…from:
http://www.macrumors.com/2016/03/24/apple-pulls-ios-9-3-older-devices/
[Update: Apple has released a new build of iOS 9.3 for the iPad 2 and may be planning to roll out updates for additional devices. Apple has not yet resumed signing iOS 9.3 for affected devices.]
Apple Temporarily Pulls iOS 9.3 Update for Older iOS Devices
Thursday March 24, 2016 5:01 pm PDT by Juli Clover<http://www.macrumors.com/author/juli-clover/>
Apple has temporarily stopped offering the iOS 9.3<http://www.macrumors.com/roundup/ios-9> update for older devices like the iPad Air and earlier and the iPhone 5s<http://www.macrumors.com/roundup/iphone-5s> and earlier due to installation issues some users have experienced. On older devices, iOS 9.3 requires users to input the Apple ID and password originally used to set up the device, which can lead to the device becoming stuck at the Activation Lock screen if the original account information can't be recalled.
In a statement given to iMore<http://www.imore.com/apple-working-ios-93-fix-ipad-2>, Apple says it is working on a fix and plans to issue a new version of iOS 9.3 in the next few days. Customers with an affected device who attempt to download iOS 9.3 during this time will not be able to install the update as Apple has stopped signing it.
"Updating some iOS devices (iPhone 5s and earlier and iPad Air and earlier) to iOS 9.3 can require entering the Apple ID and password used to set up the device in order to complete the software update," an Apple spokesperson told iMore. "In some cases, if customers do not recall their password, their device will remain in an inactivated state until they can recover or reset their password. For these older devices, we have temporarily pulled back the update and will release an updated version of iOS 9.3 in the next few days that does not require this step."
For customers who have already installed iOS 9.3 and have gotten stuck at the Activation Lock, Apple has published a support document<https://support.apple.com/en-us/HT206203> with steps on how to solve the issue. Apple recommends removing Activation Lock via iCloud<http://www.macrumors.com/roundup/icloud> or attempting to enter an Apple ID or password through iTunes.
I had expected to see this on some newscasts but it doesn’t seem to have made it:
…from:
http://www.cbc.ca/news/business/email-scam-bank-canada-1.3470840?cmp=rss
Bank of Canada warns of email scam using its name and logo
The Bank of Canada is warning Canadians about an email and social media scam using its name and logos. (Reuters)
The Bank of Canada is warning Canadians not to fall for an email scam that tries to extort money or personal information using its name.
In a press release Tuesday, it says the scams on email and social media are using its name, logos and letterhead without authorization.
It is warning consumers that it does not:
* Accept deposits from individuals.
* Collect personal or financial information via email.
* Request personal or financial information through social media.
People should not follow any links included in social media or email messages purported to be from the Bank of Canada, the bank said.
Anyone who receives such a message should delete it and contact local authorities.
The Bank of Canada is the country's central bank, meaning it sets monetary policy, issues currency and works to keep the financial system stable. The only deposits it handles are from government and financial institutions.
The real Bank of Canada can be contacted at www.bankofcanada.ca<http://www.bankofcanada.ca> or at its Public Information Office at 1-800-303-1282.
Last year, some Canadians were taken in by fraudsters who pretended to be from the Canada Revenue Agency<http://www.cbc.ca/news/canada/windsor/canada-revenue-agency-scam-targeting-…> and demanded "back taxes."
Cyber-criminals are increasingly sophisticated in trying to dupe users to extort money or give up personal information that can help them break into bank accounts or credit cards.
…from:
http://gizmodo.com/if-you-want-to-keep-using-your-kindle-you-need-to-upda-1…
If You Want To Keep Using Your Kindle, You Should Update It Immediately
If you own one of Amazon’s pre-2012 Kindles, listen up: there’s a critical update that you need to install if you want to keep using it, and you must do so before March 22nd.
According to an update on the company’s help community<https://www.amazon.com/gp/help/customer/forums/kindleqna/ref=cs_hc_k_anmt?i…>, a new update is required for anyone using a pre-2012 device that has not connected it to the internet since October 5th, 2015.
Customers using an outdated software version on Kindle e-readers, or that have not connected wirelessly since October 5, 2015, require an important software update by March 22, 2016, in order to continue to download Kindle books and use Kindle services.
Failure to do so, the company warns, and you won’t be able to connect to Amazon’s Cloud, access the Kindle Store, or use any other services through the device. After March 22nd, you will also have to update the device manually, by downloading the patch and updating it through your computer.
Fortunately, Amazon has provided a chart<http://www.amazon.com/gp/help/customer/display.html?nodeId=201994710&tag=gi…> that outlines which Kindles need which updates, and how to go about doing it:
Device and Year | Software Version Your Device Needs | Update via Wireless (2G/3G) or Wi-Fi
Kindle 1st Generation (2007) | 1.2.1 | Use Wireless
Kindle 2nd Generation (2009) * | 2.5.8 | Use Wireless
Kindle DX 2nd Generation (2009) * | 2.5.8 | Use Wireless
Kindle Keyboard 3rd Generation (2010) ** | 3.4.2 or higher | Use Wi-Fi
Kindle 4th Generation (2011) | 4.1.3 or higher | Use Wi-Fi
Kindle 5th Generation (2012) | 4.1.3 or higher | Use Wi-Fi
Kindle Touch 4th Generation (2011) ** | 5.3.7.3 or higher | Use Wi-Fi
Kindle Paperwhite 5th Generation (2012) ** | 5.6.1.1 or higher | Use Wi-Fi
Kindle Paperwhite 6th Generation (2013) | No Update Needed | No Update Needed
Kindle 7th Generation (2014) | No Update Needed | No Update Needed
Kindle Voyage 7th Generation (2014) | No Update Needed | No Update Needed
Kindle Paperwhite 7th Generation (2015) | No Update Needed | No Update Needed
The update is a really good reminder to keep your device up to date, and also that even if your books and purchases are in the cloud, you won’t always be able to reach them.
[Amazon<https://www.amazon.com/gp/help/customer/forums/kindleqna/ref=cs_hc_k_anmt?i…>, Engadget<http://www.engadget.com/2016/03/20/amazon-kindle-crucial-update/>]
…from:
http://www.engadget.com/2016/03/16/celeb-photo-hacker-charged/
Man pleads guilty to hacking celebrity accounts for photos
He admitted to phishing users for access to Gmail and iCloud accounts.
Mariella Moon, @mariella_moon
The celebrities affected by the massive nude photo leak in 2014 got some answers today. A 36-year-old man from Pennsylvania named Ryan Collins has been charged with a computer hacking felony for infiltrating over 50 iCloud and 72 Gmail accounts. He has also agreed to plead guilty to one count of unauthorized access to a protected computer, according to the US Attorney's Office of the Central District of California. In his plea deal, Collins admitted to executing a phishing scheme to obtain celebs' usernames and passwords from November 2012 to September 2014. Once he got access to their accounts, he searched for and stole explicit images. In some cases, he even downloaded people's entire iCloud backups.
If you'll recall, Apple denied that the hacker exploited an iCloud flaw to access its users' accounts back then. Based on Collins' statement, the company was telling the truth. The hacker didn't take advantage of a security vulnerability: he phished his victims (who include Jennifer Lawrence, Kate Upton and many other female celebrities) or tried to guess their passwords.
That's why FBI Assistant Director David Bowdich warns:
"We continue to see both celebrities and victims from all walks of life suffer the consequences of this crime and strongly encourage users of Internet-connected devices to strengthen passwords and to be skeptical when replying to emails asking for personal information."
The feds aren't done investigating the case yet, but so far, they haven't found any evidence that Collins himself shared or uploaded the images and videos he stole. He's now facing a maximum sentence of five years in prison. If the judge agrees to both sides' recommendations, though, he could be out within 18 months.
[NOTE: if you do not have FLASH installed, you’re finished already]
You can check your FLASH version at:
https://helpx.adobe.com/flash-player.html
…you may see a message similar to this:
[image]
…after the upgrade you should see the following on the FLASH test page:
[image]
…from:
http://arstechnica.com/security/2016/03/adobe-issues-emergency-patch-for-ac…
Adobe issues emergency patch for actively exploited code-execution bug
Adobe has issued an emergency update for its Flash media player that patches almost two dozen critical vulnerabilities, including one that's being maliciously exploited in the wild.
"These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system," Adobe officials wrote in an advisory published Thursday<https://helpx.adobe.com/security/products/flash-player/apsb16-08.html>. "Adobe is aware of a report that an exploit for CVE-2016-1010 is being used in limited, targeted attacks." The notice advises Flash users to install the update as soon as possible.
CVE-2016-1010 is the common vulnerabilities and exposures designation for an integer overflow vulnerability that allows attackers to remotely execute malicious code on vulnerable computers. Adobe credited Anton Ivanov of Kaspersky Lab with discovering the zero-day vulnerability but provided no additional details. In an e-mail, a Kaspersky representative wrote:
Today Adobe released the security bulletin APSB16-08, crediting Kaspersky Lab for reporting CVE-2016-1010. The vulnerability could potentially allow an attacker to take control of the affected system. Kaspersky Lab researchers observed the usage of this vulnerability in a very limited number of targeted attacks.
At this time, we do not have any additional details to share on these attacks as the investigation is still ongoing. Even though these attacks are rare, we recommend that everyone get the update from the Adobe site as soon as possible.
The patch brings the latest version of Flash to 21.0.0.182 for Windows and Mac and 11.2.202.577 for Linux. Google Chrome and some versions of Microsoft Internet Explorer and Edge browsers bundle their own version of Flash and will update automatically. Windows 7 users who use Flash must still update manually.
Once again, readers are advised to uninstall the Flash, Java, and Silverlight browser extensions to see if they're really necessary. For many people, they aren't, and the significantly decreased attack surface greatly lowers the chances of being visited by remote code-execution attacks. People who rely on Flash to access a company intranet or other site should consider using a dedicated browser for that purpose.
…from:
http://arstechnica.com/tech-policy/2016/02/apple-prevails-in-forced-iphone-…
http://www.macworld.com/article/3039452/security/judge-strikes-down-order-f…
…others
Apple prevails in forced iPhone unlock case in New York court
Ruling: All Writs Act can't be used to achieve goal that Congress hasn't granted.
by Cyrus Farivar<http://arstechnica.com/author/cyrus-farivar/> - Feb 29, 2016 5:23pm CST
A judge in New York ruled Monday<https://www.documentcloud.org/documents/2728314-Orenstein-Order.html> in favor of Apple in a case where investigators wanted the court to compel the company to unlock a seized iPhone 5S running iOS 7, which the company does have the ability to unlock.
This case involves a drug dealer who has already pleaded guilty. It pre-dates Apple's current battle with the government over a locked iPhone 5C<http://arstechnica.com/tech-policy/2016/02/apple-fires-back-at-doj-this-is-…> that belonged to one of the shooters in the December 2015 terrorist attack in San Bernardino—that case is due to be heard in court next month in nearby Riverside, California.
By contrast, the San Bernardino case involves an iPhone 5c, running iOS 9, which Apple says it cannot unlock. In the California case, federal investigators asked for and received an unprecedented court order compelling Apple to create a new firmware to unlock the device. Last week, Apple formally challenged<http://arstechnica.com/tech-policy/2016/02/apple-fires-back-at-doj-this-is-…> that order, and the outcome is pending.
However, on both coasts, Apple is fighting the government's attempt to use the same law, known as the All Writs Act—an obscure catchall statute that dates back to the 18th Century. There are several related AWA cases involving unlocking Apple devices that remain pending nationwide.
US Magistrate Judge James Orenstein ruled that what the government was asking for went too far.
The ruling, the first of its kind on the topic, has no legal bearing on the outcome of the California case as they are proceeding in different federal judicial districts. Apple hopes, however, that the Riverside judge will be "persuaded" by the decision, according to a company executive who was granted anonymity on a call with reporters.
As the judge wrote in his Monday ruling:
In short, whatever else the AWA's "usages and principles" clause may be intended to accomplish, it cannot be a means for the executive branch to achieve a legislative goal that Congress has considered and rejected. But because such rejection can take many forms, only one of which (and arguably the least likely in most circumstances) is outright prohibition, the government's argument here is manifestly irreconcilable with the statute.
The New York case began back in October 2015, when Judge Orenstein invited Apple to tell the court why it felt that the government<http://arstechnica.com/tech-policy/2015/10/feds-since-apple-can-unlock-ipho…> could not compel it to unlock a seized phone. At the time, bringing Apple into a case like this was new.
Nine days later, defendant Jun Feng pleaded guilty<https://www.documentcloud.org/documents/2499370-jun-feng-guilty-plea.html> to one count of conspiracy to distribute and possess with intent to distribute methamphetamine. Judge Orenstein then asked the government why the issue of Apple's compliance was not pointless given the guilty plea. In the government's own filing<https://www.documentcloud.org/documents/2711972-123111286409.html#document/…>, dated October 30, 2015, prosecutors said that the investigation was not over and that it still needed data from Feng's phone.
If Feng's phone had iOS 8 or later installed—as 90 percent of iPhones do—this entire issue would likely be moot. Apple now enables full encryption by default, and the company specifically said the move happened<http://arstechnica.com/apple/2014/09/apple-expands-data-encryption-under-io…> "so it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8."
How far can you go?
Another key portion of the ruling showed that Judge Orenstein is particularly concerned with the government’s expansive view of this law, and addressed head-on the government’s assertion that because Apple licenses, rather than sells, its software, the company retains some amount of control over it.
As he wrote<https://www.documentcloud.org/documents/2728314-Orenstein-Order.html#docume…>:
In a world in which so many devices, not just smartphones, will be connected to the Internet of Things, the government's theory that a licensing agreement allows it to compel the manufacturers of such products to help it surveil the products' users will result in a virtually limitless expansion of the government's legal authority to surreptitiously intrude on personal privacy.
…
But the concern about whether the AWA, as construed by the government, would confer on the judiciary an overbroad authority to override individual autonomy cannot be so easily avoided in this case. Nothing in the government's arguments suggests any principled limit on how far a court may go in requiring a person or company to violate the most deeply-rooted values to provide assistance to the government the court deems necessary.
Judge Orenstein also noted that he "deliberately" asked the government during oral arguments how far its interpretation of the All Writs Act could go. Could federal authorities, for example, compel the manufacturer of lethal injection drugs to make them over corporate moral objections?
The government didn’t answer during oral arguments, but said in a later filing that it would simply depend on the circumstances, which Judge Orenstein found unsatisfying.
"If the government cannot explain why the authority it seeks here cannot be used, based on the same arguments before this court, to force private citizens to commit what they believe to be the moral equivalent of murder at the government's behest, that in itself suggests a reason to conclude that the government cannot establish a lack of unreasonable burden," he concluded.
Orenstein’s opinion parallels arguments that Apple made in its San Bernardino filing<https://www.documentcloud.org/documents/2722196-Motion-to-Vacate-Brief-and-…> just last week.
As its lawyers wrote then:
Finally, given the government’s boundless interpretation of the All Writs Act, it is hard to conceive of any limits on the orders the government could obtain in the future. For example, if Apple can be forced to write code in this case to bypass security features and create new accessibility, what is to stop the government from demanding that Apple write code to turn on the microphone in aid of government surveillance, activate the video camera, surreptitiously record conversations, or turn on location services to track the phone’s user? Nothing.
Headed for the Supreme Court?
Similarly, privacy law scholars roundly hoped that this case would exert some influence over the case pending before the court in California.
"It's a meticulous and scholarly opinion," Alex Abdo<https://www.aclu.org/bio/alex-abdo>, an attorney for the American Civil Liberties Union, told Ars. "It should be a roadmap for any court considering one of these requests from the government."
Rep. Ted Lieu<https://lieu.house.gov/> (D-Calif.), one of just four congressmen to hold a computer science degree, also applauded the ruling.
"I am very pleased with the decision, because it validates what I and others have been saying which is that Congress specifically rejected the FBI's proposal to put in backdoors to weaken encryption and now they're trying to do it through a 1789 law that is not appropriate for the situation," he told Ars.
The New York case could be appealed up to the 2nd Circuit Court of Appeals, and similarly, the California case could move up to the 9th Circuit Court of Appeals. If those appellate courts disagree with each other as to the limits of the All Writs Act, constituting a "circuit split," that probably would set the stage for a ruling at the nation's highest court.
"Ultimately, if the federal courts in California and New York disagree about how much authority the AWA gives the government to force Apple to unlock iPhones, the conflict could only be resolved by Congress clarifying the law or the Supreme Court settling it," Neil Richards<https://law.wustl.edu/faculty/pages.aspx?id=314>, a law professor at Washington University in St. Louis, told Ars.
Hi.
Seems a few Apple machines have been affected by security update “Incompatible Kernel Extension Configuration Data version 3.28.1”. Apple has repaired the problem so new updates should not be affected but some people are reporting that they’ve received the “broken Configuration Data update”.
This configuration file/version can interfere with the working of your Ethernet card.
If the Ethernet connection on your Mac stopped working recently, you can follow these steps to restore it.
…from:
https://support.apple.com/en-us/HT6672
If the Ethernet connection on your Mac stopped working recently
If the Ethernet connection on your Mac stopped working recently, check System Information to find out which version of “Incompatible Kernel Extension Configuration Data” is installed. If you have version 3.28.1, you need an update. If you can connect to WiFi, your Mac will update to version 3.28.2 automatically, or you can follow the steps below to restore it manually.
First, check your version number:
1. While pressing the Option key, select System Information from the Apple menu.
2. Expand the Software section and select Installations.
3. Click on the Software Name column header to sort the list alphabetically.
4. Look for “Incompatible Kernel Extension Configuration Data.”
5. If the most recent version installed is 3.28.1, then follow the steps below.
If you can connect to WiFi, follow these steps to update to version 3.28.2:
1. Open the Terminal app.
2. Type this command to update to the current version of the “Incompatible Kernel Extension Configuration Data” kernel extension:
sudo softwareupdate --background
3. Quit Terminal and restart your Mac.
If you can't connect to WiFi, follow these steps to update to version 3.28.2:
1. Follow the instructions<https://support.apple.com/kb/HT201314> to restart your Mac in OS X Recovery. After your Mac restarts, go to step 2.
2. Select Disk Utility from the list of OS X Utilities.
3. Select your drive from the list of internal drives in the sidebar. The default name is "Macintosh HD." Your drive might have a different name or location, if you renamed or moved it.
4. If the drive name is gray, then your drive might be protected by FileVault. Select File > Unlock from the Disk Utility menu, and enter your FileVault password.
5. Select File > Mount in Disk Utility to mount your drive, if it's not already mounted.
6. Quit Disk Utility. If you'd like to be able to copy and paste the command required in Step 8, select Get Help Online from the OS X Utilities list to open Safari and view this article on Apple's support site at support.apple.com/kb/HT6672<http://support.apple.com/kb/HT6672>. Quit Safari before you go to the next step.
7. Launch the Terminal app from Utilities > Terminal.
8. Type (or copy and paste) this command as one line in Terminal. In the example below, the drive name is "Macintosh HD," and there's a space between Macintosh and HD. If your Mac's drive name is different, adjust the text. The path must be wrapped in plain straight quotes so the space in the drive name stays part of a single path:
rm -rf "/Volumes/Macintosh HD/System/Library/Extensions/AppleKextExcludeList.kext"
9. Quit the Terminal app.
10. Select Restart from the Apple menu.
11. After your Mac restarts, your Ethernet connection should work.
12. Open the Terminal app and type this command to update to the current version of the “Incompatible Kernel Extension Configuration Data” kernel extension:
sudo softwareupdate --background
13. Quit Terminal and restart your Mac.
Alternatively, if you confirmed that your Mac has Incompatible Kernel Extension Configuration Data version 3.28.1, you can also follow the instructions<https://support.apple.com/kb/HT201314> to restart your Mac into OS X Recovery mode, and then select Reinstall OS X. You can reinstall OS X on your drive without reformatting it.
…from:
http://arstechnica.com/tech-policy/2016/02/apple-we-tried-to-help-fbi-terro…
Apple: We tried to help FBI terror probe, but someone changed iCloud password
Exec: No other country has asked Apple for what US is asking for now.
by Cyrus Farivar<http://arstechnica.com/author/cyrus-farivar/> - Feb 19, 2016 8:05pm CST
On Friday, an Apple executive explicitly confirmed what was stated in a government court filing<https://www.documentcloud.org/documents/2715997-Apple-iPhone-Access-MOTION-…> earlier in the day: that in the early hours of the San Bernardino terrorism investigation, county officials may have inadvertently compromised their ability to access the data on the seized iPhone 5C.
Earlier this week, Apple was given an unprecedented court order<http://arstechnica.com/tech-policy/2016/02/judge-apple-must-help-fbi-unlock…> to create custom firmware for the iPhone 5C that was used by Syed Rizwan Farook. That new firmware would remove a possible automatic wipe feature on the phone if a passcode is incorrectly entered 10 times and would remove a delay between passcode attempts intended to make brute-force entry more difficult. If Apple does comply, it would allow the government to enter PIN codes in rapid succession until it gained access to the phone. Apple CEO Tim Cook has publicly said it will resist this attempt, calling it a significant “overreach.” A court hearing has been scheduled<https://www.documentcloud.org/documents/2716342-Apple-iPhone-Access-Schedul…> for March 22, 2016, in nearby Riverside, California.
During the Friday call, the unnamed Apple executive said the company has been diligently working with the FBI to try to aid the terrorism investigation. After days of working with the FBI, Apple proposed one final attempt to recover roughly six weeks of data that was locked on the phone.
The idea was to force the iPhone 5C to auto-backup to Farook’s iCloud account. With a legal court order, Apple can and does turn over iCloud data. For some reason, Farook had not backed up the phone for roughly six weeks prior to the attack. The executive said Apple does not know whether the auto-backup was disabled or enabled, but he did say that the previous iCloud backups, which were handed over to investigators, were sporadic.
Apple suggested that the FBI take the iPhone 5C, plug it into a wall, connect it to a known Wi-Fi network and leave it overnight. The FBI took the phone to the San Bernardino County Health Department, where Farook worked prior to the December 2, 2015 attack.
When that attempt did not work, Apple was mystified, but soon found out that the Apple ID account password had been changed shortly after the phone was in the custody of law enforcement, possibly by someone from the county health department. With no way to enter the new password on the locked phone, even attempting an auto-backup was impossible. Had this iCloud auto-backup method actually functioned, Apple would have been easily able to assist the FBI with its investigation.
The executive only revealed this detail to reporters now because it had thought it was under a confidentiality agreement with the government. Apple seems to believe this agreement is now void since the government brought it up in a public court filing.
Given that this iCloud backup tactic could not even be attempted, the Department of Justice pulled out all the stops, and asked a judge to order that Apple re-write the firmware. The Apple executive also made a point of saying that no other government—not even China or Russia—has ever asked what American prosecutors have asked the company to do this week.
On the call, Apple's press representative refused to articulate why the company would not go on the record with its call with journalists.
Also on Friday, the House Committee on Commerce invited both FBI Director James Comey and Apple CEO Tim Cook to testify on the issue of encryption.
Rich Mogull has twenty years of experience in information security, physical security, and risk management. He specializes in data security, application security, emerging security technologies, and security management. Prior to founding Securosis, Rich was a Research Vice President at Gartner Inc (gartner.com<http://gartner.com>) on the security team where he also served as research co-chair for the Gartner Security Summit. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator. Rich is the Security Editor of TidBITS, a monthly columnist for Dark Reading, and a frequent contributor to publications ranging from Information Security Magazine to Macworld. He is a frequent industry speaker at events including the RSA Security Conference and DefCon.
…from:
http://www.macworld.com/article/3034355/ios/why-the-fbis-request-to-apple-w…
Why the FBI's request to Apple will affect civil rights for a generation
No legal case applies in a vacuum, and in this case the FBI needs the precedent more than the evidence.
Rich Mogull<http://www.macworld.com/author/Rich-Mogull/> | @rmogull<https://twitter.com/rmogull>
Contributor, Macworld
* Feb 17, 2016 11:14 AM
On Tuesday, the United States District Court of California issued an order requiring Apple to assist the FBI in accessing a locked iPhone<http://www.macworld.com/article/3034028/security/apple-ordered-to-assist-in…> (PDF<https://assets.documentcloud.org/documents/2714001/SB-Shooter-Order-Compell…>)—and not just any iPhone, but the iPhone 5c used by one of the San Bernardino shooters. The order is very clear: Build new firmware to enable the FBI to perform an unlimited, high speed brute force attack, and place that firmware on the device.
Apple is not only fighting the request<http://www.macworld.com/article/3034214/security/tim-cook-says-apple-will-o…>, but posted a public letter signed by Tim Cook<http://aos.prf.hn/click/camref:1100laKZ/destination:http://www.apple.com/cu…> and linked on Apple’s front page.
Make no mistake: This is unprecedented, and [in this author’s opinion] the situation was deliberately engineered by the FBI and Department of Justice to force a showdown. This is an issue with far-reaching implications well beyond a single phone, a single case, or even Apple itself.
As a career security professional, this case has chilling implications.
Why now?
I’ve been writing about Apple’s role in our digital civil rights since 2014<http://tidbits.com/article/15137>, and specifically addressed why Apple is at the center of the battle over encryption<http://tidbits.com/article/16210> last month on TidBITS. The short version is that Apple is one of the only companies with the technologies, high profile, and business model to both find themselves in the cross hairs, and take a strong position.
Apple has a long history of complying with court orders and assisting law enforcement. Previous to iOS 8, they could extract data off devices. Even today, data in most of their online services (iCloud, excluding iMessage and FaceTime) can be provided upon legal request.
This case is different for multiple reasons:
* Apple is being asked to specifically create new software to circumvent their security controls. They aren’t being asked to use existing capabilities, since those no longer work. The FBI wants a new version of the operating system designed to allow the FBI to brute force attack the phone.
* The FBI is using a highly emotional, nationally infamous terrorism case as justification for the request.
* The request refers to the All Writs Act, which is itself under scrutiny in a case in New York involving Apple<https://www.eff.org/cases/re-order-apple-all-writs>. Federal Magistrate Judge James Orenstein of the Eastern District of New York is currently evaluating if the Act applies in these cases.
That’s why this is about far more than a single phone. Apple does not have the existing capability to assist the FBI. [In this author’s opinion] the FBI engineered a case where the perpetrators are already dead. And the law cited is under active legal debate within the federal courts.
The crux of the issue is whether companies should be required to build security circumvention technologies to expose their own customers. Not “assist law enforcement with existing tools,” but “build new tools.”
The FBI Director has been clear that the government wants back doors into our devices<https://www.fbi.gov/news/speeches/going-dark-are-technology-privacy-and-pub…>, even though the former head of the NSA disagrees and supports strong consumer encryption<http://money.cnn.com/2016/01/13/technology/nsa-michael-hayden-encryption/in…>. One reason Apple is likely fighting this case so publicly is that it is a small legal step from requiring new circumvention technology, to building such access into devices. The FBI wants the precedent far more than they need the evidence, and this particular case is incredibly high profile and emotional.
The results will, without question, establish precedent beyond one killer’s iPhone.
The technical details
The court order is quite specific. It applies only to one iPhone [5c owned by San Bernardino shooters], and requests Apple create a new version of the firmware that eliminates the existing feature that erases the iPhone after 10 failed attempts at entering the passcode. It further asks Apple to allow passcode attempts to be performed as rapidly as possible.
[passcodes iphone]
Apple has been prompting users to choose longer and more complicated—and harder to crack—iPhone passcodes.
Beginning with iOS 8, devices are encrypted using a key derived from your passcode. This is combined with a hardware key specific to the device. Apple has no way of knowing or circumventing that key. On newer devices, the hardware key is embedded in the device and is not recoverable. Thus the passcode must be combined with the device key in a chip on the phone, and that chip rate-limits passcode attempts to make a brute force attack slower.
Reading through the order, it seems the FBI thinks that a modified version of the operating system would allow them to engage in high-speed attacks, if the 10-tries limit was removed. The request indicates they likely can’t image the device and perform all the attacks on their own super-fast computers, due to that hardware key. With a four-character passcode the device could probably be cracked in hours. A six-character code<http://www.macworld.com/article/3018152/security/switch-to-six-digits-for-y…> might take days or weeks, and anything longer could take months or years.
Dan Guido over at Trail of Bits posted a great explanation<http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-…>:
As many jailbreakers are familiar, firmware can be loaded via Device Firmware Upgrade (DFU) Mode. Once an iPhone enters DFU mode, it will accept a new firmware image over a USB cable. Before any firmware image is loaded by an iPhone, the device first checks whether the firmware has a valid signature from Apple. This signature check is why the FBI cannot load new software onto an iPhone on their own—the FBI does not have the secret keys that Apple uses to sign firmware.
This opens up a few questions. Could this work on newer devices with the enhanced encryption of the Secure Enclave<http://www.macworld.com/article/2999804/security/apple-cant-decrypt-your-ip…>? How can Apple pair the device and replace the firmware in the first place? Would they be using the shooter’s computer? An over-the-air update? Apple says that all devices (with or without the Secure Enclave) are vulnerable to this kind of attack, but declined to comment on the specific technical methods, a position I initially disagreed with, but on reflection is probably the right move for reasons we will get to in a moment.
Thus the FBI wants a new version of iOS, signed by Apple and installed on the device, that removes limitations on their attempts to brute-force the password.
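A minimal model of the design described above, added here as an illustration (not code from the article or from Apple): the data key is derived from the passcode together with a device-bound secret, so guesses only work on the device itself, and the erase-after-10 guard destroys that secret. PBKDF2, the iteration count, the class and function names and the per-attempt cost are assumptions chosen for the sketch.

```python
import hashlib
import hmac
import os


class ModelDevice:
    """Toy device: the key depends on the passcode AND a device-bound secret."""

    MAX_FAILURES = 10  # the erase-after-10-failures feature named in the order

    def __init__(self, passcode, iterations=20_000):
        self._uid = os.urandom(32)     # stands in for the hardware key; never exported
        self._iterations = iterations  # assumed work factor, not Apple's real value
        self._check = self._derive(passcode)
        self.failures = 0
        self.wiped = False

    def _derive(self, passcode):
        # Entangling the passcode with the device secret means a copied disk
        # image cannot be tested against guesses on another machine.
        return hashlib.pbkdf2_hmac(
            "sha256", passcode.encode(), self._uid, self._iterations
        )

    def unlock(self, passcode):
        if self.wiped:
            return False
        if hmac.compare_digest(self._derive(passcode), self._check):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            # Destroying the device secret makes the key underivable,
            # even with the correct passcode.
            self._uid = os.urandom(32)
            self.wiped = True
        return False


def worst_case_seconds(alphabet_size, length, seconds_per_attempt):
    """Time to exhaust the passcode space when every guess runs on the device."""
    return alphabet_size ** length * seconds_per_attempt
```

With the guard in place an attacker gets ten guesses regardless of passcode length; without it, the passcode space and the per-attempt cost are the only remaining protection, which is why longer passcodes matter.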
Why this matters
Legal precedent is like a glacier, slowly building over time until it becomes nigh unstoppable. Major issues like this are first, and sometimes ultimately, decided on a series of small steps that build on each other. It’s the reason the NRA fights any attempts at gun control, since they fear a slow build, not a single small law.
The crux of this round of the encryption debate is if companies should be forced to build tools to circumvent their customers’ security. If the answer is “yes,” it could be a small step to “should they just build these tools into the OS from the start?”
I have no doubt the FBI deliberately chose the highest-profile domestic terrorism case in possibly a decade. We, average citizens, want the FBI to stop this sort of evil. We don’t necessarily see this one case as applying to our lives and our rights. Why the big deal?<http://www.theverge.com/2016/2/17/11031910/donald-trump-apple-encryption-ba…> What if the FBI could find the terrorists’ contacts and stop other attacks?
But the truth is, no legal case applies in a vacuum. If this goes through, if Apple is forced to assist, it will open a floodgate of law enforcement requests. Then what about civil cases? Opening a phone to support a messy divorce and child custody battle? Or what about requests from other nations, especially places like China and the UAE that already forced BlackBerry and others to compromise the security of their customers?
And once the scale of these requests increases, as a security professional I guarantee the tools will leak, the techniques will be exploited by criminals, and our collective security will decline. It really doesn’t matter if it’s the iPhone 5c or 6s. It really doesn’t matter if this is about dead terrorists or a drug dealer. It doesn’t matter what specific circumvention Apple is being asked to create.
What matters is if we have a right to the security and privacy of our devices, and of our communications, which are also under assault. If we have the right to tools to defend ourselves from the government and criminals alike. Yes, these tools will be sometimes used for the worst of crimes, but they’re also fundamental to our civil rights, freedom of discourse, and our ability to protect our digital lives from the less impactful, but far more frequent criminal attacks.
[It is the author’s opinion that] this situation was engineered by the FBI and Department of Justice for the maximum impact and chances of success. Apple is fighting, and as a security professional it’s my obligation to support their position, and stronger security.
…from:
http://www.apple.com/support/usbc-chargecable/
Apple USB-C Charge Cable Replacement Program
[USB-C charge cable]
A limited number of Apple USB-C charge cables that were included with MacBook computers through June 2015 may fail due to a design issue. As a result, your MacBook may not charge or only charge intermittently when it’s connected to a power adapter with an affected cable.
Apple will provide a new, redesigned USB-C charge cable, free of charge, to all eligible customers. This program also covers Apple USB-C charge cables that were sold as a standalone accessory.
For MacBook owners who provided a valid mailing address during the product registration process or Apple Online Store purchase, Apple will send you a new cable by the end of February 2016.
All other eligible MacBook owners should use the replacement process below to receive a new USB-C charge cable.
Identifying an affected cable
Affected cables have “Designed by Apple in California. Assembled in China.” stamped on them. New, redesigned cables include a serial number after that text. See images below.
Affected cable [Affected cable detail]
Redesigned cable [Redesigned cable detail]
Replacement Process
Please choose one of the options below to receive a new USB-C charge cable. We will need your MacBook serial number to verify eligibility for this program. Learn how to find your serial number here<https://support.apple.com/en-us/HT204356>.
* Find an Apple Retail Store. Genius Bar reservation recommended.
* Find an Apple Authorized Service Provider<https://locate.apple.com/>.
* Contact Apple Support.
Additional Information
This worldwide Apple program does not extend the standard warranty coverage of the MacBook.
If you believe you have paid for a replacement due to this issue, contact Apple regarding a refund.
The program covers the affected USB-C charge cables until June 8, 2018.
Information as of 2016-02-12