Apple Vs FBI: We tried to help the FBI but someone changed phone's iCloud password
Transliteration... The feds tampered with the phone and apparently fucked up their own investigation.
The idea was to force the iPhone 5C to auto-backup to Farook's iCloud account. With a legal court order, Apple can and does turn over iCloud data. For some reason, Farook had not backed up the phone for roughly six weeks prior to the attack. The executive said Apple does not know whether the auto-backup was disabled or enabled, but he did say that the previous iCloud backups, which were handed over to investigators, were sporadic.
Apple suggested that the FBI take the iPhone 5C, plug it into a wall, connect it to a known Wi-Fi network and leave it overnight. The FBI took the phone to the San Bernardino County Health Department, where Farook worked prior to the December 2, 2015 attack.
When that attempt did not work, Apple was mystified, but soon found out that the Apple ID account password had been changed shortly after the phone was in the custody of law enforcement, possibly by someone from the county health department. With no way to enter the new password on the locked phone, even attempting an auto-backup was impossible. Had this iCloud auto-backup method actually functioned, Apple would have been easily able to assist the FBI with its investigation.
The executive only revealed this detail to reporters now because it had thought it was under a confidentiality agreement with the government. Apple seems to believe this agreement is now void since the government brought it up in a public court filing.
http://arstechnica.com/tech-policy/2016/02/apple-we-tried-to-help-fbi-terror... -- RR "Through counter-intelligence it should be possible to pinpoint potential trouble-makers ... And neutralize them, neutralize them, neutralize them"
On 02/20/2016 02:08 PM, Rayzer wrote:
Transliteration... The feds tampered with the phone and apparently fucked up their own investigation.
So according to this account, for reasons unknown the FBI violated the most fundamental principles of digital forensics by failing to make a complete backup of the stored content of the device before doing anything else with or to it. Then /also/ quite deliberately destroyed its evidentiary value by delivering it into the custody and control of some random idiot. I find this narrative /very/ difficult to believe:
The idea was to force the iPhone 5C to auto-backup to Farook's iCloud account. With a legal court order, Apple can and does turn over iCloud data. For some reason, Farook had not backed up the phone for roughly six weeks prior to the attack. The executive said Apple does not know whether the auto-backup was disabled or enabled, but he did say that the previous iCloud backups, which were handed over to investigators, were sporadic.
Apple suggested that the FBI take the iPhone 5C, plug it into a wall, connect it to a known Wi-Fi network and leave it overnight. The FBI took the phone to the San Bernardino County Health Department, where Farook worked prior to the December 2, 2015 attack.
When that attempt did not work, Apple was mystified, but soon found out that the Apple ID account password had been changed shortly after the phone was in the custody of law enforcement, possibly by someone from the county health department. With no way to enter the new password on the locked phone, even attempting an auto-backup was impossible. Had this iCloud auto-backup method actually functioned, Apple would have been easily able to assist the FBI with its investigation.
The executive only revealed this detail to reporters now because it had thought it was under a confidentiality agreement with the government. Apple seems to believe this agreement is now void since the government brought it up in a public court filing.
http://arstechnica.com/tech-policy/2016/02/apple-we-tried-to-help-fbi-terror-probe-but-someone-changed-icloud-password/
Steve Kinney wrote:
On 02/20/2016 02:08 PM, Rayzer wrote:
Transliteration... The feds tampered with the phone and apparently fucked up their own investigation. So according to this account, for reasons unknown the FBI violated the most fundamental principles of digital forensics by failing to make a complete backup of the stored content of the device before doing anything else with or to it. Then /also/ quite deliberately destroyed its evidentiary value by delivering it into the custody and control of some random idiot.
My estimation? Yes. Absolutely. They are INCREDIBLY ham-handed and brain-dead, much like the Vogons in Hitchhiker's Guide. Yes... Absolutely. Their forensics lab has been shut down and investigated a number of times in the last few decades. Yep, unhuh! -- RR "Through counter-intelligence it should be possible to pinpoint potential trouble-makers ... And neutralize them, neutralize them, neutralize them"
On Sat, Feb 20, 2016 at 08:59:31PM -0500, Steve Kinney wrote:
On 02/20/2016 02:08 PM, Rayzer wrote:
Transliteration... The feds tampered with the phone and apparently fucked up their own investigation.
So according to this account, for reasons unknown the FBI violated the most fundamental principles of digital forensics by failing to make a complete backup of the stored content of the device before doing anything else with or to it. Then /also/ quite deliberately destroyed its evidentiary value by delivering it into the custody and control of some random idiot.
How *do* you make a complete backup of the stored content of a sealed device with an internal battery that can, and should, if properly designed, wipe its internal crypto keys if opened? A sufficiently savvy niche market device vendor like Apple would not do this 'for user privacy'; they'd do it to prevent the attack of the cheap phone clones. Now, the particular iPhone in question probably has a flash chip I could read the (encrypted) data out of rather easily with schematics obtained from an underpaid Apple campus janitor, or with moderate difficulty with a few 10-15 sacrificial phones. So it seems there should be a market for phones with strong crypto tamper-protection to maintain both evidentiary integrity, AND force public disclosure of any attempts to pull data off said phones. Would it be a good trade for Gov, Industry, and Public to agree that if the Gov wants the data on a device considered 'evidence', that *everyone* gets the data, or no-one at all gets the data? Can such an 'evidence disclosure' protocol be *securely* designed? Might it look something like bitcoin multi-sig, where N of M parties must swear under oath, in multiple jurisdictions, that the encrypted blob has been made public, and can each add their portion of the multi-sig key to the public record?
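The "N of M parties each add their portion of the key to the public record" idea above can be modelled with a threshold secret-sharing scheme rather than Bitcoin multi-sig. The following is an added example, not code from the thread or from any party named in it: the encrypted blob is published, the decryption key is split into M shares with Shamir's scheme, and only once N sworn shares are in the public record can anyone (and therefore everyone) recover the key. The field prime, share layout and `disclosure_status` helper are assumptions of this illustration.

```python
import secrets

# Arithmetic is done modulo a large prime (2^521 - 1, a Mersenne prime);
# any 256-bit key is a valid field element. Assumption of this example.
PRIME = 2**521 - 1


def split_key(key: int, threshold: int, shares: int):
    """Shamir split: 'shares' points on a random polynomial of degree
    threshold-1 whose constant term is the key. Any 'threshold' points
    recover it; fewer reveal nothing about the key."""
    assert 0 <= key < PRIME and 1 <= threshold <= shares
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    # Share x-coordinates start at 1; x=0 would leak the key itself.
    return [(x, f(x)) for x in range(1, shares + 1)]


def recover_key(points) -> int:
    """Lagrange interpolation at x=0 over the supplied (x, y) points.
    Correct only when at least 'threshold' distinct points are given."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def disclosure_status(public_record, threshold: int):
    """The 'everyone or no-one' rule: returns the key once the public record
    holds 'threshold' sworn shares, otherwise None (hypothetical helper)."""
    if len(public_record) < threshold:
        return None
    return recover_key(public_record[:threshold])


if __name__ == "__main__":
    # Constructed demo key standing in for the blob's decryption key.
    key = int.from_bytes(secrets.token_bytes(32), "big")
    shares = split_key(key, threshold=3, shares=5)  # 3 of 5 jurisdictions
    print(disclosure_status(shares[:2], 3))         # None: not yet disclosed
    print(disclosure_status(shares[:3], 3) == key)  # True: key is now public
```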
On Sat, Feb 20, 2016 at 11:08:07AM -0800, Rayzer wrote:
The idea was to force the iPhone 5C to auto-backup to Farook's iCloud account. With a legal court order, Apple can and does turn over iCloud data. For some reason, Farook had not backed up the phone for roughly six weeks prior to the attack. The executive said Apple does not know whether the auto-backup was disabled or enabled, but he did say that the previous iCloud backups, which were handed over to investigators, were sporadic.
http://www.theregister.co.uk/2016/02/17/apple_iphone_5c/ "It appears the killer disabled his cloud backups after this date." How do they enable remotely(?) disabled backups? And Apple can read plaintext backups on their cloud?...
Georgi Guninski wrote:
How do they enable remotely(?) disabled backups?
I'm guessing the simplest way would be to go to the site itself and change your password and then not change it on your phone's setting. But I'm guessing. I own a $7.99 pay-by-the-call 'dealer phone' under an assumed name that can be tossed in the bed of a pickup truck passing by without financial hurt if I need to... -- RR "Through counter-intelligence it should be possible to pinpoint potential trouble-makers ... And neutralize them, neutralize them, neutralize them"