I don't like what the FBI has done, but I'll say what I always say when "responsible" disclosure comes up, for consistency.
Responsible disclosure is a courtesy. Exploits are valuable. Information asymmetry is the name of the game. Apple is not entitled to free labor. If they don't like it they should hire researchers, as the FBI has.
> Responsible disclosure is a courtesy. Exploits are valuable. Information asymmetry is the name of the game. Apple is not entitled to free labor. If they don't like it they should hire researchers, as the FBI has.
This seems a lot like saying, if someone pays you to do a structural analysis of a parking garage because they want to know if they can profit by shorting the company that owns it, and you discover that the garage is likely to collapse, you don't have any obligation to disclose the vulnerability.
> This seems a lot like saying, if someone pays you to do a structural analysis of a parking garage because they want to know if they can profit by shorting the company that owns it, and you discover that the garage is likely to collapse, you don't have any obligation to disclose the vulnerability.
There is a vital difference in that scenario: You paid the engineers who did the structural differences and thus have an expectation that they would disclose that information to you.
If someone comes around and pokes at your building without you having paid or told them to do so, I don't think there's any legal expectation whatsoever for them to tell you about any faults. (Ignoring the code of ethics professional Engineering societies have.)
What magic are you using to predict that this communication tool is never be used by someone in "imminent physical danger"?
Depending on how this exploit works, a simple denial of service when someone needs to call for emergency services may indeed represent an "imminent physical danger". People rely heavily on their phones, both for connectivity and to store important information. As this reliance increases in the future, the probability of a phone being part of a life threatening situation will approach one.
I didn't imply that it's inconceivable that the vulnerability eventually leads to danger. The point is that the safety issues at a garage directly lead to harm, while the safety issues with a phone don't. (Note that the garage doesn't require anyone to actively exploit it to harm people.) Also, there's no way for the garage collapsing to help people, while selling an exploit to the FBI can conceivably help people (not difficult to imagine scenarios).
> I didn't imply that it's inconceivable that the vulnerability eventually leads to danger. The point is that the safety issues at a garage directly lead to harm, while the safety issues with a phone don't.
Then why is the CFAA still a law?
> Also, there's no way for the garage collapsing to help people, while selling an exploit to the FBI can conceivably help people (not difficult to imagine scenarios).
What do you mean? I laid it out already. You can short the company that owns it. Quite profitable. And maybe you donate the money to cancer research. If the garage happens to collapse at night when it only damages millions of dollars worth of cars but no people then it's not difficult to imagine that could come out as a net positive (it's clearly a personal positive for the short seller), and of course we won't know the extent of the harm ahead of time in either case.
I'm not even convinced that this should create a legal obligation to disclose it, especially in the cases where the most likely harm is financial or property damage. Otherwise that would pretty much ban half the stuff Wall St does. But not disclosing a vulnerability still makes you a jackass, which kind of implies that at least the government should not be doing it with tax dollars.
Plenty of things are illegal without directly causing physical harm to people. This is irrelevant.
I think I've made it clear what the relevant ethical difference between garage and exploit. If you think one still informs our ethics regarding the other, fine; I disagree.
And the reaction on HN at the time was very critical. Iirc they disclosed it to the company soon enough, but I would certainly be upset if they auctioned it to the highest bidder.
If hacking tools didn't facilitate access to industrial control systems, personal health and financial information, private communications and photos, then I would probably agree. A vulnerability in a criminals hands leads to very real life damages.
The issue is with the software the has a vulnerability not the software that exploits it. It would be fine to sell gangs guns if we could patch that pesky 'bullets kill humans' bug.
• mining equipment: not dangerous :: enriched vein of uranium discovered using mining equipment : dangerous
• chemistry equipment : not dangerous :: nerve gas, napalm, etc. : dangerous
It's a strange situation where the equipment has a set of very legitimate uses, but once you allow it into people's hands, they now have complete unmonitored autonomy in how they use it, and might very well use it to bring about something dangerous with no-one the wiser.
This is unlike most experience we have with dangerous tools. Cars, for example, can easily be used as weapons—but that danger only applies in public where others can observe you using the car, and your driver's license can be revoked. Similarly, a HAM operator could, on a whim, pollute the RF spectrum around them with noise—but that's also an action that by its very nature is observable, and so their broadcast device could be tracked down and shut down, and their operator certification revoked.
