AuthorTopic: Judge orders Apple to access iPhone belonging to San Bernadino shooter  (Read 14996 times)

Offline RE

  • Administrator
  • Chief Cook & Bottlewasher
  • *****
  • Posts: 32539
    • View Profile
http://appleinsider.com/articles/16/02/16/judge-orders-apple-to-access-iphone-belonging-to-san-bernadino-shooter

Judge orders Apple to access iPhone belonging to San Bernadino shooter

By Mikey Campbell   
Tuesday, February 16, 2016, 05:39 pm PT (08:39 pm ET)
A U.S. magistrate judge on Tuesday ordered Apple to comply with FBI requests to help extract data from an iPhone owned by one of the shooters involved in December's terrorist attack in San Bernardino, Calif.


Judge Sheri Pym informed Apple that it must provide specialized software that will allow law enforcement officials to thwart iPhone's built-in security measures, specifically a feature that automatically erases handset data after a certain number of unsuccessful login attempts, the Associated Press reports (via ABC News).

It is unclear whether the iPhone in question is running iOS 8 or iOS 9, both of which feature so-called "strong encryption" that even Apple can't break. The report is also vague on the level to which Apple must participate. From the AP's wording, it appears Apple could be forced to hand over a software package that might be copied and later applied to similarly locked devices, undermining the company's encryption efforts.

Today's ruling comes less than a week after FBI director James Comey said law enforcement technicians have attempted, but so far failed, to access information stored on an iPhone owned by the county, but used by Syed Rizwan Farook. Farook and his wife Tashfeen Malik fatally shot 14 people in a terrorist attack last year before being killed in an ensuing police shootout.

"We still have one of those killers' phones that we haven't been able to open," Comey said at a hearing of the Senate Intelligence Committee last week. "It has been two months now and we are still working on it."

The iPhone model in question has yet to be identified, but Apple's iOS operating system has for years provided password-based and remote data wipe options as part of its security suite. The ability to erase phone data is just one facet of a comprehensive encryption system built to secure a highly sensitive personal information, including passwords, contacts, biometric data, financial data and more. Apple took an extra step with end-to-end encryption in iOS 8, a protocol the company claims even it can't break.

Update: The Washington Post adds detail to today's court order, saying the phone in question is running Apple's latest iOS 9 operating system. Once the auto-wipe feature is deactivated, technicians can conduct a brute force attack to unlock the code, but it is not clear that Apple is capable of such a feat.
SAVE AS MANY AS YOU CAN

Offline RE

  • Administrator
  • Chief Cook & Bottlewasher
  • *****
  • Posts: 32539
    • View Profile
Apple faces down the FBI & DoJ
« Reply #1 on: February 17, 2016, 02:49:53 AM »
Apple is facing down the FBI & the DoJ.  This is about the first time I can support Apple on anything.

RE

http://www.macrumors.com/2016/02/17/cook-open-letter-backdoor-fbi-san-bernardino/

Tim Cook: Apple Won't Create 'Backdoor' to Help FBI Access San Bernardino Shooter's iPhone

Wednesday February 17, 2016 1:35 am PST by Husain Sumra
Apple CEO Tim Cook has posted an open letter to Apple customers announcing that the company would oppose an order from a U.S. Federal judge to help the FBI access data on an iPhone 5c used by San Bernardino shooter Syed Farook. Cook says that this moment is one for public discussion, and that the company wants its customers to understand what's at stake.

appleresponse
Cook starts the letter noting that smartphones have become an essential part of people's lives and that many people store private conversations, photos, music, notes, calendars and both financial and health information on their devices. Ultimately, Cook says, encryption helps keep people's data safe, which in turn keeps people's personal safety from being at risk.

He then goes on to say that Apple and its employees were "shocked and outraged" by the San Bernardino attack and that Apple has complied with valid subpoenas and search warrants from federal investigators. Apple has also made engineers available to advise the FBI in addition to providing general advice on how they could go about investigating the case. However, Cook says that's where Apple will draw the line.

    We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.

    Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

Cook says that while the government is suggesting that bypassing a feature that disables an iPhone after a certain number of failed password attempts could only be used once and on one device, that suggestion is "simply not true." He says that once created, such a key could be used over and over again. "In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks -- from restaurants and banks to stores and homes," Cook says.

