FBI presumably salivating
Probably not.
They will do anything but salivate if they lose the Casus Belli to have the authority to command any corporation to do anything with their products and services as they see please.
Johns Hopkins University professor Matthew Green says a hard-to-exploit zero day vulnerability in iOS encryption allows skilled attackers to decrypt intercepted iMessages. Replication steps for the bug have been withheld until Apple releases a patch for the latest stable iOS 9 version. Green told The Washington Post he and …
But it should let the cat out of the bag. Apple could point to that and very clearly say they don't need to be involved. Use that exploit since THEY'RE a state-level agency. The court obviously can't order Apple to do something unless there's no alternative, which this exploit clearly presents.
And would you look at that? The FBI's actually backing off! Seems the revelation of this new exploit crumbled the foundation of their case since it's now proven they don't need Apple's help to get into the phone, and by law you can't compel something when an alternative is available (necessity is required).
Of course, after Cookie made out that the World (well, iBone users) would be DOOOOOOOOMMED, with everything up to and including a plague of baby-eating locusts, if anyone was able to read the data on the iPhone in question, it would seem the iBoners best switch to a more secure phone.
FBI Obama presumably salivating
Fixed it for ya.
http://www.theregister.co.uk/2016/03/11/president_barack_obama_encryption_sxsw/
Amid the row between Apple and the FBI over the unlocking of a mass murderer's iPhone, President Barack Obama has told the tech world to suck it up and do what the Feds want.
A 4-digit PIN just doesn't have sufficient entropy on its own. You have to trust the hidden key part of the algorithm is absolutely secure, which it never will be given physical access.
What's needed is a diceware style interface for rapidly picking words from a finite dictionary, using a touchscreen. That way the key alone could withstand brute force attacks.
Physical access can break ANYTHING open since they can just use side-channel attacks coming from things like EMR to deduce whatever secret is needed. Worst comes to worst, they can decap the chip physically (defeating any booby-traps along the way). That's why they say that physical access = Game Over.
"They're trying to mandate a legal backdoor by judicial precedent."
Yes, they do want a legal back door. But they want it because access is (1) physically impossible, (2) prohibitively expensive or, if you're ultra paranoid, (3) they don't want to reveal the technique they are using.
Reason #2 amounts to reason #1. They might conceal a technique because it's patchable or because it's so outrageous that everyone would demand it's made illegal, if it's not already. But it doesn't matter what you know, if you can't bring it before a court it's useless.
"Yes, they do want a legal back door. But they want it because access is (1) physically impossible, (2) prohibitively expensive or, if you're ultra paranoid, (3) they don't want to reveal the technique they are using."
Well, the article says that, according to these researchers, (1) doesn't apply (it's proven possible), (2) is unlikely (though it takes state-class resources, it's unlikely to be too costly for a state), and (3) is moot (the secret's already out).
The 4 digit PIN isn't used to seed the encryption, it only unlocks the real encryption key. Read the iOS Security Guide Apple helpfully provides for a full explanation. So no worries about lack of entropy. Whatever this flaw is, it has nothing to do with the PIN and must be something in the way key exchange works for iMessage. Encryption is hard to get right, even for experts. Which is why the spooks probably like the idea of terrorists using some third party app like Telegram - they don't have all the experts an Apple or a Google can afford, and if they can screw up, and all the people reviewing OpenSSL can screw up, what chance does a guy writing an app like that have to get everything right?
As for the length of PINs, you aren't limited, you have the choice to use passwords. I think with a PIN you might only get 4 or 6 digits, and maybe that could be relaxed but I think it would be better to not relax it and instead encourage people to use passwords.
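The two points made above (the earlier comment's worry about a 4-digit PIN's entropy, and this comment's reply that the PIN only unlocks the real key rather than seeding the encryption) can be shown together in a small key-wrapping sketch. This is an added example, not Apple's code and not the construction described in the iOS Security Guide: the device-bound secret, the PBKDF2 iteration count and the HMAC-based wrap are assumptions made for illustration, and every value in it is constructed.

```python
import hashlib
import hmac
import math
import os

# Constructed stand-in for a per-device secret fused into hardware and never
# exported: the "hidden key part" the earlier comment refers to (assumption).
DEVICE_SECRET = hashlib.sha256(b"constructed-device-secret-for-demo").digest()
KDF_ITERATIONS = 50_000  # assumption; real devices tune this to a fixed delay per guess


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random secret of `length` symbols."""
    return length * math.log2(alphabet_size)


def derive_kek(pin: str, device_secret: bytes, salt: bytes) -> bytes:
    """Key-encryption key: the PIN tangled with the device secret, then stretched.

    Without `device_secret` this function cannot be evaluated at all, so the
    PIN's tiny search space is only reachable by someone holding the hardware.
    """
    tangled = hmac.new(device_secret, pin.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", tangled, salt, KDF_ITERATIONS, dklen=32)


def wrap_key(master_key: bytes, kek: bytes) -> bytes:
    """Encrypt-then-MAC a 32-byte master key under the KEK.

    HMAC-SHA256 is used as a PRF to produce a one-time 32-byte keystream and
    a separate integrity tag (simplified construction, not Apple's).
    """
    if len(master_key) != 32:
        raise ValueError("master key must be 32 bytes")
    nonce = os.urandom(16)
    keystream = hmac.new(kek, nonce + b"enc", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(master_key, keystream))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(blob: bytes, kek: bytes):
    """Return the master key, or None if the KEK (i.e. the PIN) is wrong."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong PIN or tampered blob: nothing usable comes back
    keystream = hmac.new(kek, nonce + b"enc", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, keystream))


def enrol(pin: str):
    """Generate the real 256-bit data key and lock it behind the PIN."""
    master_key = os.urandom(32)  # this, not the PIN, is what encrypts the data
    salt = os.urandom(16)
    blob = wrap_key(master_key, derive_kek(pin, DEVICE_SECRET, salt))
    return master_key, salt, blob


def unlock(pin: str, salt: bytes, blob: bytes):
    """What the lock screen effectively does: derive the KEK and unwrap."""
    return unwrap_key(blob, derive_kek(pin, DEVICE_SECRET, salt))


if __name__ == "__main__":
    mk, salt, blob = enrol("4821")  # constructed sample PIN
    assert unlock("4821", salt, blob) == mk
    assert unlock("4822", salt, blob) is None
    print(f"4-digit PIN:        {entropy_bits(10, 4):5.1f} bits")
    print(f"6-digit PIN:        {entropy_bits(10, 6):5.1f} bits")
    print(f"5-word diceware:    {entropy_bits(7776, 5):5.1f} bits")
    print(f"random 256-bit key: {entropy_bits(2, 256):5.0f} bits")
```

The entropy figures show the earlier comment's arithmetic (a 4-digit PIN is about 13 bits, a 5-word diceware passphrase about 65), but the unlock path shows the reply's point: the data key is a full 256-bit random value, and the PIN's search space only becomes relevant to someone who can run `derive_kek` with the device secret, at whatever per-guess delay the iteration count and the hardware impose.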
a) They likely already bought the exploit on the exploit market.
b) It's not plausible that they have problems getting to the data, at least not if they are as well equipped as the Dutch police:
https://www.youtube.com/watch?v=AVGlr5fleQA
What they want in the current case is a way to make the attack cheap enough so it can be used on large numbers of people. For a single case extracting the key out of a security chip is well within what Apple would charge for custom firmware.
"... it shatters the notion that strong commercial encryption has left no opening for law enforcement and hackers..."
Yep. Same old, same old. Nobody should be surprised by this. Unless they're oblivious to history.
Although this is not directly applicable to the FBI thing, it's evidence that this haystack still contains plenty more needles.
"Question for all: Have we ever heard of a zero-day exploit from our own nation states?"
Why would they tell you, dear citizen, of the many zero day exploits they possess but aren't legally authorised to use (but do anyway)? Hence the global scramble for incredibly dubious legislation designed to retrospectively make it all hunky dory instead of black bag and allow them to use their ill-gotten evidence (or planted stitch-up material) in a court of law.
We live in some impressively fucked-up times.
but they're actively withholding them from law enforcement agencies. Isn't this supposed to be an offense? I mean they're not supposed to cave in to law enforcement requests and modify their code, but ostensibly closing an existing one could raise some eyebrows among government agencies. I hope Mr. Cook knows the difference between preaching to his followers on Twitter and being grilled in front of a US senate committee.