LinuxQuestions.org
Old 03-31-2016, 02:06 PM   #121
OregonJim
Member
 
Registered: Feb 2016
Posts: 98


Quote:
Originally Posted by sundialsvcs
Let's be realistic: phones get dropped, get dunked, and break very easily. It can easily become impossible to type-in anything. So, what's to do? Well, there's got to be a way to clone that phone, and any Apple service-center would have it. (Maybe, when you take the thing apart, there's even a removable memory-card inside. Although Apple makes it very difficult to dismantle their gear, you can take anything apart.)

There's probably also a way to recover or reset a lost password. Imagine that ...

Furthermore, since "let's face it, you are the US Federal Government," you have (or can subpoena) technical details about the data that you have. And, there are only 10,000 possible codes, if, in fact, you are forced to try them all. "A very, very small Perl script" would do it.
You seem to be living under the assumptions of years past. With the increased focus on security in recent times, manufacturers have implemented security methods that are truly unrecoverable. In the case of the iPhone, it is possible that one could extract the encrypted data (without the key), but that does no good. It's not a matter of brute-forcing a simple PIN or even a password. It is a 256-byte key that would take decades with an array of supercomputers to crack. The PIN/password is only used to unlock the internal KEY (which is now gone). It is the KEY that does the encrypting/decrypting.


Last edited by OregonJim; 03-31-2016 at 02:09 PM.
 
Old 03-31-2016, 06:48 PM   #122
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,662
Blog Entries: 4

I understand perfectly how keys and encryption work (just to clarify such things ...), but I simply don't believe that Apple actually engineered a system such that they could not "clone" a non-working phone into a replacement device. And this necessarily means extracting the data from the phone. Also, although I've never opened-up the case of such a thing, on many phones the memory is more or less removable.

Presumably, the key-file is still in there: it might well be encrypted by a passcode, but the OS still has to be able to verify the code and use it to decrypt the data. These are things that government engineers would know.

Apple certainly can make the data "unrecoverable" to the casual thief, but if this seriously stymies FBI, and/or the other three-letter agencies that FBI can call upon, then I want to know why my tax-dollars are being wasted. I'm sure that it doesn't, and that it never did.
 
Old 03-31-2016, 07:25 PM   #123
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Quote:
Originally Posted by sundialsvcs
Furthermore, since "let's face it, you are the US Federal Government," you have (or can subpoena) technical details about the data that you have. And, there are only 10,000 possible codes, if, in fact, you are forced to try them all. "A very, very small Perl script" would do it.
Again, as I've mentioned in post #44 and #88... You can have complex passwords on the iPhone. Please pay attention to detail. It is not limited to 10k combinations.

Also, I don't buy your original argument of hitting it a little more personally. In general, if there's a way to hand over the government data related to an incident then it should be handed over. However, purposefully weakening future security is not only unethical, it puts more people at risk. Here's a summary of what has been argued so far as I see it within this thread and beyond.
  • #15 dugan shares an interesting article showing that in this instance Apple is definitely wrong in not providing a brute force routine to bypass the 10 passcode wipe. In future phones, Apple could do a redesign which no longer makes this possible. However, right now they should.
  • #59 rknichols shared an article which promotes the idea that proper device management of government assets could have prevented the whole fiasco.
  • And there's a whole bunch of misinformation on the Internet about the subtleties between a back door and a brute force attack on encryption within the iPhone. Most of it is speculation because we don't know what we don't know and Apple's proprietary nature means we'll likely never know beyond what they share. e.g. the iOS Security Guide.

Beyond that there's also the recent attack on the iPhone of which the FBI has yet to release any details. They're not likely to either. An attack which is supposedly safe enough that the FBI used it without harming existing data and with limited risk.

I stand by my earlier statement that purposefully weakening encryption and security is unethical. However, if there's a known vulnerability which can get law enforcement the data they need... then exploit said vulnerability and do a re-design or patch to make it no longer possible.
 