The move, Cook says, would undermine Apple's decades of work on security advancements that keep its customers safe. He notes the irony in asking Apple's security engineers to purposefully weaken the protections they created. Apple says they found no precedent of an American company being forced to expose its customers, therefore putting them at a greater risk of attack. He notes that security experts have warned against weakening encryption as both bad guys and good guys would be able to take advantage of any potential weaknesses.

Finally, Cook says that the FBI is proposing what Apple calls an "unprecedented use" of the All Writs Act of 1789, which authorizes federal courts to issue all orders necessary or appropriate "in aid of their respective jurisdictions and agreeable to the usages and principles of law." The chilling effect of this use, Cook argues, would allow the government power to capture data from any device or to require Apple to create a data collection program to intercept a customer's data, potentially including infringements like using a phone's camera or microphone without user knowledge.

Cook concludes Apple's open letter by saying the company's opposition to the order is not an action they took lightly and that they challenge the request "with the deepest respect for democracy and a love for our country." Ultimately, Apple fears these demands would "undermine the very freedoms and liberty our government is meant to protect."

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.
SAVE AS MANY AS YOU CAN

Offline Palloy

  • Moderator
  • Sous Chef
  • *****
  • Posts: 3754
    • View Profile
    • https://palloy.wordpress.com
Re: Judge orders Apple to access iPhone belonging to San Bernadino shooter
« Reply #2 on: February 17, 2016, 02:55:56 PM »
I hope all iPhone users understand that if you fail at entering your password 10 times in a row, the OS will delete ALL your data!  While this is exactly what you want if you are a terrorist with incriminating evidence among that data, it might be more than an inconvenience to most users to have all their data and app settings deleted.

Two implications follow from this.  Either users will choose a password that is easy to remember and key in without mistakes (how about "123456" or "password" ?) rendering the password protection useless, or users will back up their data to somewhere else, protected with less security than iOS provides.

Anyway it is nice to have it confirmed once again that there is encryption that NSA can't crack.
The State is a body of armed men

Offline RE

  • Administrator
  • Chief Cook & Bottlewasher
  • *****
  • Posts: 32539
    • View Profile
Re: Judge orders Apple to access iPhone belonging to San Bernadino shooter
« Reply #3 on: February 17, 2016, 03:43:19 PM »
Anyway it is nice to have it confirmed once again that there is encryption that NSA can't crack.

I tend to agree with that, and it's the first thing I will give Apple the :emthup: for since the original Macintosh.

However, there is another camp on Zero Hedge and here with KD that maintains this is really just a Dog & Pony show and they ALREADY have a back door in to the iOS and they are just using this as a means to get it codified into law that all communications systems have to have a back door for Law Enforcement to go in for cases of "terrorism".

However, if they did that and made it explicit it would absolutely KILL iPhone sales.  Not so much here because you wouldn't have a choice, but in China and Russia.  Nobody over there would buy an Iphone if they knew that the NSA had a back door in, and Samsung and LG would build models for that market.  I'm sure some manufacturer would be willing to sacrifice the 330M potential customers of the FSoA market to provide phones to the 1.3B strong Chinese market instead.  That is a no-brainer.

Then of course there is the high likelihood that App developers would come up with aftermarket encryption systems that circumvent this.  You might say you can't do this because the OS could always have a keystroke recorder, but you could provide an external keyboard that does the encryption and then Bluetooth the already encrypted file over to the phone.  AS long as you can do the encryption on a clean not-web-connected device, I can't see a way to stop this, short of getting rid of BT connectivity.

What I did already in this regard was to install an Android version of GPG4USB on one of the phones I don't use, then after encrypting a file I can BT it over to the phone I do use, which also has GPG4USB on it to do the decryption on that phone if I need to.  I suppose at that point the phone could then send the decrypted file to the NSA unbeknownst to me though.

The Final Decryption Solution is to simply have a MicroComputer dedicated strictly to the task of encryption/decryption which you BT connect to the cell phone.  Only encrypted files go on the cell phone.  When you need to decrypt, you BT it over to the Microcomputer, decrypt and read, answer, encrypt and BT it back over to the phone for transmission over the 4G network or Wi-Fi.

