Apple vs FBI: Popcorn time

This is getting funny.

Common Software Would Have Let FBI Unlock Shooter’s iPhone
The county government that owned the iPhone in a high-profile legal battle between Apple Inc. and the Justice Department paid for but never installed a feature that would have allowed the FBI to easily and immediately unlock the phone as part of the terrorism investigation into the shootings that killed 14 people in San Bernardino, California.

If the technology, known as mobile device management, had been installed, San Bernardino officials would have been able to remotely unlock the iPhone for the FBI without the theatrics of a court battle that is now pitting digital privacy rights against national security concerns.

So the county was paying for a service that would have gotten the FBI into the phone and cloud, but never bothered installing it. Instead, they screwed up and reset the cloud password, locking themselves out of what they want. Then they went to a federal judge and lied about how it happened.

And the judge ordered Apple to fix everyone else’s mistakes.

Did I miss anything?

The story changes

When last we visited the FBI iPhone fiasco, it appeared that some county IT guy changed passwords on the phone all on his own, while the evidence was in FBI custody. Today…

San Bernardino Shooter’s iCloud Password Reset With FBI Consent, Agency Says
“Since the iPhone 5C was locked when investigators seized it during the lawful search on December 3rd, a logical next step was to obtain access to iCloud backups for the phone in order to obtain evidence related to the investigation in the days following the attack,” said the FBI statement.

The FBI added it worked with county technicians to reset the iCloud password on December 6, which differed from court filings made by the Justice Department that said “the owner [San Bernardino County Department of Public Health], in an attempt to gain access to some information in the hours after the attack, was able to reset the password remotely, but that had the effect of eliminating the possibility of an auto-backup.”

So the guy wasn’t working alone. The FBI wanted it. And they screwed up.

Apple: Investigators ruined best way to access terrorist data
According to senior Apple executives on Friday, the FBI might have been able to obtain data from an iPhone 5C belonging to Syed Farook, one of the San Bernardino terrorists, by connecting it to a familiar Wi-Fi network and having it create a new backup on Apple’s iCloud service.

The idea was foiled, the executives say, because the password to the terrorist’s iCloud account was reset shortly after the FBI took possession of the phone. That meant iCloud and the iPhone couldn’t recognize each other, the executives said.

So, as this is now being reported, we have two issues. First, the Feds lied in their brief to the court. My guess is that they thought admitting that they screwed up might cause the judge to question whether that imposed an obligation on Apple to create a whole new forensic/surveillance tool.

Second, do we really want to give that to bumblers who bungled somthing so basic?

Glad I’m not that guy

So how did the FBI/Apple kerfluffle really start?

San Bernardino Shooter’s iCloud Password Changed While iPhone was in Government Possession
The filing states, “the owner [San Bernardino County Department of Public Health], in an attempt to gain access to some information in the hours after the attack, was able to reset the password remotely, but that had the effect of eliminating the possibility of an auto-backup.”
[…]
The auto reset was executed by a county information technology employee, according to a federal official. Federal investigators only found out about the reset after it had occurred and that the county employee acted on his own, not on the orders of federal authorities, the source said.

 

Questions, questions.

  • If he changed the password to access information, why isn’t the FBI rubber-hosing the password out of him?
  • What information did this guy suddenly need when the Feds took the phone?
    • Was he merely curious?
    • Did he not realize the Feds would notice?
    • Was he looking for incriminating information?
    • If so, why not leave it to LE?
  • If there was incriminating data he knew about, what kind? Was he an accomplice in the attacks, or merely lower level county corruption?

Seriously. At the very least, he had to realize resetting the password on evidence in a federal investigation would be felony “impeding an investigation.” At a minimum, he had to know he’d be suspected as an accomplice in a terrorist attack. What did he need to see so badly to make it worth the obviously inevitable consequences?

If he was deliberately hiding something, what could be worse than a definite felony, and being a terrorist suspect for the rest of his life? At best.

Maybe he really is just a curious dumbass with an IQ lower than whale shit. He is (was?) a government employee, after all.

Look, either the guy knew the new password, or he deliberately randomized it to keep investigators out. If the first, the Feds shouldn’t be making demands of Apple.

In related news:

DOJ would allow Apple to keep or destroy software to help FBI hack iPhone
The Obama administration told a magistrate judge Friday it would be willing to allow Apple to retain possession of and later destroy specialized software it was ordered to create to help federal authorities hack into the encrypted iPhone belong to Syed Rizwan Farook.

