it have to go back to producing its own hardware and operating systems, because the COTS products can't be secured? What does that do to the defense budget?

Cousin, COTS is already a nightmare in Federal hands, but this is camouflaged by the Feds' endless appetite for money, and their ability to insist that (name here) employee is vital to agency interests.

Where I work, there is a filthy hodgepodge of COTS "security" measures, the principal effect of which is to prevent the standard desktop PC from opening a MS Word file bigger than about 6MB. It takes a few minutes for any PC to start up (seconds at the house, of course). Hmm. Disk encryption is required for all laptops, and the version selected even encrypts pagefile.sys whenever it is written, so your laptop speed is halved.

Custom software doesn't have to be crippled to keep it from calling the Internet, it lacks the "hooks" hackers use and it's more compact.

Today, your tax $$ are paying for a staff to monitor the performance of Emerson controls installed as a replacement for D/3, one-fiftieth its size. It seems nobody gets paid to simply maintain a 20-year-old OS which simply does the job.

Raddy, ironic laugh here... the problem I have is with Excel. Our project generates a bunch of big CSV data files. The copies of Excel we have access to won't open them. Really inhibits my ability to monitor what the software contractors are doing. Do you guys use CAC cards? We all learned a while back not to use our laptop disk to store anything important because the encryption is keyed to your CAC card, and when the card fails, everything you encrypted becomes unrecoverable. Everything goes on the server, which slows down performance and makes the laptop useless when you're offline.

Thanks for the tip about the cards - we are being forced this year into using them.
They are NOT more secure than the ID procedures we once used at work. Only the card itself is "better". They can be obtained easily under false pretenses.

So far as Excel goes - I don't know if it has its own network access scheme... Explorer doesn't (didn't?) have priority when talking to servers. Filemaker Server establishes that priority between your machine and a server, because the company found that Explorer would NOT call a server and communicate the data in big databases reliably - even in the correct order. So Filemaker doesn't ask Windows to do anything but write to the screen.

What the government is asking for here is the equivalent of asking a major manufacturer of door locks to make a master key that would work on millions of locks sold worldwide, in order to unlock one door... except that, unlike a physical master key, this master key can be sent across the internet and electronically duplicated by anyone who downloads the file. Once the secret leaks, not only can NSA, the FBI, and their rival agencies in China and Russia crack any iPhone of that generation, but so will third-world government intelligence agencies, industrial spies, and hackers everywhere.

The problem with keeping a back door secure is mainly nontechnical; it creates a secret that must be distributed to a few trusted people, but can _never_ go further - it will be eternally at risk of not only being revealed deliberately or accidentally by it's holders, but also of being stolen in a break-in. No public or private agency has ever been that good at maintaining secrets. There's no technical solution to that.

As Ben Franklin said, "Three can keep a secret, if two of them are dead." But that isn't where this demand from the FBI would stop. The secret won't reside only within the skull of one Apple engineer, but as a set of files on disk. Once it's been used once, the government will find more cases where it could be used. The files will be copied and more people briefed on how to use them.