[pfg]

I think there are a lot of conflating issues in this discussion.

Firmware signing and how updates are delivered are one thing. I would argue that having only one possible adversary is preferable to everyone being able to create firmware that runs on your device. If there's a practical and secure approach that would allow users to install only firmware updates they approve of, I'd be all for that[1]. In the end - please correct me if I'm wrong - this would require a user-generated key or passphrase of some sort, and then we're back at a brute-force problem and the question of how secure is that passphrase and how are rate-limits enforced.

The iPhone's disc encryption, however, does not rely on this so-called master key. That's why I think calling this a backdoor isn't a fair assessment. It's entirely reliant on the complexity of your passphrase. The iPhone's security architecture, including the firmware signing and in newer versions the secure enclave, make attacks against this significantly harder (or next to impossible, if the secure enclave firmware is actually read-only ... something that definitely needs to be clarified). Compare this to your typical desktop full-disk encryption, where you usually have no countermeasures whatsoever against this kind of thing.

[1]: Speaking as a developer. I'm not qualified to answer this for sure, but my gut feeling is that such a feature in the hands of typical end-users might actually be a bad thing for security.

[saurik]

> Speaking as a developer. I'm not qualified to answer this for sure, but my gut feeling is that such a feature in the hands of typical end-users might actually be a bad thing for security.

I think users should be allowed to make the security tradeoffs they consider relevant. Many people leave a key to the door of their house somewhere outside but nearby, yet I don't think the people who build locks should decide that that is never acceptable and decide to play parent and come up with a solution to this problem: I would prefer people to be informed about the tradeoffs they are making, but they should be allowed to do what they want. Meanwhile, this enables the people who want more security than "I trust Apple, all of Apple's employees, Apple's security from hostile third parties, and the government under which Apple does business" to go "above and beyond".

> That's why I think calling this a backdoor isn't a fair assessment.

I am using this term because Apple is using this term: they said "They [the FBI] have asked us [Apple] to build a backdoor to the iPhone." when what the result would be would still require brute forcing a passcode to get the data in question. They make it sound extremely hard, but in fact it is really easy for them to do this: it is a single line of code changed; what makes it possible for them to do this is not that they haven't bothered to build it, it is that they are moral enough to not want to do it, and they are the only people with the key... but the key, fundamentally, is equivalent to the power the FBI wants. The FBI could "build" this backdoor for themselves if Apple handed them that key.

[studentrob]

> I don't think the people who build locks should decide that that is never acceptable and decide to play parent and come up with a solution to this problem: I would prefer people to be informed about the tradeoffs they are making, but they should be allowed to do what they want.

Shouldn't Apple be allowed to do as it wants?

> what is fundamentally different is only that people realize the government might be able to force Apple to use their key.

The public already knows from the ongoing debate that the current iPhone is unlockable by Apple. What difference does it make if the key does not exist yet, as Apple says, or if it does, as you say? Everyone knows the power is in Apple's hands. We'll all demand better iPhone security as a result of this discussion.

> this enables the people who want more security ... to go "above and beyond".

I understand you are asking Apple for a specific feature that gives more security. Regardless of the existence of this particular case, you would still be trying to raise awareness and gather support for pushing Apple to implement that feature. Is that fair to say? I support you in that effort. I also think this discussion ought to be held separately, perhaps after the case, so that we can focus on not giving the DOJ any means to handcuff the tech companies. The results of this case will have a dramatic impact on all tech, and if you truly care about privacy and security, you will support Apple's stance.

Let's table the debate about how Apple needs to improve its phone security and allow users to update firmware, and focus on matters at stake: whether or not the DOJ should be able to compel Apple to hand over the key. Whether or not that key has been created is irrelevant to the fact that if the DOJ wins this case, it is one step closer to mandating that Apple make all their phones unlockable.