In fact, such a MC/BT/GPG4USB Encryptor would be a nice project for you PY!  :icon_sunny:  It will need a small thumb keyboard, a small screen, BT connectivity and be battery operated.  Let me know when you have a model for Beta Testing!
« Last Edit: February 17, 2016, 03:50:04 PM by RE »
SAVE AS MANY AS YOU CAN

Offline RE

  • Administrator
  • Chief Cook & Bottlewasher
  • *****
  • Posts: 32539
    • View Profile
How to make a Bulletproof and unforgetable, EZ to retrieve password
« Reply #4 on: February 17, 2016, 04:24:46 PM »

Two implications follow from this.  Either users will choose a password that is easy to remember and key in without mistakes (how about "123456" or "password" ?) rendering the password protection useless, or users will back up their data to somewhere else, protected with less security than iOS provides.

Nope. There is a way to make an uncrackable long password you cannot forget.

Here is how you do it.  Take any passage from the Bible or Shakespeare or just any old thing you can remember easily.  For this demonstration, I will use Save As Many As You Can to start the password construction process.

Now I will take that line and encrypt it with GPG4USB, NOT using the same Keys I use for other transmissions of information, it is totally separate from them and on another machine not web connected.  That comes out like this:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1

hQEMAxs2kIl20LzKAQgApIEMs9rG2AIXQy7tIxPIUQN6tjUfqOz/NX/pmHTR16l4
UsgI9G5NqIuelX4/4l9PCw+PIJPdB0esCZ7INevDSlgcuqFyLD+Om1zeJsFz5kFo
f9NeusoCMi+dE6m9DX8lM1jXy+TCKm9ByORI8MwHo6FLI/8MqOFcRoI6bdTNnvHF
nS6F47+Z6gFDL/VsrzR1167aClHZSMM3cXo+ntr56Dk1+JGaEHEeg4YV1hj4ZsSi
8yC22aoB/eQptzRyuSA8w2/prst0TGdEbv7S6OBTCw1gnDzqcorEUpriblcm/+IO
hPk5jlZfaYbfJGAuOu8fIFMOHoHMHpzEPSATMWUg5NJQAXndyRyFgNwms9bSVtuC
A3QzVRurN9KylWMS8G8U1RQJsS72qhGFa/+MWaAxLnclqEsrpH8VWRVWHpaQkaUN
t6NGiUyGHRmCIXepI30Qwxg=
=mfG1
-----END PGP MESSAGE-----


Now for my Password I use for secure accounts I will use the first line of this encryption.

hQEMAxs2kIl20LzKAQgApIEMs9rG2AIXQy7tIxPIUQN6tjUfqOz/NX/pmHTR16l4

You can't brute force this Password inside the next Million years.

Now, I will need to store this encrypted file on my computer in case I forget the sequence, which since it is really long I doubt I can remember.  So I take this file and store it in a new encrypted file with any old EZ to remember password at all, it could even be 12345.  In order to crack this, the Spook would need to have access to my computer and need to figure out which file of the thousands on my computer has my passwords in it, before he could even try to crack that one.

Obviously, I don't even have to always use the first line, I could choose the second one for some purposes, or a shorter sequence for others. Any randomly chosen 12 character sequence from this would be hard to crack, and that I could memorize easily.

RE
SAVE AS MANY AS YOU CAN

Offline Palloy

  • Moderator
  • Sous Chef
  • *****
  • Posts: 3754
    • View Profile
    • https://palloy.wordpress.com
Re: Judge orders Apple to access iPhone belonging to San Bernadino shooter
« Reply #5 on: February 17, 2016, 05:58:31 PM »
Quote
install an Android version of GPG4USB on one of the phones I don't use, then after encrypting a file I can BT it over to the phone I do use, which also has GPG4USB on it to do the decryption on that phone if I need to.

I would suggest not having GPG4USB on the second phone.  That means you need the first phone to encrypt and decrypt.  Since the first phone never goes online or makes a call, it could be even simpler than a standard phone - no camera, no GPS, no SIM slot, no OTG socket, no Android (Lubuntu instead).

This Samsung S390G sells on eBay for $8.50, excluding contract, but locked to Net10 (which you don't care about).  They must be subsidised by Net10 as a loss-leader, making them cheaper than cost.  Start by uninstalling all the junk apps you can, taping over the camera, putting epoxy in the OTG socket and SIM slot.