Old 04-08-2016, 09:47 PM   #124
Jeebizz
Senior Member
 
Registered: May 2004
Distribution: Slackware15.0 64-Bit Desktop, Debian 11 non-free Toshiba Satellite Notebook
Posts: 4,186

US pushes Apple for access to iPhones in criminal cases

"The US Department of Justice has said it will pursue its request for Apple to help unlock an iPhone that is part of a drugs case in New York."

http://www.bbc.com/news/technology-35996566
 
Old 04-16-2016, 02:16 PM   #125
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,226

Reality is that everyone has always known that there was nothing on that phone. Just as everyone knew from the start that there were no WMDs in Iraq. There were people who might have thought or pretended they didn't, but they actually did.

(And if you actually didn't, then that's not something to admit in public).

http://www.cbsnews.com/news/source-n...ardino-iphone/

Last edited by dugan; 04-16-2016 at 11:51 PM.
 
Old 04-17-2016, 11:36 AM   #126
aysiu
Senior Member
 
Registered: May 2005
Distribution: Ubuntu with IceWM
Posts: 1,775

Quote:
Originally Posted by dugan
Reality is that everyone has always known that there was nothing on that phone. Just as everyone knew from the start that there were no WMDs in Iraq. There were people who might have thought or pretended they didn't, but they actually did.

(And if you actually didn't, then that's not something to admit in public).

http://www.cbsnews.com/news/source-n...ardino-iphone/
Yes, this.
 
Old 04-17-2016, 12:36 PM   #127
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Are you freaking kidding me? In dugan's link, FBI Director actually admitted intentionally not disclosing the vulnerability so Apple doesn't fix it.

Quote:
FBI Director James Comey said last week that the bureau has not decided whether to share details with Apple about how it hacked into Farook's iPhone 5c. "If we tell Apple, they're going to fix it and we're back where we started," Comey said. "As silly as it may sound, we may end up there. We just haven't decided yet."
Whose side are they on? The criminals? To actually admit you want Americans to be vulnerable. It gets my blood boiling.
 
Old 04-17-2016, 12:48 PM   #128
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,226

Quote:
Originally Posted by sag47
Are you freaking kidding me? In dugan's link, FBI Director actually admitted intentionally not disclosing the vulnerability so Apple doesn't fix it.
And remember: "It's just one phone"
 
Old 04-18-2016, 07:34 PM   #129
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,662
Blog Entries: 4

I expect that everyone, at this point, is looking to save face ... both with the public and with the Federal Court.

As I've said before (and most recently in this blog post), I don't see in this "a government conspiracy to drill a hole through all civilian encryption, to require secret (sic ...) back doors, and to impose a duty upon the vendors of electronic products to furnish on-demand a plaintext copy of any encrypted data that the device owner might have stored."

I also do not believe that the government is asking, or Constitutionally can ask for, "a way to transform the security of the device into an illusion." The rights of government are set forth in the second half of the Fourth Amendment, but the rights of citizens, as set forth in the first half, remain. The government can't ask you to remove the lock from your front door, and they can't demand that you stop posting letters in envelopes. If the Constitution says that "The right of the people to be secure [...] shall not be violated," then it follows that they are entitled to be "at least as secure as they think they are, and not to be deceived in this."

In other words, I don't think that the sky is actually falling.

This is a two-way street, and both sides have Constitutional protection. At the same time that citizens have a Constitutionally protected right to privacy, the government also has a Constitutionally protected(!), albeit tightly constrained, right to search and seize. Law-enforcement agencies, and the Court, do(es) have the right to compel the production of evidence, and to conduct limited searches "whether you like it or not," as an intrinsic part of their public duty to solve and punish crimes. Therefore, in my view, it isn't wrong to ask ... or to compel, if need be ... the vendor of a device to provide technical assistance to law enforcement to the full extent that they can do so. This does not mean that "you provide the citizen with a set of 'the Emperor's clothes,' and decline to tell him that his derriere is 'in the air.'" If you are "searching" and/or "seizing," then the party in question has the legal right to know.

