Apple CEO Tim Cook: FBI's Backdoor Would Be 'Software Equivalent of Cancer'

[techwhiz]

As a military member, supporter of the Constitution, Apple user, and American I support Apple and Tim on this issue. My father also died of cancer and many people in my family have.... so please people... if you're crying about him calling what the Gov wants them to do a cancer ffs why? Would you prefer another word that denotes an insidious problem that could cause wide spread damage? Or should he make up a word?

My grandfather dies of cancer, have friends with cancer. Had a tumor as close to cancer as you can get without it being the "C" word.

I guess the guy the guy would like us to use Hep-C or something else that is insidious and slowly kills?

Agree. Apple continues to use the straw man strategy. FBI isk asking to get into THAT phone, not every phone.

They are also asking about 11+ still in the pipe.
They are also not just asking to get into the phone.
They are asking Apple to CREATE a way to get into that phone that does not currently exist.

 

[\-V-/]

The FBI didn't "go public". They got a court order to force Apple to help them because Apple refused to cooperate in a national security investigation involving a phone which was owned by a local government which said government couldn't access. The media took it from there and Apple chose to put themselves front and center with the media in responding. Frankly, Tim Cook is not doing his company any favors with this though I'm sure he thinks he's trying. Ultimately, Apple isn't going to win this. They should have helped the FBI in secret when they had the chance and no one would have known.

Apple isn't doing the company any favors? You mean with the massive support they're getting because their stance is logical? I want what you're smoking.

 

[sudo1996]

No. Apple holds the keys for encrypted iCloud backups. They can access almost anything stored in iCloud. They have already turned over information on prior backups of the iPhone in question.

Uhh... I would really hope that is not the case because that would violate the number 1 rule of server-side account security.

 

[gnasher729]

The FBI didn't "go public". They got a court order to force Apple to help them because Apple refused to cooperate in a national security investigation ...

Stop right there. The FBI wants to get information for a criminal investigation. The FBI knows nothing about national security. The people who know about national security are at the NSA. And the ex-chief of the NSA has declared publicly that opening up the iPhone encryption puts national security at risk.

As far as national security is concerned, what Apple is doing is exactly the right thing.

 

[dk001]

Agreed.

By the way, for those who haven't seen it, this 30 minute interview is worth watching for a change. Tim Cook gives a great performance.

On the subject of iCloud backups, surely Apple need to make them more secure. Why should they hold a key? That is a weak point in their security. If you want a safer backup, only backup to iTunes and turn off your iCloud backup for all your devices.

Suspect we will be seeing encrypted iCloud backup sooner than later.

 

[BaldiMac]

Uhh... I would really hope that is not the case because that would violate the number 1 rule of server-side account security.

It's true. See my follow up post.

I doubt that is the number one rule considering almost all popular sites allow you recover your account password should you forget it. That requires that they are holding the key (or not encrypting.)

 

[sudo1996]

The problem is once it's made its made. What if that copy got into the wrong hands?

You think this code will be used once and deleted? Haha. No way! The FBI would ask apple to keep it for other cases. Apple doesn't trust all its employees either.

This is why this issue is so important. And to know that half of America sides with the FBI is scary. I don't think people honestly know the big picture here. It's not about one phone. It's about public safety and privacy.

Yeah, I understand the slippery slope argument. There are a few ways I can think of that Apple can go about this:

- Decrypt the information for the FBI without giving them the software. Apple is already trusting the employees who hold the source code not to make the software themselves. It's probably one line of code that needs to be changed.
- Make it so the software encrypts the data with a key that only Apple holds so that only those who are authorized can use it.
- Make it so the software only works on the specific phone that the FBI gives them (this one I'm not sure about).
[doublepost=1456430121][/doublepost]

It's true. See my follow up post.

I doubt that is the number one rule considering almost all popular sites allow you recover your account password should you forget it. That requires that they are holding the key (or not encrypting.)