But nobody sees you when you decide to mine for uranium, or produce chemical weapons, or develop software exploits. These aren't the tool being used as a weapon, being used to attack; these are instead cases of a tool being used to create a weapon, to create the potential for future violence, violence that—until it ever comes to pass—has no observable effects out on the world that will hint that this person is acting with malicious intent.
It really seems like the law doesn't know what to do about that category of things, generally.
FWIW "enrich" in the context of uranium is the thing done by centrifuges. You don't get enriched uranium out of the ground.
And Napalm is basically styrofoam and gasoline. You don't need much in the way of chemistry equipment to make it.
> It really seems like the law doesn't know what to do about that category of things, generally.
The main problem with the concept is that it doesn't end. A person with malicious intent can cause quite a lot of destruction with only the stuff everybody already has. There is no point in restricting chemistry equipment when people already have gasoline (or olive oil or lard or alcohol or ...)
The only way to separate a person from the means to cause trouble is to eject them naked into the vacuum of space, and even then it's mostly because you can expect that to kill them.
[...] they now have complete unmonitored autonomy in how they use it [...] It really seems like the law doesn't know what to do about that category of things, generally.
You can use a hammer to construct something, or to bash someone's skull. That's human nature, and freedom. To not have that choice would mean we have lost a lot more than we'd have gained.
This moral ambivalence makes it (luckily) nearly impossible for any form of authority to make a definite statement or prevent usage. It ensures freedom.
And sometimes bashing someone's skull might be the "positive" action, and using a hammer to construct a building the "negative" result, as when the building is used predominantly to harm people. One could use hacking tools to get around totalitarian governments or locked-down operating systems, or even to get into a former lover's device but at the same time prevent that exploit to be used anywhere else because of the bug's exposure. Even the "criminal" might be the good guy in the long run – morality is highly complex.
IT security really ends up most often in ambivalent, shades of grey territory, and not in the clear black/white contrast preferred by many people and especially law- and policy-makers.
This discussion is about vulnerabilities, not tools like nmap, etc that can be used for other constructive purposes. Please explain how you think having an undisclosed vulnerability is useful to build something.
No, 'nmap' is not a vulnerability. I'm advocating to hold people responsible that sell vulnerabilities to the highest bidder under the full knowledge that the bidder will not tell the manufacturer and will use it for nefarious purposes.
It's nearly impossible to enforce something like this because of anonymous markets and crypto currencies, but we should at least shame people that advocate for it or admit to doing it.
What we need is to destroy the idea that somehow vendors can expect others to do their security work for them. Full disclosure all the way, and put the pain with those who are the root cause: customers who don't want to pay what it costs to develop secure software, or what it costs to implement secure processes (i.e., airgapped infrastructure).
Hackers and state actors. Whatever tools the used where just that. If someone uses a wrench destroy the enrichment devices, did the wrench destroy the device or the person using it?
...uh huh. I thought later about explicitly adding that. A device that can rapidly flick a power switch is also not a weapon. You can get that on amazon in the electronics section, and trivially add remote control.
Think of the people with home automation systems, where they can press a button on their phone to turn the lights on and off in their living room. You are saying that they have installed a weapon. That is crazy. It could damage their washing machine, but so could a 2-liter of soda.
Responsible disclosure, despite it's name is often not the most responsible course of action to take.
And in any case, what does the FBI even have to disclose here? An exploit that they may or may not have that wold undoubtedly be contractually obligated not to share. In any case, everyone already knew that the crypto on that particular iPhone model was broken.
"... according to people familiar with the matter."
There is absolutely no proof of an exploit here. There are a lot of people 'familiar with the matter' that talk BS. For example I heard some expert say that they just bought 1000 iPhones and copied the ROM on each phone to try each pin combination.
Edit: to be clear: I'm talking about a software exploit. I think it's more likely the phone was cracked via a hardware exploit.
Apple used the FBI hearings as a public relations project. They lost all sympathy from the Feds after that. They really should have played their card differently but instead wanted to rally the public against a federal law enforcement agency so they can prove to customers that they take privacy seriously.
I'm not sure if Apple intended to rile up the Snowden/tin-hat wearing crowd who thinks the government is out to get everyone, but that sure didn't leave a nice aftertaste in the FBI's mouth.
