Earlier this week I started to write a post on the conflict between the NSA, FBI, DNI and others regarding encryption and what users should be allowed to do. It’s pretty complicated as there are multiple players. Then came the story yesterday and today about Apple and iPhone decoding. If you haven’t caught it yet, don’t worry: I have some resources listed below.
There is a lot of information about the players, their positions, national security, the applicable Apple technology, and the courts. Rather than summarize it all, I’m providing a list of links to resources around the web. I have some comments on the order itself after the list.
Apple’s letter to its customers on February 16th about the government’s demands to Apple.
An image of the court order compelling Apple to assist the FBI. (At least it purports to be that order and I believe it to be so, but there is no digital signature for the image.) This link is from the “Trail of Bits” post cited below.
The text of the motion requesting the court order cited above.
A post on the “Trail of Bits Blog” about the technology involved in the Apple case.
Opening Statement by Hon. James R. Clapper, DNI, before the Senate Armed Services Committee Feb 9, 2016.
US Senate Select Committee on Intelligence hearing on worldwide threats (video) Feb 9, 2016.
Worldwide Threat Assessment presented by DNI Clapper on Feb 9, 2016.
More on DNI Clapper’s testimony including some important quotes such as, “Encryption is a good thing, for all kinds of reasons, for security and privacy and all that. But at the same time it is enabling nefarious activity of all sorts”.
Director of the NSA says that “encryption is foundational to the future” [emphasis mine].
To be clear, the Court did not order Apple to break any encryption. In fact, the technology may make that very difficult. What the order does ask Apple to do is disable some security features with which system administrators and users are familiar: anti-password-guessing measures. That’s right, the FBI just wants to make its efforts at brute-force password guessing easier. They are asking Apple (and the Court has ordered it) to disable any time-based account lockout for the phone. The iPhone will even wipe itself clean if there are too many guesses, so they want that disabled, too.
I am in favor of catching terrorists and of law enforcement, in general. I am also in favor of people being able to protect their valuable information. There will always be a trade-off. I think that in this case, Apple is being ordered to create a tool that could be used to attack other phones, were it to get out into the wild. We’ve seen lots of security breaches recently and it makes me wonder how long such a tool could be kept secret.
In Learning Tree’s System and Network Security Introduction we discuss these brute-force attacks, account lockout, and the related issues. I hope to see you in one of our classes. Whether you’ve been or not, I’d love to hear your views on this issue in the comments below.
To your safe computing,