I saw the followup post, and that's troubling. Really, Apple should not be doing that. But password recovery doesn't require that they hold your key. To recover your password, you should need to answer some security questions and/or provide some other information that's not stored anywhere, and Apple should be encrypting the passwords with that information.

By the way, these security questions with online services in general are often really dumb, way easier to guess than the password itself. Why are they making us create a complex password with upper-case and numbers when anyone can get in by finding my birth date, my mom's name, and my dog's name? Someone broke into Sarah Palin's Yahoo! email account using information from Wikipedia to answer the questions.

 

[CalWizrd]

... It's probably one line of code that needs to be changed...

You've been involved in software development for how long?

 

[gnasher729]

The phone is currently designed to allow the user of the phone to set it up so that 10 incorrect passwords wipes the phone. That is a security feature of the phone. It is also designed to force a delay between password attempts. That is another security feature of the phone.

I think the delay is actually not a security feature. You can't turn on the delay on its own, just the "wipe after 10 attempts". The delay is there so that some idiot cannot go and erase your phone by tapping in the wrong passcode 10 times in a row as a "prank". If you left your phone unwatched but locked, I cannot erase it in a minute, but it takes me over two hours.

 

[sudo1996]

You've been involved in software development for how long?

3 years, why?

 

[tgara]

1) Your premise this is an ideological driven case is off. None other than Ted Olsen is representing Apple here. Yes, the same Ted Olsen that represented the Bush 2000 campaign in the Bush vs Gore case and later became Bush's Solicitor General.

2) Investors understand the value of security built in to products. It makes a product very valuable to business against industrial espionage, governments (political espionage), and ordinary people who want to protect their financial and other information. Privacy is a selling point and a differentiator against rivals. THAT is why Apple is defending it so hard.

I understand your points, but would offer:

1. Yes, I know who Ted Olson is. He and Ted Boutrous are both excellent lawyers, but I think they will have their work cut out for them on this case. As I see it, the facts and the law are not in Apple's favor.

2. Perhaps, but investors also understand complying with lawful legal requests and court orders. But instead, Cook & Co. insist on going through legal Armageddon in order to prove a point. Not a good approach IMHO.

 

[CalWizrd]

3 years, why?

Because of your naive "... probably one line of code" remark.

 

[tongxinshe]

Oh I'm sorry, I do apologise for being sensitive to his pathetic tagline and your apparent objection to MY OPINION in this free speech world we live in.
I seriously suggest you do NOT reply to anyone who dislikes the comment he made as it is their opinion, not yours and it's certainly not yours to object to mate. You have NO idea how some people feel about the disease.

Perhaps I should bend over for Apple no matter what like some on here seem to? Would that be acceptable? To NEVER EVER object to anything they say or do? Would that make you happy?

"Open speech" means that everyone have the rights to speak.

A suggestion, on discussion boards, please use logics to discuss, not emotions, because as you said, emotions are for private lives, not for public discussions. Logical discussion help everyone in the discussion group gradually understand the truth better, while personal emotions only creates noises.

 

[techwhiz]

I think it is all about marketing. Legally speaking, Apple is in a pretty weak position. I've read the court filings and orders, and I have to say the government has the better arguments under the current laws. They've followed the law at every step, and they have a lot of precedence to back them up in this particular situation. Tim's public letter is very misleading if you know how the current law works. His argument is simply "We won't help because we think its wrong and don't like what you're doing". Sorry, but that doesn't get you off the hook. My guess as to why others in the tech community are not voicing more support for Apple is because they know Apple is in a weak position that is hard to defend and they don't want to be associated with it.

Actually Apple didn't say they wouldn't help.
Apple tried to help. The FBI made this public. Apple found out about it in the press.
What Tim Cooks said is that (I'm paraphrasing) Apple will not develop custom software that will allow the government to brute force open a locked iPhone. They won't because that software is dangerous.