Looking at this objectively, Apple shouldn't expect the curtesy of responsible disclosure. If this makes the public wary of Apple ability to protect their privacy, well, so be it. The FBI's duty is to actually protect the public, not to protect the customers of a single corporation.
I think this is brilliant counter-marketing on the part of the FBI and a real "fuck you" to Apple for turning a criminal investigation of a mass murder in to some fucking sideshow circus where they could show the public just how much more they care about privacy than the government.
EDIT: I'm sorry, but I have a rate limited account because my conservative opinions are not valued by the HackerNews community. I have some follow ups to your comments:
---
> That includes protecting the public's communication from criminal eavesdropping, which they are undermining when they keep an exploit secret instead of responsibly disclosing it.
As far as I'm concerned and as far as the US government is concerned, as soon as you broadcast radio and electrical signals from your private person or property, it's been published. That's how it's been since the beginning of the country and that why Apple and Facebook are even allowed to sell your information to third-party marketers. Everything that leaves your devices legally has to be made public so our data can be legally sold.
This is also related to credit reports, doing-business-as, and many other kinds of public record keeping. You should not expect privacy when buying and selling goods in a public marketplace. How could you possible stop someone from monitoring what you're buying and selling? Consumer reporting, public record keeping, and public census data are incredibly important parts of our institutions.
We're going to need a newly defined set of laws and regulations to actual define what I've been calling "privished" works, that is, information that a third-party is liable to both the individual as well as the government, to make sure that the 4th amendment is still a two-way contract.
I suggest you brush up on some of your constitutional and common law interpretations of what privacy actually means with regards to mass communication. I think most of the HN threads are missing half of the social contract and fail to see the importance of granting the government the right to warranted search and seizure.
It's FBI who was pushing the polemic, and that's the same polemic you are now pushing.
Also, this isn't a show. These are legitimate privacy concerns that require active protection. The FBI is hardly in the business of protecting information from hackers. If they were, they probably wouldn't need Apple's help in the first place to penetrate their security. They simply don't have the expertise.
Again, I'd like to point out that it was the FBI who took to the PR stand to address the public directly in a political manner.
Allegedly Apple wanted this request from the FBI to stay under seal, and it was the FBI who pushed to make it public. If that's the case, then it may have indeed been the FBI not Apple who turned this into a PR situation.
Somebody inside the FBI was greedy for a raise and took the risk to try to take a bite out of the Apple. I doubt they got demoted or took a salary hit. The career upside for the individuals involved would have been huge. Perhaps they believed in their anti-terrorist cause but no more than an Apple employee proud to build the next version of iTunes.
> the Snowden/tin-hat wearing crowd who thinks the government is out to get everyone
Insults are not good discussion.
> The FBI's duty is to actually protect the public
That includes protecting the public's communication from criminal eavesdropping, which they are undermining when they keep an exploit secret instead of responsibly disclosing it. The idea that they can keep it secret and nobody else will rediscover the exploit - and the "nobus" (nobody but us) attitude in general - is hubris.
> not to protect the customers of a single corporation.
I suggest reading older HN threads on this topic, because the fight against the FBI's order was not about a "single corporation".
>I'm not sure if Apple intended to rile up the Snowden/tin-hat wearing crowd who thinks the government is out to get everyone, but that sure didn't leave a nice aftertaste in the FBI's mouth.
I prefer the theory that they wanted to improve their reputation in the international market with a show of defiance demonstrating that they weren't going to act as a front for US intelligence.
Although I have no idea whether Apple's reputation has actually been damaged overseas by increased awareness of American spying, it seems likely that American technology companies in the post-Snowden age will face a PR problem in the international market that Apple and other US tech companies should have a strategy for.
Am I the only one who reads the quotes in this article as "see Apple, if you don't give us what we want then we may just have operational reasons to not disclose vulnerabilities to you, wouldn't that be a shame..."?
It does come off a bit like a multidimensional pissing match - with the FBI alternately saying, "We can force you to break this phone", "We can break it ourselves if we want to", "We will break it and not tell you how", "We can insert a succession of stories in the media that will call your security into question."
It is of course a territorial pissing match. Apple, and most of Silicon Valley, thinks and acts like they are more important and powerful than the country that granted them a corporate charter and the public infrastructure with which to do business.
> Apple, and most of Silicon Valley, thinks and acts like they are more important and powerful than the country that granted them a corporate charter and the public infrastructure with which to do business.