 

Looks like someone finally took cognizance of the point I’ve been making: Letting the Feds get that FBiOS is dangerous. I’ve said all along that the correct way to do this would have been to turn the phone over to Apple for forensic extraction. They unlock it, then return the unlocked phone without the security breaking code installed to the Feds.

The FBI absolutely should never get their dirty paws on the countdown bypassing and remote access code. They can’t be trusted.

The wrong question

Update: My first analysis was based on excerpts from the judges order published in the media. I’ve now read the whole order. And it’s worse than I thought. See edits below.


In response to the federal judge’s order that Apple create code to disable the countdown timer on iPhone’s password input routine (thus, allowing the FBI to mount a brute force attack without fear of the security routine wiping everything), people have asked — in a properly sarcastic manner — “What could possibly go wrong?”

They should be asking, “What could possibly go right?”

In case you have kept up, if one enters the wrong password into an iPhone too many times, it assumes the phone is in the wrong hands and self-wipes. The FBI has a phone that belong to one of the shall-not-be-named San Bernardino terrorists, but the password is set.

Enter an idiot judge. The Honorable Dumber N. Boxofrox ordered Apple to develop new code to disable the countdown feature, and to tailor it to work only on the single terrorist’s phone by hard coding it to only work with a couple of identification strings associated with that phone, and install it there. Sounds nice, right? Limited scope.

Correction: The ordered change to disable countdown (and eliminate delays in entering password attempts) is not limited to the terrorist’s iPhone. In addition to the new “FBiOS,” Apple is required to provide a separate data recovery/backup/”Software Image File” application to copy everything in flash memory. That application is the only thing required to work only on the single instrument.

Now let me explain what would really happen. Apple would basically be writing a new variant of the operating system. They would install it (as an update) to the phone in the FBI’s custody. FBI eventually unlocks phone, images everything on the phone.

Everything.

That is inevitably going to include the operating system, which means the FBI would now be in possession of the security-bypassing OS. They could turn it over to hackers to decompile the code, then scan for the two hard-coded ID strings. At this point, they could either type in two new strings for whatever other iPhone they might have laying around in an unrelated case, or change the code to not require the IDs at all. A brand new electronic forensic tool, provided free of charge by Apple.

Correction: No need to reverse engineer anything. Plus, the FBiOS must allow the Feds to enter passwords via WiFi or Bluetooth; i.e.- remotely, just as the FBiOS would be uploaded remotely. Once they have the OS in hand, the FBI can do it to anyone without even the need to reverse engineer the FBiOS. They’re demanding a turnkey mass covert surveillance tool from Apple.

But the Feds would never steal some company’s code, would they? Or go sneaking around spying without a warrant. And it would never occur to them to use a variant of a Stingray to generally access other phones and surreptitiously upload their little bit of malware.

Hell, you know they would. Personally, I suspect that’s exactly what they want. Since the terrorists were savvy enough to kill their data trail by disappearing their computer hard drive, I doubt they left anything useful on the iPhone. At most contacts, which the FBI can already get by subpoenaing their billing records from the phone company.

So let’s assume for the sake of discussion that they do this. We’ll even give the Feebs enough credit to say they don’t get hacked by another 16yo kid who steals data from them… you know, like new OS code.

But in this hypothetical scenario, they’ve released the code into the wild. Into iPhones whose security has been crippled by definition. Don’t lose your phone or get it stolen Correction: With remote acccess, no one has to physically steal your iPhone; whoever ends up with it can get any data…just as easily as the Feds. Or install malware (keystroke loggers, audiovisual bugs, GPS tracking, etc.) on it and return the iPhone they “found.”

I suspect jealous spouses and significant others would be a ready market, as well.

And recall that Apple programmers say that what the Feds are demanding would work on newer iPhones, too; not just the older generation terrorist’s smartphone, of which there are probably millions in use anyway.

What with people jailbreaking phones anyway, it would only be a matter of time before some hacker generated his own malOS. For that matter, maybe the FBI should hire that 16yo to hack that phone for them.

Oh. Wait. Then they’d have to pay him. When they can force Apple to do it free.

Judicial Idiocy in Misssouri

MO Nonviolent Offenders Cannot Possess Guns
An amendment to the state constitution guarantees citizen’s right to bear arms and ammunition, and explicitly states that “nothing in this section shall be construed to prevent the general assembly from enacting general laws which limit the right of convicted violent felons [to bear arms].”

The Missouri Supreme Court in a 5-2 decision ruled against Clay on Tuesday, finding that the state constitution is silent as to the right of nonviolent felons to possess firearms.

Wrong. It explicity recognize the right of every citizen to bear arms, and then explicitly carved out a very specific exception. Clay did not fall in that exception, therefore he is still part of the larger set with recognized rights.