I think that it's high time that the parties on both sides realize that they cannot accomplish anything by camping-out on one extreme or the other. Instead, they must work together to find what is the middle ground. "Yes, you have a valid, Constitutionally-ordained point. But, so do I." There are computers to be developed and sold, there is a law-abiding public whose privacy must be upheld, and there is a gruesome crime to be solved. The only way to accomplish all three lawful aims is: "somewhere in the middle ground." And, it's up to both of you to find it, so that everyone can stop wasting public time and money, and get on with their work.

Last edited by sundialsvcs; 04-18-2016 at 08:17 PM.
 
Old 04-18-2016, 11:07 PM   #130
moxieman99
Member
 
Registered: Feb 2004
Distribution: Dabble, but latest used are Fedora 13 and Ubuntu 10.4.1
Posts: 425

Original Poster
Quote:
Originally Posted by sundialsvcs
As I've said before (and most recently in this blog post), I don't see in this "a government conspiracy to drill a hole through all civilian encryption, to require secret (sic ...) back doors, and to impose a duty upon the vendors of electronic products to furnish on-demand a plaintext copy of any encrypted data that the device owner might have stored."

I also do not believe that the government is asking, or Constitutionally can ask for, "a way to transform the security of the device into an illusion." The rights of government are set forth in the second half of the Fourth Amendment, but the rights of citizens, as set forth in the first half, remain. The government can't ask you to remove the lock from your front door, and they can't demand that you stop posting letters in envelopes. If the Constitution says that "The right of the people to be secure [...] shall not be violated," then it follows that they are entitled to be "at least as secure as they think they are, and not to be deceived in this."

In other words, I don't think that the sky is actually falling.
The flaw in your analysis is simple; the government can regulate the stream of commerce, and forbid corporations (and people) from offering encryption programs/systems that cannot be broken into easily. How well that could be enforced is another matter, but regulating interstate commerce IS lawful for the government to do. The effect on commerce would be devastating, as Silicon Valley lost jobs/sales/people to other countries.

Providing readily readable files means one of three things -- back door, collect keys in a central place so the government can demand them, or cripple encryption so that the FBI or local constabulary can break it easily.

Next would be to ban the possession of strong encryption tools.
 
Old 04-19-2016, 12:57 AM   #131
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

I wonder when the new Clipper Chip is to be announced?
 
Old 04-19-2016, 01:50 AM   #132
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,226

Quote:
Originally Posted by 273
I wonder when the new Clipper Chip is to be announced?
Announced?
 
Old 04-19-2016, 07:01 AM   #133
maples
Member
 
Registered: Oct 2013
Location: IN, USA
Distribution: Arch, Debian Jessie
Posts: 814

Quote:
Originally Posted by dugan
Announced?
https://en.wikipedia.org/wiki/Clipper_chip

Basically, an encryption device made by the NSA with a built-in backdoor.
 
Old 04-19-2016, 07:23 AM   #134
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,662
Blog Entries: 4

Quote:
Originally Posted by moxieman99
The flaw in your analysis is simple; the government can regulate the stream of commerce, and forbid corporations (and people) from offering encryption programs/systems that cannot be broken into easily. How well that could be enforced is another matter, but regulating interstate commerce IS lawful for the government to do. The effect on commerce would be devastating, as Silicon Valley lost jobs/sales/people to other countries.

Providing readily readable files means one of three things -- back door, collect keys in a central place so the government can demand them, or cripple encryption so that the FBI or local constabulary can break it easily.

Next would be to ban the possession of strong encryption tools.
While I understand your paranoia concerns, and I am aware that you are an attorney, I do not share them. I think that they are valid concerns, but I do not share them in this case.