Apple was defending the fundamental rights of the public - "we the people" (i.e. country that granted them a corporate charter) - against an agent of said country who tried to overstep the bounds of the power the country (again "we the people") granted them.
The court was the way for the agent to prove what they don't overstep the boundaries of the power that the public granted to the agent, and for all we know the agent failed to do so.
to the "venomsnake" below : i didn't say Apple always defends the fundamental rights, i even didn't say that Apple in this case was motivated by the defense of the fundamental rights. The fact that we do know is that Apple in this case defended the fundamental rights - for whatever motivation, probably for profit as a corporation and that would be my guess is that Tim Cook was doing it for the fundamental rights really or may be just to piss off FBI for fun.
If apple believed in any form of fundamental rights for their users they would have given root, unlocked boot loader and alternative appstores to the people.
Unless you have a staff of experts, you're not going to be able to secure the device yourself. So Apple has to be involved in almost everyone's security whether you like it or not. Putting the user in charge is good for freedom, but it takes you from one failure point to two failure points.
If they had given root access, the following things here would be up to the community to create. I don't know why you listed all of these things as if Apple owes them to us.
I'm sorry, but I don't buy the collective security reasoning. I'm not convinced that there aren't large custom databases of shared private keys that can be used to grant individual, time adjusted master keys that would allow the FBI to enforce their 4th amendment duties while making it impossible for a single master key to be discovered and instantly break every devices encryption.
Apple would be very liable for keeping this giant database of individual private keys safe. So would tbe FBI. But I have no doubt that it could be done. It would just take political will and perhaps a bit of novel cryptography, but if Bitcoin has shown me anything, it is that there are lots of remaining solutions to existing problems using crypto.
Your issue is that you're starting with a first principle based on what applied technology can currently do instead of starting with the first principle based on the relationship between an individual, the government, and public.
We should be thinking about how we can use new cryptographic technologies to assist humans instead of insisting that humans must be subjected to the technological limitations of a consumer electronics company.
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
This clearly states the government has the right to warranted search and seizure for cases in which it needs to protect the public at large.
This is what takes precedence, not what Apple's current crop of cryptographers can come up with.
---
EDIT: I'm sorry, but I have a rate limited account because my conservative opinions are not valued by the HackerNews community. I have some follow ups to your comments:
---
> However, I also don't think Apple has a responsibility—even as a "citizen" of the country—to explicitly allow government access.
First, please see my other comment related to the third-party doctrine for reference:
I would argue that if we are to allow publicly chartered corporations to store and maintain access to privished works that they would have to be held liable to both the individual as well as the government. Just as banks are liable to both individual customers as well as the government.
Apple clearly doesn't want this responsibility. They don't want to be liable to both the individual and the government. Or perhaps anyone. They sell shiny toys. They're really not that important and perhaps they don't really care that much about privacy beyond how it affects sales.
---
> That it does. But what it does not state is that the government has a right to create laws mandating that free citizens, not accused of any crime, must only create or possess items that the government can obtain access to.
Again, please see my comment related to the third-party doctrine.
We're going to need some new laws related to privished works. Right now you don't really have the right to privacy outside of your private person and private property. A bank will let the government open safety deposit boxes. The bank has the keys to the vault and you don't so I think we have already have some historical precedence with which to base these new legal fundamentals.
---
> Whilst I don't know whether I agree, this is an argument that needs more exposure on HN.
Yeah, I wouldn't hold your breathe... I don't think you realize just how dogmatic this place is. If you say anything about being in support of the government, intellectual property, or dare question the values of the open source community, you're just immediately downvoted to fucking oblivion.
Also, I kind of like being a prick to who I imagine are a bunch of stuck up yuppies, so there's that as well.
But where the fuck else am I to go in San Francisco? Everywhere I am I'm just surrounded by a bunch of fearful techie drones with their fucking athleisure clothing. Everyone always has fucking headphone on and is glued to their god damned phones, I can't start a conversation with anyone anyways. There's no discourse happening anywhere!
All I can do now is just fucking rant and rave on HackerNews comments in the hope that someone out there might be fucking listening for a god damned change!!!!
---
> However, your last three paras are quite insufferable and if I were you I would reconsider your relationship with the HN community.
I have considered my relationship with HackerNews to be over for quite some time. Right now I'm just seeing how far I can push it before I get banned.