I don't know how you would go getting it through an airport.
The State is a body of armed men

Offline jdwheeler42

  • Global Moderator
  • Sous Chef
  • *****
  • Posts: 3289
    • View Profile
    • Going Upslope
Re: How to make a Bulletproof and unforgetable, EZ to retrieve password
« Reply #6 on: February 17, 2016, 07:23:31 PM »

Two implications follow from this.  Either users will choose a password that is easy to remember and key in without mistakes (how about "123456" or "password" ?) rendering the password protection useless, or users will back up their data to somewhere else, protected with less security than iOS provides.

Nope. There is a way to make an uncrackable long password you cannot forget.

Here is how you do it.  Take any passage from the Bible or Shakespeare or just any old thing you can remember easily.  For this demonstration, I will use Save As Many As You Can to start the password construction process.

Now I will take that line and encrypt it with GPG4USB, NOT using the same Keys I use for other transmissions of information, it is totally separate from them and on another machine not web connected.  That comes out like this:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1

hQEMAxs2kIl20LzKAQgApIEMs9rG2AIXQy7tIxPIUQN6tjUfqOz/NX/pmHTR16l4
UsgI9G5NqIuelX4/4l9PCw+PIJPdB0esCZ7INevDSlgcuqFyLD+Om1zeJsFz5kFo
f9NeusoCMi+dE6m9DX8lM1jXy+TCKm9ByORI8MwHo6FLI/8MqOFcRoI6bdTNnvHF
nS6F47+Z6gFDL/VsrzR1167aClHZSMM3cXo+ntr56Dk1+JGaEHEeg4YV1hj4ZsSi
8yC22aoB/eQptzRyuSA8w2/prst0TGdEbv7S6OBTCw1gnDzqcorEUpriblcm/+IO
hPk5jlZfaYbfJGAuOu8fIFMOHoHMHpzEPSATMWUg5NJQAXndyRyFgNwms9bSVtuC
A3QzVRurN9KylWMS8G8U1RQJsS72qhGFa/+MWaAxLnclqEsrpH8VWRVWHpaQkaUN
t6NGiUyGHRmCIXepI30Qwxg=
=mfG1
-----END PGP MESSAGE-----


Now for my Password I use for secure accounts I will use the first line of this encryption.

hQEMAxs2kIl20LzKAQgApIEMs9rG2AIXQy7tIxPIUQN6tjUfqOz/NX/pmHTR16l4

You can't brute force this Password inside the next Million years.

Now, I will need to store this encrypted file on my computer in case I forget the sequence, which since it is really long I doubt I can remember.  So I take this file and store it in a new encrypted file with any old EZ to remember password at all, it could even be 12345.  In order to crack this, the Spook would need to have access to my computer and need to figure out which file of the thousands on my computer has my passwords in it, before he could even try to crack that one.

Obviously, I don't even have to always use the first line, I could choose the second one for some purposes, or a shorter sequence for others. Any randomly chosen 12 character sequence from this would be hard to crack, and that I could memorize easily.

RE
Yes, but... it still is not easy to remember.

One option that is really underutilized is the passphrase.  Take that phrase from a passage in the Bible, a Shakespeare play, or your favorite Eminim rap for that matter, and use it directly.  I know they say to use a mix of letters, numbers, and symbols, and to never use words from the dictionary, but that is just talking about the strength of a given length of characters.  A phrase 32 letters long is about as hard to crack as a password of 7-8 random characters, but "We the People of the United States" is much easier to remember than "lk39udKJ".
Making pigs fly is easy... that is, of course, after you have built the catapult....

Offline RE

  • Administrator
  • Chief Cook & Bottlewasher
  • *****
  • Posts: 32539
    • View Profile
Re: Judge orders Apple to access iPhone belonging to San Bernadino shooter
« Reply #7 on: February 17, 2016, 08:34:52 PM »
Quote
install an Android version of GPG4USB on one of the phones I don't use, then after encrypting a file I can BT it over to the phone I do use, which also has GPG4USB on it to do the decryption on that phone if I need to.

I would suggest not having GPG4USB on the second phone.  That means you need the first phone to encrypt and decrypt.  Since the first phone never goes online or makes a call, it could be even simpler than a standard phone - no camera, no GPS, no SIM slot, no OTG socket, no Android (Lubuntu instead).

I don't know how you would go getting it through an airport.

If I actually HAD something to hide from the NSA I might consider something like that, but I don't.  I'm NOT a "terrorist", I'm an aging cripple in Alaska!  LOL.  I pose a threat to TPTB that is measured in the Negative Imaginary Numbers.  ::)  If they have a Spook assigned to watching me, they are seriously wasting taxpayer money.

