Apple and the FBI
The FBI has gotten a court order demanding that Apple help unlock a San Bernardino shooter's work phone, an iPhone 5C.
This has been in the news everywhere for days, and I'm already sick of it, so I'm going to keep this short.
Almost everyone has read Apple's public response, but nobody I've talked to has read the actual court order itself. You're doing yourself a disservice if you don't read the actual court order for yourself. It's three pages, and it's much more precise than Apple's response or anything you'll read in the news.
From the order, we see that the government is asking Apple to do three things:
- Disable the auto-erase function
- Allow a way to submit passwords automatically (without fingers on touchscreen)
- Prevent the device from taking longer than necessary to check passwords
Here's the thing: Apple is taking the stance that they don't want to weaken their product's security. That's great. However, I think Apple is actually weakening their security by not complying, or at the very least they're publicly admitting that their security is already weak.
The court has asked Apple to do nothing that a well-funded adversary couldn't already do on their own.
Strong encryption should stand up to an adversary that already knows everything (except the encryption key itself). If your security relies on the adversary not knowing some detail then you are relying on security through obfuscation. It's 2016, we can do better.
So while I applaud Apple's stance for not wanting to weaken their security, I say if their compliance with the court order significantly weakens their security, then their security was already poor to begin with.
Like this post? Consider following me on Twitter or following me on Github. Don't forget to subscribe to my feed.