That you vehemently disagree with me is WHY I AM SO FUCKING PISSED OFF! Everyone here uses the downvote button for disagreement because they're lazy fucking assholes who can't really approach my arguments.
This is the number one place for discussion about technology on the web, or perhaps anywhere. I'm very well qualified to talk about tech and tech policy. Yet my ideas are constantly shit on by a bunch of ignorant and dogmatic cocksuckers. I want to see just how long YOU could put up with this abuse before you FUCKING SPRUNG A GOD DAMNED LEAK IN YOUR BRAIN!
This whole "community" is insufferable and my actions are really a quite logical reflection of the kind of discourse that takes place in these forums.
I have considered my relationship with HackerNews to be over for quite some time. Right now I'm just seeing how far I can push it before I get banned.
That you vehemently disagree with me is WHY I AM SO FUCKING PISSED OFF! Everyone here uses the downvote button for disagreement because they're lazy fucking assholes who can't really approach my arguments.
This is the number one place for discussion about technology on the web, or perhaps anywhere. I'm very well qualified to talk about tech and tech policy. Yet my ideas are constantly shit on by a bunch of ignorant and dogmatic cocksuckers. I want to see just how long YOU could put up with this abuse before you FUCKING SPRUNG A GOD DAMNED LEAK IN YOUR BRAIN!
This whole "community" is insufferable and my actions are really a quite logical reflection of the kind of discourse that takes place in these forums.
At this point you're well past where going on tilt is indistinguishable from trolling, so we've banned your account. If you don't want it to be banned, you're welcome to email hn@ycombinator.com.
I don't like banning users with minority/contrarian views (assuming you've described yourself accurately) because it's important for HN to have a wide spectrum of opinion—but only among users who can contain themselves within civil bounds and follow the rules here. You're doing neither, and it isn't the community who's to blame.
I was going to upvote you even though I vehemently disagree with you and your technical assessment of the crypto at play, simply because I don't think the downvote should be used as a disagree button. However, your last three paras are quite insufferable and if I were you I would reconsider your relationship with the HN community.
However, I also don't think Apple has a responsibility—even as a "citizen" of the country—to explicitly allow government access. From a cost, liability, and product standpoint it is in their interest to build themselves out of these legal middleman situations. If you hold this against them that's your right, but it's exactly that reason why I own an iphone. I suspect I'm not alone.
I'm firmly of the camp we should be aiming to reduce terrorism by becoming a smaller target, NOT by treating everyone like a potential terrorist. Technology can certainly help with this: look at TOR, twitter, end-to-end encryption, etc. fostering open and fearless conversation allowing us to improve generation over generation.
Also, I would be much more sympathetic to the FBI if it seemed like there was something relevant to national security on the phone. I don't recall them ever attempting to convince anyone of that. The San Bernadino incident seemed like a couple going postal rather than a deep-rooted international religious conspiracy.
Response to your EDIT (I value your conservative viewpoint, <3): I do not hold Apple liable for writing infallible crypto. In fact, I fully expect them to be hacked. But the stronger their crypto, the more value they have, regardless of their intentions or what they care about. It's kind of beautiful, in a way that makes me uncomfortable: their profits from me are directly correlated to their dedication to crypto. The more energy they put into it, the more money I want to give them. You are exactly correct. I see this as a very efficient free market transaction—something I would expect a (fiscal?) conservative to value.
Finally, I view the guarantee of privacy as finally having some kind of bulwark against the arms race governments have been waging against their citizens since the invention of the standing national army. Just because governments have had the luxury of violating my privacy does not mean they should.
Social conservative. And kind of a redneck motherfucker as well. Christian but without believing in the miracles of Christ. I guess that makes me agnostic. I support the idea of a local community church. I tend to think of the Bible as a mixture of good story telling and timeless moral lessons. I'm also a country musician and songwriter and I'm the CTO of a Bitcoin startup. I'm moving from San Francisco to Texas in June for what should seem like pretty obvious reasons. This fucking city, these fucking techies, and just about everyone on HN is constantly shitting on everything I hold dear. Ya'll hate rednecks, country music, the government, Christians, and moral lessons.
I think the people who despise my way of life will eventually see the error in their ways. Us conservatives have been holding this shit together before, during, and after the revolutionary split from our British forefathers. We kept all of British common law and their liberal political inventions, we just changed the flag and where the taxes went. We kept the country intact after Marxism ravaged the planet and directed the working man in to unions that I'm a proud supporter of. We're most definitely going to keep the ship on course through these troubled times of technocratic buffoonery that's coming out of Silicon Valley these days.