I do these things as a thought experiment to see just how EZ it really is to circumvent this kind of bullshit.  Any REAL terrorist who is not a complete imbecile like the folks who occupied the Wildlife sanctuary should be able to think of these things too, it's not fucking Rocket Science.  Certainly, any decent size state even the fucking Iranians can do better than just using a stock Iphone  for secure communications.  ::)  Back in the day, we even had Iranians in the Blackboard club in Havemeyer, they may wear Towels on their heads but they're not all mathematical imbeciles.

Everything I write is perfectly suitable to put up unencrypted on a PG to R rated website.  Besides that, the total audience is relatively microscopic in the grand scheme of things, although decent enough by collapse website standards.  I don't worry at all about some Spooks listening to my rants, in fact I hope they do, it keeps them occupied and off somebody else's website!  I have much more concern about Hackers, Spammers and Trolls messing with my accounts, and for this I don't need to go completely nuts on the security end, reasonable stuff works well enough.  For this, just passing our passwords across the net end-to-end encrypted is quite sufficient I think.

The whole controversy does elucidate some important things though.  One of them here is that if it is indeed true that Apple does not already have a backdoor in place, Trump can scream all he likes and the DoJ can drop an injucntion on Apple, but they won't be able to break the encryption any better than the NSA can.  You can't force someone to break an unbreakable code if they set up the code protocols to make it unbreakable.  You can waterboard them and rape their children in from of them, they STILL could not help you.

This Newz Propaganda story is not about the CA case at all.  It's about future cases and trying to get such backdoors installed in FUTURE OP systems.  Which they may very well succeed in doing, but the encryption methodology is now well known and you don't need Apple or Samsung or LG or Motorola to do encryption for you automatically, although granted it's easier if it is part of the OP system.  All anybody needs is 3 things:

1 Web connected computer (phone)
1 Web unconnected computer (phone) with nothing on it but your own vetted encryptor
1 Bluetooth or USB connection between the two computers

Like Gunz, high power encryption technology is a secret already out of the bag.  It's available to just about everybody.

RE
SAVE AS MANY AS YOU CAN

Offline Palloy

  • Moderator
  • Sous Chef
  • *****
  • Posts: 3754
    • View Profile
    • https://palloy.wordpress.com
Re: Judge orders Apple to access iPhone belonging to San Bernadino shooter
« Reply #8 on: February 17, 2016, 08:48:11 PM »
If the passphrase is "We the peop.................", it is not very safe from the rest of it being guessed (just Google it).  Similarly the content of a PGP message consists only of the characters A-Z, a-z, 0-9, / and + (the Base64Encode set), so if you had to guess what comes after "hQEMAxs2kIl20LzKAQgApIEM" you are at least better off choosing from that 64 character set than if you had to choose from the full 256 character set.

So far better to use the full 256 character set.  Not all characters are printable/displayable/keyable, but they are with the use of colour and a simple convention on colour usage.  Passphrases can be up to 64 characters long (I think, will check), so the best passphrase should be 64 x 8 = 256 bits long with every bit being random, and could be stored in a file buried somewhere deep inside the OS files, like
/usr/lib/xorg/modules/extensions/libglx2.so with permissions 0644 and pointed at by a symlink in /opt/ . Then "cat /opt/xorg" outputs the password, copy-paste into GPG4USB to unlock your private key.

Of course the whole thing falls flat if your computer is compromised, and you should assume your computer is compromised if it has ever been out of your control, like left in a hotel room while you are out drinking ("evil maid" scenario), or taken away for examination by airport authorities (see "Fear and Loathing in Portland #8).

If I was a terrorist I would NEVER go through an airport.
The State is a body of armed men

Offline Palloy

  • Moderator
  • Sous Chef
  • *****
  • Posts: 3754
    • View Profile
    • https://palloy.wordpress.com
Re: Judge orders Apple to access iPhone belonging to San Bernadino shooter
« Reply #9 on: February 17, 2016, 09:15:12 PM »
Quote
if it is indeed true that Apple does not already have a backdoor in place, Trump can scream all he likes and the DoJ can drop an injucntion on Apple, but they won't be able to break the encryption any better than the NSA can.