Also Apple has plenty to stand on. The FBI is demanding a new invention.
They are not just saying "give us the key you have".
They are saying go out and "make me a new way to open a lock".

If Apple loses this battle, and I think they will, I think a lot of shareholders (me included) are going to be very angry with Tim Cook and Bruce Sewell (Apple's General Counsel) for going down this road in the first place. Unlike the community here that is largely made up of politically liberal young tech geeks jaded by the Edward Snowden revelations, the investors are regular everyday people and institutions who I think will draw the line at challenging court orders to make a point.

You seem to generalize the people here.
I have been doing chip development for a variety of industries along with implementation of network security.
I'm not jaded by Edward Snowden.
I'm jaded by the following and more:
Tuskegee Bad Blood Experiment - https://en.wikipedia.org/wiki/Tuskegee_syphilis_experiment
MkUltra - https://en.wikipedia.org/wiki/Project_MKUltra
Allan Dulles - http://www.abovetopsecret.com/forum/thread210739/pg1
San Francisco Biological Experimentation - http://www.sfgate.com/health/article/Serratia-has-dark-history-in-region-Army-test-2677623.php

The FBI is just plain wrong.

 

[sudo1996]

Because of your naive "... probably one line of code" remark.

Alright, expert, who the heck writes software where the constants for something simple like retry attempt delay time are scattered all over the code? You? Do you get hired to write software and do stuff like that? Is your logic flow also so messy that nobody can disable a feature without editing large chunks of code?

 

[BaldiMac]

Yeah, I understand the slippery slope argument. There are a few ways I can think of that Apple can go about this:

- Decrypt the information for the FBI without giving them the software. Apple is already trusting the employees who hold the source code not to make the software themselves. It's probably one line of code that needs to be changed.
- Make it so the software encrypts the data with a key that only Apple holds so that only those who are authorized can use it.
- Make it so the software only works on the specific phone that the FBI gives them.

And then you have the next phone and the next phone... And then they'll have to use it in an actual trial where the defense will by allowed to examine the software. Rinse. Repeat. It's going to get out. (Let alone how this would give Apple the chance to mess with evidence.)

I saw the followup post, and that's troubling. Really, Apple should not be doing that. And to recover your password, you should need to answer some security questions and/or provide some other information that's not stored anywhere, and Apple should be encrypting the passwords with that information.

Again, for Apple to reset the password, they would need to hold the key. Same as any other company the allows for password resets on encrypted data.

They are said to be looking at options. The problem that they have is that there are going to be a whole lot of angry people that lose all of their pictures because they forgot their password.

 

[rdlink]

Plainly wrong. No cloud service companies do that.

If it's like what you described, it doesn't matter whether the password had been changed or not.

So much lack of understanding. No wonder nobody gets the importance of this case.

Apple does, in fact have access to the iCloud backups of the terrorist's phone. Yours and mine too. They gave the government what they had. But the last backup was on October 19th, 2015. And the FBI contends that there may be more data on the phone that was not on the phone when the last backup was made.

Apple actually recommended to the FBI that they should plug the phone into AC power while in the proximity of the terrorist's home network, and allow the phone to connect and perform an iCloud backup, so that they could extract that information and give it to the FBI. But when they made that recommendation they did not know that San Bernardino County, and the direction of the FBI had already changed the iCloud password of the terrorist, thereby "disconnecting" the phone from his iCloud account until such time as the iCloud password is updated on the phone.

 

[techwhiz]

Alright, expert, who the heck writes software where the constants for something simple like retry attempt delay time are scattered all over the code?

But even if it is just a constant.
You left out the hack that allows them to load a new OS on a locked phone.
Normally you would approve an OS install. THis would bypass that and the bypass would need to be a found exploit on the exiting phone.
Also the new OS version would also need to have the input method for password entry modified so that it can take the information from the lighting connector, bluetooth or WiFi.
Any of those would require Apple to bake into the OS a promiscuous WiFi or Bluetooth method to input passwords.