I'm a real conservative. Not those clowns over at the GOP. To be honest a lot of great democrats have been flying a flag that I think properly balances conservative and progressive ideals. I'm not really lopsided in my beliefs, I'll just always want to balance things out. Right now we fucking need a really large dose of conservatism, and I mean in legal and moral philosophy, in order to fight the war against these technological disruptors. Silicon Valley is hyper-progressive and I think incredibly reckless and dangerous to the way of life that I consider good and just.
If I'm sounding like Edmond Burke, good, I think the dude laid great foundations for exactly this kind of legal and moral conservatism that exists within the framework of liberal democracies like the United States.
---
> Just because governments have had the luxury of violating my privacy does not mean they should.
You really shouldn't look at it only in this way. You should also try and look at it from the perspective of what the public gains from transparency, especially related to commercial activities. Capitalism needs open and public marketplaces, as well as public courts enforcing private wrongs, in order to function. We need public credit reports, we need public criminal reports, we need public records for property titles and for public records for asset ownership in publicly chartered corporations. All of these political inventions gave us the world that made a company like Apple possible in the first place.
BTW, one of the reasons I love Bitcoin so much is precisely because it is public infrastructure and precisely because it is completely open and transparent. It is a feature that all transactions are public knowledge!
Government is about these basic arrangements between public infrastructure and private individuals. The social contract. Like any trade or contract, it must be balanced and freely agreed to. To receive these rights we must also cede other rights. This trade-off is the one that is always missing from discussion in this forum.
---
I have no problem with the pseudo-anonymous transactions. I build products that embrace the public and transparent nature of the blockchain because I believe that marketplaces and accounting must be public and open, just like they've been for hundreds of years in prosperous and free societies. Tyrants love to hide private information. I feel if you want something to be private, you're not gonna send it to someone else over the Internet or even let it leave your house.
I'm not concerned with the contents of the San Bernadino phone. I'm concerned with the government's ability to uphold the 4th amendment and be allowed to protect the public interest when warranted. We operate under a system of precedent setting common law and yes, while later legislation and constitutional amendments are going to need to be made for crypto, that's probably decades away and in the meantime we need our courts to interpret and uphold the constitution in the meantime.
I think that there are more racists in San Francisco than there were back home, they just don't realize it here. Back home there just weren't any black people or jews. Everyone was just ignorant. Here, there are tons of different kinds of people but do you ever see some techie making friends with some black dude in the Western Addition? Do you ever see some Chinatown cat kicking it with a Mexican? Racism and classism exist everywhere and social liberals tend to be the group that just wants to ignore the problem. There is very little multicultural interaction in a place this diverse. There was one black dude in my town and he came to the same parties and hung with the rest of us. He pretended to not be a redneck and was all in to this inner city urban culture, at least in his clothes. He had a crew of what we called "wigger" friends as well... but then we'd see all of them out hunting and driving four wheelers around... there's just not that much to do in the sticks, regardless of what magazines you're getting your styles from.
For all the shit going on in the red counties of America at least they can talk about race. I don't know any black dudes who have ever called themselves "african american" yet I know tons of white people who consider themselves socially liberal who are afraid of using the term black and will insist on using the phrase "african american". Also, I've got African friends. They don't want to be called fucking "african american". They're also fine with black. And I'm fine with white. Social liberals are hung up on a battle of words. Trigger warnings and god damned safe zones. Social conservatives are more focused on reality, and there's nothing more real than what was working or what was broken yesterday or the week prior.
I personally think that when people move in to a new community that they should learn the customs, language and traditions of the dominant culture so they can be good neighbors. This is something you see a lot in social democracies like Norway and Sweden as well, cultural indoctrination programs. I bet Bernie Sanders leaves that part out! I love the idea of multiculturalism and I think everyone should have their voice. I love the Chinese New Years celebration and I love the Cherry Blossom Festival. I also love that a bunch of Chinese and Japanese dudes love going to baseball games, voting, and eating cheeseburgers. Welcome to America!