That's not the point.  The private keys are on file, encrypted by iOS, so if you can get iOS running, you can access the keys.  The roadblocks are the password to switch the iPhone on, and the passphrase to unlock the private key.  They can brute force the latter, but they can't brute force the iOS password - ten failed tries and it wipes everything.  NSA are asking for an iOS with the front door unlocked, not a backdoor.
The State is a body of armed men

Offline RE

  • Administrator
  • Chief Cook & Bottlewasher
  • *****
  • Posts: 32539
    • View Profile
Re: Judge orders Apple to access iPhone belonging to San Bernadino shooter
« Reply #10 on: February 18, 2016, 02:16:44 AM »

Of course the whole thing falls flat if your computer is compromised, and you should assume your computer is compromised if it has ever been out of your control, like left in a hotel room while you are out drinking ("evil maid" scenario), or taken away for examination by airport authorities (see "Fear and Loathing in Portland #8).


How about you bury your passphrase under one of the 1000s of pics you have in your computer, after you have encrypted the passphrase with a different key buried under another pic?  You could go several pictures deep with this and you would have to know the sequence of pics in order to do all the decryptions correctly.

I can't see how you could even automate that to brute force it.

RE
SAVE AS MANY AS YOU CAN

Offline RE

  • Administrator
  • Chief Cook & Bottlewasher
  • *****
  • Posts: 32539
    • View Profile
Re: Judge orders Apple to access iPhone belonging to San Bernadino shooter
« Reply #11 on: February 18, 2016, 03:27:56 AM »
Of course the whole thing falls flat if your computer is compromised, and you should assume your computer is compromised if it has ever been out of your control, like left in a hotel room while you are out drinking ("evil maid" scenario), or taken away for examination by airport authorities (see "Fear and Loathing in Portland #8).

If I was a terrorist I would NEVER go through an airport.

Got this problem solved.

To make it much stronger, you can take a passphrase and do an old fashioned cypher on it.

Start with a phrase of 20 characters or less.

SAVEASMANYASYOUCAN

Next, substitute a 3 digit number for each letter, starting at a random number you remember, like 666 for A.

Now your original passphrase of 20 characters (actually 18 for the example) has 54 numbers.

Next make a rule for each succeeding letter, like -1 for the first digit, +3 for the last.  So B would be 569.  C would be 472.

So the word CAB would be

472666569

Now get Tricky and substitute Special Characters for a numbers that show up often.  For instance,  put the & or $ sign anywhere there is a 6 in alternating order.

Now it looks like

472&$&5$9

Finally, for the Piece de Resistance, Transpose a couple of numbers, like say the 2nd number from the beginning with the last number.

So now it looks like

492&$$&5$7

This completely bollixes up all the 3 number sequences through all 50-60 characters.

This is now your passphrase.

To be able to reconstruct it, all you have to remember is the original phrase, and your 3 rules for jumbling it up.  A brute force attack knows none of your rules, all it sees is an apparently random series of numbers and special characters.

On your trip through airport security, say they do go through your files and find something encrypted.  Put your encrypted stuff in your download folder.

You claim ignorance of the file.  “I have no idea what that is.  Maybe malware downloaded it, I don't know?”

Nowhere on your computer is there information stored on what the passphrase is or how it was constructed.  This only exists in your head, it can't be hacked out, only tortured out perhaps, but if you claim ignorance of the file to begin with, unless you are otherwise really suspect of nefarious deeds, they will probably not torture you to try to decrypt a file you claim to know nothing about.

The example above is just one way to do this sort of thing.  The point is you can generate a very long and complex passphrase with just a few simple rules you can remember, so you don't need to store the passphrase on your computer at all.  This locks up all files using this passphrase and there is no way to break it other than brute force (or torture of course).

RE

SAVE AS MANY AS YOU CAN

Offline RE

  • Administrator
  • Chief Cook & Bottlewasher
  • *****
  • Posts: 32539
    • View Profile
New Password Construction Method
« Reply #12 on: February 18, 2016, 04:03:55 AM »
OK, I just had a BRAINSTORM on how to create an unnbreakable passwprd or phrase requiring only ONE rule you need to remember!

Here is a password constructed with the NEW method  :icon_sunny:

2X#c4V%b6N&m

This is an extremely simplified one to see if any of the other cyber security paranoids here can figure out the methodology, which can be altered in numerous ways to make your own rule.  I would NEVER use the rule I used for this one, it's just too EZ once you understand the concept.