Yes, the Government has the right to regulate Interstate commerce, imports and exports. But, people also have a guaranteed right to privacy if they did not murder fifteen people. Also, we have this new thingy called "the Internet," which allows data to be sent anywhere (and which dynamically routes that data). The Internet would be rendered useless if people could not encrypt what passes through it. Personal computers etc. would also be rendered fairly useless if people could not encrypt what is stored on them. We cannot have "commerce," in our modern world, without (strong) encryption. All of this is known.

An "extreme" position is similar to this analogy:
Quote:
"Citizens are forbidden from installing locks on their front doors, unless they also provide the government with keys to them and/or the government has a device to remove them ... 'just in case' the government wants to go inside and look around, with or without their knowledge and consent."
No, that is very-precisely the opposite of what the Fourth Amendment clearly states. But the government can walk up, show you the warrant (thereby clearly informing you that they have one, and that a limited search has been ordered), ask you politely to open the door ... and, if necessary, break it down. (Perhaps after arresting you for obstruction of justice.) If the door is secured with an unusual type of lock, I think that the government can ask the vendor of that lock for schematics and any special service tools, and to consult with them about the proper way to open the door.

I prefer to adopt a much narrower interpretation of what is being asked-for here, and not to see it as a bellwether of "the end of encryption as we know it." A very violent and gruesome criminal act was committed, and the FBI's public duty is to figure out what happened, so as to prevent it from happening again. It is within their prerogatives to seize and to search evidence. Apple's duty to assist, IMHO, begins and ends with extracting the data from the device and with providing full technical details as to how it was protected, cooperating with the Federal agents (who are law-enforcement officers, not programmers). I do not choose to interpret this mandate so strictly as to say that the vendor must circumvent the key and render it moot: if subsequently there is now a job for government code-breakers, so be it. (it is in fact quite sensible that this would be a next step.) But, a Federal agent does not have to wear-out his fingers, and the Agency does not have to risk the evidence being destroyed by a mechanism meant to stymie a bathroom thief.

There is a middle-ground here, upon which the sky is not in danger of falling. Neither party can reasonably say, "the US Constitution trumps 'my' viewpoint over 'yours,'" because it very clearly doesn't. The two-part Fourth Amendment guarantees(!) both at the same time.

I also think that it's important for both sides to be publicly saying this, and to be working together with reasonable and expeditious cooperation. There's a murder to be solved here, and it isn't going to be the last one. Criminals will continue to possess and to use our wondrous electronic gadgets, and it is not our public purpose to give them an impregnable hiding-place! So, "given that a middle-ground position exists, what and where should it be, and why? What is the most appropriate compromise?" That is the discussion that we need to be having right now, with both sides represented.

The US Congress will act ... is already working on a new Act ... to legally define that "middle ground," and we'd better have our hand in now, guiding what the new legislation says. If we instead are truculent, we're gonna get what we get ... and deserve it.

- - - - -

It would be even better if Apple would publicly disclose the mechanisms by which data can be extracted from an iPhone, and the details of how the data is protected, to one and all, in the spirit of "no 'security through obscurity.'" (Why not disclose "the source-code" to this?) If their mechanism has been properly designed ... and I presume that it has ... then there really should be no secret of "how it works." Corporately, Apple could publish a policy of exactly how and under what circumstances (law-enforcement and otherwise) it will extract and furnish the data that is on a device made by them. If their system is well-made, this will not compromise a customer's interests, and will further affirm that their interests really are being protected by Apple's technology. All other vendors should follow suit. "No security by obscurity ... no security by obscurity ... the mechanisms are not secret, but your data is, and this statement is available for peer review."

Last edited by sundialsvcs; 04-19-2016 at 07:34 AM.
 
Old 04-19-2016, 07:35 AM   #135
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,662
Blog Entries: 4

Quote:
Originally Posted by moxieman99
The flaw in your analysis is simple; the government can regulate the stream of commerce, and forbid corporations (and people) from offering encryption programs/systems that cannot be broken into easily. How well that could be enforced is another matter, but regulating interstate commerce IS lawful for the government to do. The effect on commerce would be devastating, as Silicon Valley lost jobs/sales/people to other countries.