Yeah, one line of code.
You haven't done much system design.

 

[sudo1996]

Again, for Apple to reset the password, they would need to hold the key. Same as any other company the allows for password resets on encrypted data.

No, it depends on how the password reset works. If it's "verify your email address by clicking a link", then sure. If it's "answer security questions", they can encrypt your information or password with the answers.

 

[BaldiMac]

By the way, these security questions with online services in general are often really dumb, way easier to guess than the password itself. Why are they making us create a complex password with upper-case and numbers when anyone can get in by finding my birth date, my mom's name, and my dog's name? Someone broke into Sarah Palin's Yahoo! email account using information from Wikipedia to answer the questions.

No one says you have to answer the questions honestly! How secure they are is up to you.

Q: What's your dog's name?
A: dfadio4898ht78dd)gjjgGG

 

[CalWizrd]

Alright, expert, who the heck writes software where the constants for something simple like retry attempt delay time are scattered all over the code? You? Do you get hired to write software and do stuff like that? Is your logic flow also so messy that nobody can disable a feature without editing large chunks of code?

And do you think the cpu is just sitting there dead for 80ms? Do you think that some screen refresh logic, or some reinitialization code, or anything else for that matter might be interleaved within that delay period?

Have you ever written any operating system code?

 

[sudo1996]

But even if it is just a constant.
You left out the hack that allows them to load a new OS on a locked phone.
Normally you would approve an OS install. THis would bypass that and the bypass would need to be a found exploit on the exiting phone.
Also the new OS version would also need to have the input method for password entry modified so that it can take the information from the lighting connector, bluetooth or WiFi.
Any of those would require Apple to bake into the OS a promiscuous WiFi or Bluetooth method to input passwords.

Yeah, one line of code.
You haven't done much system design.

I was only referring to the delay time. I don't know exactly what the FBI wants as the input method or how Apple approves the OS install. The other features are more involved, but one programmer could probably implement them.

 

[tongxinshe]

Was a good interview, I think Tim put his point across well.

One thing I found interesting though is a few years ago Tim said in an interview, I believe with Walt Mosberg or some such. Where he said with regards to governments forcing Apple to put backdoors in their products that they (meaning the government) would have to wheel us (meaning Apple executives/employees etc) out of the building before they did anything like that.

And yet at the end of this interview he says we like any company in America have to follow the law. So he just went back on what he said, he is not willing to be arrested or be in contempt of court for his beliefs like he said on the record previously.

Maybe he said it this way to get some favor with judges in the future as he did say in the interview that they would take it to the supreme court if they had to and he doesn't want anything he says in this interview to hurt their judgements later on down the line but I was a bit disappointed he didn't reiterate what he had said in that prior interview when asked by ABC if he would follow a court judgement to put a backdoor in the iPhone software.

The only logic loophole in your whole analysis -- you are assuming FBI, or one judge's one-time decision, as the law.

1. The lawyers and everyone in the related business bend the real meanings of the laws all the time.
2. There had been a lot of mistakes made during law creation, there are laws outdated and need modification from time to time, there had been many occasions laws being misinterpreted.
3. Laws are written in human language, and human languages often carry ambiguity, that's why courts debates are necessary.

Just one person in one law enforcement entity said something, doesn't make it golden doctrines no one could challenge.

 

[sudo1996]

No one says you have to answer the questions honestly! How secure they are is up to you.

Q: What's your dog's name?
A: dfadio4898ht78dd)gjjgGG

I know, I always do something like that now if I really care, ever since I found that my Apple ID could be unlocked just using security questions.

 

[BaldiMac]

No, it depends on how the password reset works. If it's "verify your email address by clicking a link", then sure. If it's "answer security questions", they can encrypt your information or password with the answers.

Nope. That's not how it works. The encryption key is generated from the password. Without the password or encryption key, you can't decrypt the data. The only way to create a new password would be to decrypt the data and re-encrypt it with a new encryption key generated from the new password.