I am interested to see if anyone can even guess the concept.  I set this one up with a rule that makes it possible to figure out the concept, if not the password.

Good Luck!

RE
SAVE AS MANY AS YOU CAN

Offline RE

  • Administrator
  • Chief Cook & Bottlewasher
  • *****
  • Posts: 32539
    • View Profile
FBI asked San Bernardino to reset the password for shooter’s phone backup
« Reply #13 on: February 20, 2016, 11:42:57 PM »
Never forget "The Cloud" is out there copying everything.


RE

https://www.washingtonpost.com/world/national-security/fbi-asked-san-bernardino-to-reset-the-password-for-shooters-phone-backup/2016/02/20/21fe9684-d800-11e5-be55-2cc3c1e4b76b_story.html

National Security
FBI asked San Bernardino to reset the password for shooter’s phone backup


The Justice Department is in high-stakes battle with Apple over whether the government can use the courts to force Apple to create software to help it unlock a customer’s iPhone. (Erik S. Lesser/EPA)

By Ellen Nakashima and Mark Berman February 20 at 9:20 PM

In the chaotic aftermath of the shootings in San Bernardino, Calif., in December, FBI investigators seeking to recover data from the iPhone of one of the shooters asked a technician in the California county to reset the phone’s iCloud password.

But that action foreclosed the possibility of an automatic backup to the Apple iCloud servers that might have turned up more clues to the origins of the terrorist attack that killed 14 people.

“The county and the FBI were working together cooperatively to obtain data, and at the point when it became clear the only way to accomplish the task at hand was to reset the iCloud password, the FBI asked the county to do so, and the county complied,” David Wert, a spokesman for San Bernardino County, said in an email.

The Justice Department disclosed the apparent misstep in a court filing Friday, which is part of a larger, high-stakes battle over whether the government can use the courts to force Apple to create software to help it unlock a customer’s iPhone — in this case, one used by Syed Rizwan Farook. Farook, a county health worker, and his wife were killed in a firefight with police hours after the Dec. 2 attack.

[Why Apple is in a historic fight with the government over one iPhone.]
Apple chief executive Tim Cook, shown here in a 2013 appearance before a Senate committee, has pledged to fight an order to help the federal government access data officials believe is stored on the iPhone linked to the San Bernardino terrorists. (Shawn Thew/EPA)

“This was happening hours after the worst terror attack since 9/11, and there were still credible reports of a third shooter,” said a federal law enforcement official, speaking on the condition of anonymity to discuss an ongoing investigation. “It was a very dynamic time, and the number one priority was figuring out what happened and if there were more attacks coming.”

According to senior Apple executives, the FBI’s first call to Apple for help came on Saturday, Dec. 5, at 2.46 a.m. With a subpoena, the bureau obtained subscriber data and other details. On Sunday, the FBI, with a warrant, obtained data from Farook’s iPhone that had been backed up to iCloud. That backup contained information only through Oct. 19, six weeks before the attack.

The same Sunday, the FBI asked the county for help in retrieving data from the phone, Wert said in an interview. “So the county said we could get to the information on the cloud if we changed the password or had Apple change the password,” he said. “The FBI asked us to do that, and we did.”

It is not clear why the FBI needed to reset the password if it was able to obtain the backed-up data from Apple.

Nonetheless, by resetting the password, the county, which owned Farook’s phone, and the FBI eliminated the possibility of seeing whether additional data beyond Oct. 19 might be recovered from the phone through the auto-backup feature, experts said.

The FBI in a court filing said Farook “may have disabled” the auto-backup. But, tech experts said, there might be other reasons the phone did not back up: It was not near a WiFi network it was familiar with, such as his home or workplace, or it was not turned on long enough to back up. With the password changed, it is impossible to know.

“Even though it has been reported that the iCloud backups were disabled, there still is data that may have been recoverable,” said security expert Dan Guido, chief executive of Trail of Bits. Depending on the phone’s settings, it might have synched notes, emails, address books — perhaps geolocation data — with the company’s network.
Why Apple refuses to hack into the San Bernardino shooter's iPhone
Play Video1:32
Apple CEO Tim Cook released a statement arguing against the FBI's recent order to hack into the San Bernardino shooter's iPhone 5c. See why he and Apple are refusing to do so. (Jhaan Elker/The Washington Post)

In a statement Saturday night, an FBI spokesperson said the bureau’s goal “was, and still is,” to extract as much evidence as possible from the phone. Tests previously conducted by the FBI showed that “direct data extraction” from Apple’s mobile devices often yields more data than an iCloud backup, the spokesperson said.

