FBI wants to pwn your iPhone (and Apple)

Unless you live under a rock (or use a BlackBerry?), you have no doubt heard about the brouhaha over Apple’s latest battle against the FBI and DOJ. In summary, the FBI has a court order containing very specific technical requests for Apple to implement in order to unlock the iPhone 5C used by one of the San Bernardino terrorists, Syed Rizwan Farook. The attack by Farook and his wife on December 2, 2015 killed 14 people.

Apple doesn’t want to do it, so it’s very likely this battle will be drawn out.

First, the good news: this court order is the FBI’s admission that it cannot break Apple’s encryption on iOS, the operating system of its mobile devices. If you enable an unlock PIN and/or Touch ID and run iOS 8 or later, your data is even more secure.

(On a side note: Why hasn’t such a court order been seen for an Android device? Ponder that for a moment…)

Besides strong encryption, Apple also implements features to thwart brute force attempts to compromise an iOS device:

  • The user data can be wiped after a certain number of incorrect PIN entries
  • There’s a delay after every incorrect PIN entry
  • The PIN has to be manually entered on the screen

Thus, the court order aims to compel Apple to create a specialized, custom iOS for the seized iPhone 5C that will bypass the above three security features. In essence, the FBI wants to be able to have unlimited PIN guesses with no delays via a wired or wireless connection.
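As an added illustration that is not part of the original post, the following Python models the three controls above the way a defender would implement them (throttle, wipe, on-screen entry only) and totals how much waiting the delays alone impose on an exhaustive search of a four-digit PIN space. The delay schedule, wipe threshold and the "touchscreen" source label are constructed values for illustration, not Apple's.

```python
import hmac
import time
from typing import Optional

# Lockout (seconds) after the Nth consecutive failure, and the wipe threshold.
# Constructed, illustrative schedule; not Apple's actual numbers.
DELAY_AFTER_FAILURE = {5: 60, 6: 300, 7: 900, 8: 900}
MAX_DELAY = 3600                  # every failure from the 9th on
WIPE_AFTER_FAILURES = 10
ACCEPTED_SOURCE = "touchscreen"   # PIN must be typed on the device's own screen


def delay_for(failures: int) -> int:
    """Seconds the device stays locked after this many consecutive failures."""
    return DELAY_AFTER_FAILURE.get(failures, MAX_DELAY if failures >= 9 else 0)


class UnlockGuard:
    """State machine applying the three controls: throttle, wipe, manual entry."""

    def __init__(self, pin: str, erase_on_limit: bool = True, clock=time.monotonic):
        self._pin, self._erase, self._clock = pin, erase_on_limit, clock
        self.failures, self.locked_until, self.wiped = 0, 0.0, False

    def attempt(self, guess: str, source: str = ACCEPTED_SOURCE, now=None) -> str:
        """Return 'ok', 'wrong', 'throttled', 'rejected_source' or 'wiped'."""
        now = self._clock() if now is None else now
        if self.wiped:
            return "wiped"
        if source != ACCEPTED_SOURCE:        # no PIN submission over USB or Wi-Fi
            return "rejected_source"
        if now < self.locked_until:          # guess is not even evaluated
            return "throttled"
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self._erase and self.failures >= WIPE_AFTER_FAILURES:
            self.wiped, self._pin = True, ""  # key material discarded
            return "wiped"
        self.locked_until = now + delay_for(self.failures)
        return "wrong"


def seconds_to_exhaust(pin_space: int, erase_on_limit: bool) -> Optional[float]:
    """Enforced waiting time to try every PIN in the space (worst case: the
    correct PIN is last). None means the device wipes before the space is covered."""
    if erase_on_limit and pin_space > WIPE_AFTER_FAILURES:
        return None
    return float(sum(delay_for(n) for n in range(1, pin_space)))
```

With the constructed schedule, covering all 10,000 four-digit PINs with wipe disabled takes about 416 days of enforced waiting, and with wipe enabled the device erases itself long before; removing exactly those two controls is what the order asks for.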

My take (and there are others) is that Apple probably has the technical capability to achieve this and grant the government’s wishes. However, I do not think Apple should comply without a fight, simply because of the precedent this would set. Consider these scenarios and consequences:

  • Think about how many Apple devices get seized and are investigated by law enforcement. It would be burdensome for Apple to have to create a custom iOS tailored to each individual device in order to assist authorities in such matters.
  • What if such a custom iOS is leaked to the wild or sold to the highest bidder, either by a member of law enforcement or even by an employee of Apple? Imagine the damage if a nation-state or hacker has access to this.
  • Should the FBI win this battle, foreign governments will likely follow suit, knowing Apple could be compelled to assist their authorities in unlocking devices.

American corporations are not agents of the U.S. government. If this battle is lost, then most tech companies will need a special department just to serve the FBI, NSA, TSA, and other three-letter agencies. There is distrust between the people and the government today, and that’s why most people side with Apple on this issue, especially when people rely so heavily on mobile devices to store personal data. The fear is that such a precedent would allow the government to encroach further into our personal lives.


The Last Days of Target

From Canadian Business, the details of how Target failed in Canada. A good case study in managing global IT (in particular, the bloated SAP software suite)?

The company had also been learning more about using SAP correctly. Former employees describe decoding SAP as like peeling an onion—it had multiple layers and made you want to cry. One initiative in particular greatly improved Target’s data quality. A technology team was finally able to install an automatic verification feature to catch bad data before it could enter SAP and wreak havoc. If an employee entered a UPC that was short one digit, for example, the system wouldn’t allow that purchase order to proceed until the code was correct. The technology Target used in the U.S. has these checks and balances, as do other retailers who use SAP. Target Canada finally implemented a verification tool in 2014, according to a former employee who was involved, owing to time constraints. “This happened very late in the game.”

Emphasis mine.