I'm also pro-immigration but mainly because I can't see how free trade can function in a global economy without having a mobile labor force to follow the jobs around. I believe we will one day have a world government based primarily on Anglo-American liberal democracies. I could see the USA, Canada, the UK, Ireland, Australia, New Zealand, and South Africa all starting this process within our lifetimes. This is basically what things like NAFTA, TTP, and other free trade agreements are headed towards. I do not understand the knee-jerk fear against a global government. It has just have a very small executive body with a ton of governance left to the states and hopefully most to local communities. I believe that most government duties for housing, social welfare, education and general infrastructure should be local and community oriented and that the federal and future world governments should have very limited rolls. Perhaps there is room for some global income redistribution, but I think that once we have completely open borders across the globe and equal access to advancements in digital contracts and strong intellectual property rights that we can get capitalism working for just about everyone on the planet as we transition to a global knowledge economy. Next stop, Mars, as a United Earth! Fuck it, The United Federation of Planets has a nice ring to it, doesn't it? :)
All that being said, there are big issues with ignorance, and you can say as much about ignorance in Silicon Valley as you can about rural Mississippi. I empathize with the people of the South and I know they are carrying around a lot of shame. It certainly doesn't help to have people questioning their "racial/ethnic/immigrant attitudes". Everyone remembers why there was a civil war and who lost. Put on "The Night They Drove Old Dixie Down" by The Band and I'm balling like a fucking baby... Southern identity is a very complicated and beautiful thing and there's a reason why most of the best art, food and culture in American comes from down there!
Civil rights trump religious rights and that's been the case since the very beginning. Whatever the fuck is going on in Indiana and North Carolina is not conserving any of the ideals that I hold dear.
> I'm not convinced that there aren't large custom databases of shared private keys that can be used to grant individual, time adjusted master keys that would allow the FBI to enforce their 4th amendment duties while making it impossible for a single master key to be discovered and instantly break every devices encryption.
To what end?
Even if such a thing could be built, if anyone that wanted to hide something knew about this, they wouldn't rely on this encryption and they'd do something on their own (with a 3rd party app, or offline, or whatever).
Encryption is a thing that can't be un-invented, which for some reason everyone that seems to side with the FBI seems to completely forget. Even 100 years ago, there was unbreakable encryption[1] (that could be done without computers).
If Snowden taught us anything it's that you can't keep the existence of this type of thing secret forever.
So, all you end up doing is making it easy to violate regular citizens' privacy, introducing a very real and very serious potential security risk if the database were ever to be compromised, and still not actually being able to decrypt any of the data you are actually (supposedly) trying to get at.
> This clearly states the government has the right to warranted search and seizure for cases in which it needs to protect the public at large.
That it does. But what it does not state is that the government has a right to create laws mandating that free citizens, not accused of any crime, must only create or possess items that the government can obtain access to.
I don't think you actually disagree with how Apple responded, but you do realize the privacy of more than a few billion people was in jeopardy during this 'fight'. I would consider that more important than the wishes of the FBI and our country allowing them to do business here.
...public infrastructure with which to do business.
Wait, I thought your opinions are supposed to be "conservative"? What's with this parroting of Elizabeth Warren's very lamest "you didn't build that" cant?
You can tell that buy the whole "we're not bringing that money in, just to pay tax on it, are you crazy ! We're going to spend millions lobbying for us to be able to not pay that tax instead". And people support them !
Missing from TFA: any consideration of whether the "work phone", which was subject at all times to repossession and inspection by San Bernardino County, stored any information about terrorism, particularly information worth overturning fundamental assumptions about the duties of electronic device manufacturers.
Iirc comey said in one interview that they wanted to know which path they went on during missing minutes on the day of the shooting when the phone was with them, and hoped the phone had location data.
Do towers record past telemetry data? Assuming they do, the granularity of knowing that a particular tower handled a phone ping is comparatively useless. A guessed location (stored on the iPhone) based off of cell tower triangulation and the occasional GPS calculation is far more valuable.
I do agree that we should consider the FBI's statement with skepticism.
> the granularity of knowing that a particular tower handled a phone ping is comparatively useless.
No, it's not. A simple correlation with other phones tells you who is traveling together (co-travelers). This only requires knowing which phones are near each tower, at a fairly low temporal granularity.
I'm sure there are additional ways to analyze that data, too. The travel and relationship map that COTRAVELER discovers is merely the project we know about.
Where does this show that "the iPhone tracks my location every time it discovers a wifi network"? Sure I can have given permission for tracking to an app but if I haven't where does the iPhone/iOS store my location data? ps: downvotes?