“Even if the password had not been changed and Apple could have turned on the auto-backup and loaded it to the cloud, there might be information on the phone that would not be accessible” without Apple’s help, the spokesperson said.

The showdown between Apple and the government arises out of the FBI’s inability to recover data from Farook’s phone, especially for the weeks prior to the attack. The Justice Department on Tuesday got a federal judge to order Apple to build software to override an auto-wipe feature on the phone that deletes data after 10 failed tries to enter a password. The FBI could then try to crack the phone’s password by “brute force,” making many attempts without risking the wiping of the data.

Apple chief executive Tim Cook said the firm would challenge the order, warning that it would set a “chilling” precedent that could lead to more invasive requests for data. On Friday, the Justice Department fired back, charging that Apple’s stance was motivated by “marketing” concerns as it promotes itself as a protector of consumer privacy.
SAVE AS MANY AS YOU CAN

Offline RE

  • Administrator
  • Chief Cook & Bottlewasher
  • *****
  • Posts: 32539
    • View Profile
Apple to argue First Amendment rights in FBI decryption battle
« Reply #14 on: February 24, 2016, 02:51:13 AM »
http://appleinsider.com/articles/16/02/24/apple-to-argue-first-amendment-rights-in-fbi-decryption-battle

Apple to argue First Amendment rights in FBI decryption battle

By Mikey Campbell   
Tuesday, February 23, 2016, 10:17 pm PT (01:17 am ET)
As expected, Apple intends to argue its First Amendment rights as part of a multi-pronged legal strategy designed to flout a court order compelling the company unlock an iPhone linked to last year's San Bernardino shootings.


Theodore Boutrous, Jr., one of two high-profile attorneys Apple hired to handle its case, said a federal judge overstepped her bounds in granting an FBI motion that would force the company to create a software workaround capable of breaking iOS encryption, reports the Los Angeles Times.

Specifically, U.S. Magistrate Judge Sheri Pym last week ordered Apple to help FBI efforts in unlocking an iPhone 5c used by San Bernardino shooting suspect Syed Rizwan Farook, a directive that entails architecting a bypass to an iOS passcode counter. Government lawyers cited the All Writs Act of 1789 as a legal foundation for its request, a statute leveraged by the FBI in at least nine other cases involving iOS devices.

While the act itself is 227 years old, lawmakers have updated the document to cover a variety of modern concerns, most recently as applied to anti-terrorism operations. In essence, All Writs is a purposely open-ended edict designed to imbue federal courts with the power to issue orders when other judicial tools are unavailable.

A 1977 Supreme Court reading of the All Writs Act is often cited by law enforcement agencies to compel cooperation, as the decision authorized an order that forced a phone company's assistance in a surveillance operation. In Apple's case, however, there is no existing technology or forensics tool that can fulfill the FBI's ask, meaning Apple would have to write such code from scratch.

"The government here is trying to use this statute from 1789 in a way that it has never been used before. They are seeking a court order to compel Apple to write new software, to compel speech," Boutrous told The Times. "It is not appropriate for the government to obtain through the courts what they couldn't get through the legislative process."

Boutrous intimated that the federal court system has already ruled in favor of treating computer code as speech. In 1999, a three-judge panel of the 9th U.S. Circuit Court of Appeals, which covers California, ruled that source code relating to an encryption system was indeed protected under the umbrella of free speech. That opinion was later rendered moot, however, meaning there is no direct legal precedent to support Apple's arguments.

The comments expressed by Boutrous echo those of Apple CEO Tim Cook, who earlier this week called for the government to drop its demands and instead form a commission or panel of experts "to discuss the implications for law enforcement, national security, privacy and personal freedoms."

Apple is scheduled to file its response to last week's order on Friday.
SAVE AS MANY AS YOU CAN

 

Related Topics

  Subject / Started by Replies Last post
0 Replies
285 Views
Last post November 17, 2016, 01:16:07 PM
by Palloy
0 Replies
476 Views
Last post November 18, 2016, 02:36:11 PM
by Palloy
0 Replies
150 Views
Last post March 21, 2017, 07:00:24 PM
by Palloy2