Licensing

So I decided to sell my truck to a neighbor. We went down to the town hall and applied for a license to sign a contract, did the blood test thing…

Oh. Wait. No, we didn’t. That kind of thing doesn’t need to be licensed by the state. -whew-

Anyway, after that I went to the big box store to buy a bike for transportation. That being an implied purchase contract, me and the Wally World manager arranged to go get our bike purchase contract…

Oh. Wait. No, we didn’t. That kind of thing doesn’t need to be licensed by the state. -whew-

I got a job offer to do another book cover design. We worked up the contract, and I told the client we’d have to get a contract license. He said he’d never heard of such a thing. Funny; so did the clerk’s office. Again. (I think they’re getting tired of seeing me.)

Well, I’ve been more interested in TV lately, so I decided on a long-term satellite contract to get a good price. That’s an on-going commitment, so I knew it would require a contract. Down to town hall again.

They laughed at my naive ass. How was I to know?

Then there was the headhunter looking for a telecom tech. I’ll bet you’re seeing where that’s going. I didn’t.

Turns out you don’t need a license for regular employment either. Shoot, I was going to be responsible for millions of bucks of equipment and services for thousands of people; you’d think that would be regulated. They regulate the heck out of everything else.

So I finally learned my lesson. We actually live in a libertarian utopia where the state does not license private contracts between consenting adults. I was surprised but pleased to discover that. That was good to know when I got the marriage proposal from the lovely lady. We headed over to her church and asked the minister to marry us.

He asked to see our license. WTF? Turns out that the most private contractual agreement between two private individuals frickin’ does require a license. I pointed out that both of us were the same race, so the state shouldn’t be worried about a marriage license for us.

Wrong. Apparently we have to be state-certified and approved non-interracial, or something. But the Rev helpfully mentioned that we could save some bucks on the license itself if we show the town clerk a certificate of having completed a state-approved premarital education program. Conducted by a licensed professional.

The hell? I figured we’d just make it a common-law marriage; we don’t need Big Brother (or the Rev) sharing our bed.

Turns out common-law marriages are out, too. Something about needing state certification for tax purposes. Yeah, they tax that, too; more or less. Subject to change depending on the mood of whatever party controls the government this year.

OK, all kidding aside, I hope you’ve figured out that this is about last week’s SCROTUM ruling on same sex marriage. In case you were fortunate enough to miss it all, the short form is that the majority ruled that you have to marry someone of the same sex by July 31st states have to issue marriage licenses to same sex couples and recognize SSMs licensed by other states, which resulted in fire, famine, plague, EMP, the Zombie Apocalypse, the end of civilization as we know, lambs banging lions, sexually insecure guys losing their wives to pretty lesbians down the street pretty much nothing.

Which was a bad call. I don’t give a damn who marries who (or how many). I don’t have a dog in that fight; never met a guy I wanted to marry, and I never convinced any woman to marry me. At 54, I’ve given up and I’m not even in the dating game any more. But

This was the perfect opportunity for SCROTUM to note that their alleged Constitution doesn’t actually give the feds any supposed power over marriage (a purely personal arrangement) at all. What the cross-dressing dipsticks should have ruled is that state licensing of any marriage is a perpetuation of evil eugenics, based in the worst forms of racism, and that all such licensing violates the the 14th Amendment regarding due process and equal protection.*

Problem solved. Except for the Christians who do want to impose their own versions of Sharia law. That would be fine if they limited it to themselves. But what about folks who aren’t adherents to their particular version(s) of faith-based tomfoolery? Well, that would be the “impose their beliefs on others” part. When do I get to impose my beliefs in the sanctity of the individual, MYOB, and KYFHO on them?

Could be worse, I suppose. We could be under said sharīʿah law, where the state doesn’t make you get permission. Instead, we have a separation of chuch and state where the Christian denominations don’t get to impose their personal religious standards on eve… ry… one… else. Oh.**


* I could be missing something. Would the legal eagles educate me concerning any other private contract that requires a license for that contract? I don’t mean professional licensing like a medical license to practice law in general, but a specific license between said doc and a particular patient just to be in that specific physician/patient relationship. Ditto lawyer/client, etc. And while the design/construction of a house may require permits and code inspections, the contract between the builder and prospective homeowner does not.

** That is included for ironic contrast. I don’t approve of a system that permits involuntary marriage, marriage of those too young to give informed consent, and sex with a little girl so long as it doesn’t physically damage her (no doubt that little restriction was only included to prevent damaging broodstock — property — rather than any benevolent ideals about defending children).