Cellebrite can unlock any iPhone (for some values of “any”)

An update by Ars Technica on Cellebrite’s ability to access the content on otherwise secured iOS devices:

Cellebrite is not revealing the nature of the Advanced Unlocking Services’ approach. However, it is likely software based, according to Dan Guido, CEO of the security firm Trail of Bits. Guido told Ars that he had heard Cellebrite’s attack method may be blocked by an upcoming iOS update, 11.3.

“That leads me to believe [Cellebrite] have a power/timing attack that lets them bypass arbitrary delays and avoid device lockouts,” Guido wrote in a message to Ars. “That method would rely on specific characteristics of the software, which explains how Apple could patch what appears to be a hardware issue.”

Regardless of the approach, Cellebrite’s method almost certainly is dependent on a brute-force attack to discover the PIN. And the easiest way to protect against that is to use a longer, alphanumeric password—something Apple has been attempting to encourage with TouchID and FaceID, since the biometric security methods reduce the number of times an iPhone owner has to enter a password.

This once again confirms the importance of establishing strong, long passwords for iOS devices. Sure, they're less convenient, but they provide measurably better security.
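To make "measurably better" concrete, here is a small brute-force cost model as an added illustration (not Cellebrite's or Apple's code). The guess rate is an assumption: Apple documents that Secure Enclave passcode key derivation is tuned to take roughly 80 ms, so 12.5 guesses per second is used as a ceiling for an attacker who has defeated the escalating retry delays, which is the scenario Guido describes above. The policy list and the `humanize` helper are mine, not anything from the article.

```python
"""Brute-force cost model for device passcodes.

Added illustration, not Cellebrite's or Apple's code. The attempt rate is an
assumption: Apple documents that Secure Enclave passcode key derivation is
calibrated to take roughly 80 ms, so ~12.5 guesses/second is used as a
ceiling for an attacker who has bypassed the escalating retry delays.
"""
from dataclasses import dataclass
import math

ASSUMED_GUESSES_PER_SECOND = 12.5  # assumption: 1 / 0.080 s per attempt


@dataclass(frozen=True)
class PasscodePolicy:
    name: str
    alphabet_size: int  # distinct symbols allowed per position
    length: int         # passcode length in symbols

    def keyspace(self) -> int:
        """Total number of candidate passcodes under this policy."""
        return self.alphabet_size ** self.length

    def entropy_bits(self) -> float:
        """Bits of entropy if every passcode is equally likely."""
        return self.length * math.log2(self.alphabet_size)

    def expected_seconds(self, guesses_per_second: float) -> float:
        """Average time to hit the right guess: half the keyspace, on average."""
        return (self.keyspace() / 2) / guesses_per_second


# Constructed comparison set; 62 = upper + lower case letters + digits.
POLICIES = [
    PasscodePolicy("4-digit PIN", 10, 4),
    PasscodePolicy("6-digit PIN (iOS default)", 10, 6),
    PasscodePolicy("8-char alphanumeric", 62, 8),
    PasscodePolicy("12-char alphanumeric", 62, 12),
]


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    minute, hour, day, year = 60, 3600, 86400, 365.25 * 86400
    if seconds < minute:
        return f"{seconds:.0f} s"
    if seconds < hour:
        return f"{seconds / minute:.1f} min"
    if seconds < day:
        return f"{seconds / hour:.1f} h"
    if seconds < year:
        return f"{seconds / day:.1f} days"
    return f"{seconds / year:,.0f} years"


def summarize(policies=POLICIES, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """One row per policy: (name, keyspace, entropy bits, average crack time)."""
    rows = []
    for p in policies:
        rows.append((p.name, p.keyspace(), round(p.entropy_bits(), 1),
                     humanize(p.expected_seconds(guesses_per_second))))
    return rows


if __name__ == "__main__":
    for name, space, bits, eta in summarize():
        print(f"{name:28s} keyspace={space:<24,d} {bits:5.1f} bits  avg crack {eta}")
```

Under the assumed rate a 4-digit PIN falls on average in under seven minutes and a 6-digit PIN in about eleven hours, while an 8-character alphanumeric passcode moves the expected time into the hundreds of thousands of years. The exact numbers depend on the real per-attempt cost, which the article does not state, but the ratio between policies holds regardless of rate.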


Serious Vulnerabilities (Probably) Found in All iOS Devices

From Forbes:

The Israeli firm, a subsidiary of Japan’s Sun Corporation, hasn’t made any major public announcement about its new iOS capabilities. But Forbes was told by sources (who asked to remain anonymous as they weren’t authorized to talk on the matter) that in the last few months the company has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe. Indeed, the company’s literature for its Advanced Unlocking and Extraction Services offering now notes the company can break the security of “Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.” Separately, a source in the police forensics community told Forbes he’d been told by Cellebrite it could unlock the iPhone 8. He believed the same was most probably true for the iPhone X, as security across both of Apple’s newest devices worked in much the same way.

If Cellebrite has, indeed, found a way of compromising all iOS devices then they've accomplished a pretty impressive task. I have to wonder whether the vulnerabilities emerged from studying the iBoot leak or their own software or hardware research. Assuming Cellebrite's claims are legitimate they serve to underscore the position that governments shouldn't introduce backdoors or vulnerabilities into devices given that doing so will only exacerbate the existing problems associated with securing devices. Security is designed to add friction, not totally prevent an unauthorized party's actions, and deliberately reducing such friction will put all users at greater jeopardy.


The Forgotten History of New York’s Bagel Famines

Natasha Frost has written a really great piece on the history of bagels in New York:

The men of Bagel Bakers Local 338 were not to be trifled with. Founded in the 1930s, all 300-odd initial members were Yiddish speakers who descended from these hardy early bakers. Joining required a family connection—though this wasn’t sufficient on its own. Only after three to six months of apprenticeship, once a “bench man” had attained a minimum rolling speed of 832 bagels an hour, could members’ sons and nephews be grudgingly brought into the fold and given labor cards.

But Local 338 was different. Bagels were acquiring a special cachet among Jewish Americans, and bakers grew wise to the value of their special skills. Within eight years of formation, the union had contracts with 36 of the largest bakeries in the city and New Jersey. They had a ferocious reputation—non-union bagel makers were few and far between, and the holdouts experienced threats and day-and-night picketing until they toed the line.

I had no idea just how political bagel making was, nor how significantly the union was brought to its knees following the creation of Thompson’s ‘bagel machine’ in the 1950s. If you love your morning bagels — and spend the time to hunt down places that still make them by hand — you’ll love the article that Frost has put together.


The True Cost Of “Free” Professional Services

Leah Miller has a good take on Unsplash, a website where photographers donate photos which can subsequently be used without royalty or attribution:

They bill themselves as “Beautiful FREE photos for Everyone”. That means anyone, including businesses can go to their website and download unlimited amounts of photography (and some of it is very good) work without attribution or payment to the individual(s) who created them. Furthermore there is no requirement for Model or Property Releases which guarantees that the photographer and end user are likely to get sued. Don’t believe me? Do a search on that website of any popular brand you can think of…sportswear, etc. You will not see a single RELEASE for those images in sight. Large companies like Apple will sue the pants off you should they get wind of their products/logos etc. being used commercially. That “EXPOSURE” you got in return for the image of a Nike sneaker you posted (and was subsequently downloaded and used commercially) won’t be worth an ounce of mercy when that first lawyer letter hits your mailbox.

When you purchase a "creative" professional's services, be they from a photographer, programmer, editor, writer, or marketer, you're paying for more than the finished thing that the professional is providing. You're paying for the suite of skills, talents, and knowledge that surround the finished product, and some of those skills, talents, and knowledge are largely invisible to the client. And that's fine: it's what's being paid for. But if you get something for free or at a deeply discounted price it's important to know that all those hidden extras that you don't see when you hire a professional can quickly become your problem. Sometimes those problems are just a massive pain in the ass when they arise. But at their worst they can be a terrible drag on whatever you have going on in your life and career, and can be poison to your hobby, your side gig, or your professional career.


Apple’s Data Stewardship Questioned, Again

Matt Green has a good writeup of the confusion associated with Apple’s decision to relocate Chinese users’ data to data centres in China. He notes:

Unfortunately, the problem with Apple's disclosure of its China news is, well, really just a version of the same problem that's existed with Apple's entire approach to iCloud.

Where Apple provides overwhelming detail about their best security systems (file encryption, iOS, iMessage), they provide distressingly little technical detail about the weaker links like iCloud encryption. We know that Apple can access and even hand over iCloud backups to law enforcement. But what about Apple’s partners? What about keychain data? How is this information protected? Who knows.

This vague approach to security might make it easier for Apple to brush off the security impact of changes like the recent China news ("look, no backdoors!"). But it also confuses the picture, and calls into doubt any future technical security improvements that Apple might be planning to make in the future. For example, this article from 2016 claims that Apple is planning stronger overall encryption for iCloud. Are those plans scrapped? And if not, will those plans fly in the new Chinese version of iCloud? Will there be two technically different versions of iCloud? Who even knows?

And at the end of the day, if Apple can’t trust us enough to explain how their systems work, then maybe we shouldn’t trust them either.

Apple is regarded as providing incredibly secure devices to the public. But as more and more of the data on Apple devices is offloaded to Apple-controlled cloud services, it's imperative that the company both explain how it is securing that data and, moreover, specify the situations under which it can disclose data it is stewarding for its users.


Transparency Follows After Trust Is Lost

Via Wired:

Speaking at Davos, Uber CEO Dara Khosrowshahi pointed out that consumers face a challenge in trying to understand tech's influence in the age of big data. He called this an "information asymmetry." In his previous job, as CEO of Expedia, Khosrowshahi said, customers were shown a tropical island while they waited for their purchase page to show up. As a test, engineers replaced the placid image with a stressful one that showed a person missing a train. Purchases shot up. The company subbed in an even more stressful image of a person looking at a non-working credit card, and purchases rose again. One enterprising engineer decided to use an image of a cobra snake. Purchases went higher.

What's good for a business isn't always good for that business's users. Yet Khosrowshahi stopped testing because he decided the experiment wasn't in line with Expedia's values. "A company starts having so much data and information about the user that if you describe it as a fight, it's just not a fair fight," said Khosrowshahi.

The tech industry often responds to these concerns with a promise to be more transparent—to better show how its products and services are created and how they impact us. But transparency, explained Rachel Botsman in the same Davos conversation, is not synonymous with trust. A visiting professor at the University of Oxford’s Said School, Botsman authored a book on technology and trust entitled “Who Can You Trust?” “You’ve actually given up on trust if you need for things to be transparent,” she said. “We need to trust the intention of these companies.”

I think that it's how little design flourishes are used to imperceptibly influence consumers that should be used to justify more intensive ethics and legal education for designers and engineers. Engineers of physical structures belong to formal associations that can evaluate the appropriateness of their members' creations and conduct. Maybe it's time for equivalent professional networks to be built for the engineers and developers who are building the current era's equivalents to bridges, roads, and motor vehicles.