Providing readily readable files means one of three things -- back door, collect keys in a central place so the government can demand them, or cripple encryption so that the FBI or local constabulary can break it easily.

Next would be to ban the possession of strong encryption tools.
While I understand your paranoia concerns, and I am aware that you are an attorney, I do not share them. I think that they are valid concerns, but I do not share them in this case.

Yes, the Government has the right to regulate Interstate commerce, imports and exports. But, people also have a guaranteed right to privacy if they did not murder fifteen people. Also, we have this new thingy called "the Internet," which allows data to be sent anywhere (and which dynamically routes that data). The Internet would be rendered useless if people could not encrypt what passes through it. Personal computers etc. would also be rendered fairly useless if people could not encrypt what is stored on them. All of this is known.

An "extreme" position is similar to this analogy:
Quote:
"Citizens are forbidden from installing locks on their front doors, unless they also provide the government with keys to them and/or the government has a device to remove them ... 'just in case' the government wants to go inside and look around."
No, that is very-precisely the opposite of what the Fourth Amendment clearly states. But the government can walk up, show you the warrant (thereby clearly informing you that they have one, and that a limited search has been ordered), ask you politely to open the door ... and, if necessary, break it down. (Perhaps after arresting you for obstruction of justice.) If the door is secured with an unusual type of lock, I think that the government can ask the vendor of that lock for schematics and any special service tools, and to consult with them about the proper way to open the door.

I prefer to adopt a much narrower interpretation of what is being asked-for here, and not to see it as a bellwether of "the end of encryption as we know it." A very violent and gruesome criminal act was committed, and the FBI's public duty is to figure out what happened, so as to prevent it from happening again. It is within their prerogatives to seize and to search evidence. Apple's duty to assist, IMHO, begins and ends with extracting the data from the device and with providing full technical details as to how it was protected, cooperating with the Federal agents (who are law-enforcement officers, not programmers). I do not choose to interpret this mandate so strictly as to say that the vendor must circumvent the key and render it moot: if subsequently there is now a job for government code-breakers, so be it. (it is in fact quite sensible that this would be a next step.) But, a Federal agent does not have to wear-out his fingers, and the Agency does not have to risk the evidence being destroyed by a mechanism meant to stymie a bathroom thief.

There is a middle-ground here, upon which the sky is not in danger of falling. Neither party can reasonably say, "the US Constitution trumps 'my' viewpoint over 'yours,'" because it very clearly doesn't.

I also think that it's important for both sides to be publicly saying this, and to be working together with reasonable and expeditious cooperation. There's a murder to be solved here, and it isn't going to be the last one. Criminals will continue to possess and to use our wondrous electronic gadgets, and it is not our public purpose to give them an impregnable hiding-place! So, "given that a middle-ground position exists, what and where should it be, and why? What is the most appropriate compromise?"

The US Congress will act ... is already working on a new Act ... to legally define that "middle ground," and we'd better have our hand in now, guiding what the new legislation says. If we instead are truculent, we're gonna get what we get ... and deserve it.

- - - - -

It would be even better if Apple would publicly disclose the mechanisms by which data can be extracted from an iPhone, and the details of how the data is protected, to one and all, in the spirit of "no 'security through obscurity.'" (Why not publish "the source code," for peer review?) If their mechanism has been properly designed ... and I presume that it has ... then there really should be no secret of "how it works."

Corporately, Apple could publish a policy of exactly how and under what circumstances (law-enforcement and otherwise) it will extract and furnish the data that is on a device made by them. If their system is well-made, this will not compromise a customer's interests, and will further affirm that (and, exactly how) their interests are being protected by Apple's technology. All other vendors should follow suit. "No security by obscurity ... no security by obscurity ... the mechanisms are not secret, but your data is, and we welcome and facilitate peer-review to prove it."

Last edited by sundialsvcs; 04-19-2016 at 07:36 AM.
 
  