It's implicit, the equivalent of a warrant canary, if there had been anything of remote interest (which nobody expected) there would have been a lot of noise about that.
How come the FBI isn't afraid these guys are going to sell the same exploit to foreign governments which will use them to break into US government phones?
? The FBI probably assumes that yes, other actors do have access to unknown exploitable vulnerabilities.
It's 2016. Any data that hasn't been airgapped for the entirety of its existence needs to be considered if not public, then at least known to the enemy. (if accountants in tax havens would take that to heart, they wouldn't be in the predicament they are in now...)
The FBI is willing to protect you how they see fit only, notwithstanding how that may fit within the bounds of Constitutionality. If you are not willing to give up such rights, the FBI will protect you through any means necessary - through force if it comes to it.
Does any suspect that this might all just be PR posturing? They found a zero day exploit but they don't have to say what it was. They don't have to whether or not more interesting data was found. Nothing. Could it be they are just trying to save face? Granted they've looked quite foolish in all of this but still.
Just had a thought: couldn't you copy the encrypted phone, run it in 10000 emulators and try a different PIN in every emulator? If the problem really is just a 4 digit PIN, that should work?
Or is the flash memory and the flash memory controller doing the decryption entangled on a single chip so that they can not be physically separated?
> "The U.S. government now has to weigh whether to disclose the flaws to Apple..."
Apple is going to find the flaw. They wrote all the code and have some of the smartest people in the world working there. No reason for Apple to even ask the government to disclose the vulnerability to them.
Well, the same smartest people unknowingly put the bug there. It's not as easy to find a security flaw (without someone telling about it) as you think. They'll eventually figure it out, but may be not immediately.
Did the FBI pay for them to hack or pay for the (exclusive rights to the) exploit? The rest of the article implies the latter- but if the former, what is stopping Apple from paying the "hackers" for the exploit?
You copy the storage of the phone (the NAND) and then put it into a bunch of iPhones and try all 10,000 possible pins. If a phone gets locked out, you just restore the mirrored (the copied) NAND.
Yes, yes that's exactly what happened. Apple had nothing to do with it. And that charade they put up about suing then not suing, etc, was not a charade at all. /s
I'm continually baffled by the pathological disdain some people like yourself seem to show towards Apple... Is it the cognitive dissonance that "Google does no evil", therefore if Apple is seen working for the privacy of their users (which they have both sound business reasons and I have no reason to doubt moral convictions to do), where Google does not, then they must have a hidden agenda?
Fair enough, the Google comment was unfounded (and I do believe that many at Google also have strong convictions to protect their customers' privacy but it's a lot harder to do when your business model depends on storing your customers data in clear-text on your servers).
Personally I am disturbed by the continual government assault on the security of personal data and I believe that companies like Apple are our strongest stalwart against it.
I completely understand your Google argument. Whenever I say that I put Google in the same basket as Facebook/Apple/(as of recently) Microsoft, I get lots and lots of people telling me how Google is not bad.
In fact, in my mind, Google is even worse than the rest of the companies, because Google is the only one that has the power not only to collect my data, but to use that data to tweak my online experience. Not just on their products, but across the majority of the Internet (yes, I'm talking about their ads). I turned every single type of Google tracking off and I still feel uncomfortable using their services that are impossible to avoid completely.
It's great that Apple is a company with lots of money that can stand a chance in court and all that, but that also means they're a government-legible single point of failure. Their business model is still "administer our users' devices". While this is much better than Google's "surveil our users", maintaining their privileged access puts their users at risk, as highlighted by this recent battle.
I haven't heard of any plans of making the updating process more self-controlled (eg allowing users compare checksums with friends before updating, or additional third-party signatures), or hardening their firmware against local tampering (since their security model incorporates trusted computing). The references to "secure enclave" seem mostly for comparison rather than any direct analysis, and it seems like another general-purpose easily-updateable chip.
It doesn't seem like it's actually possible to do all that much without releasing source for a TCB, especially with the possibility of NSL (etc) mandating secret backdoors for every device.
I look forward to apple saying that they apply the same stance in the case of investigating miscounduct or if the CWA or Prospect in the UK started organizing apple store staff :-)
https://en.wikipedia.org/wiki/Responsible_disclosure
If the FBI wanted to protect the public, responsible disclosure of the exploit is a first step.
Sigh.