Monday, March 14, 2016

Apple Might Be Forced To Reveal & Share iPhone Unlocking Code Widely

By Ken Rashbaum and Liberty McAteer
Among the many questions swirling around the challenge to U.S. Magistrate Judge Sheri Pym's Order that Apple create software to bypass the iPhone passcode screen, a matter of paramount public interest may have been overlooked: Even if the government prevails in compelling Apple to bypass these iPhone security features: (A) evidence for use in a criminal trial obtained in this way will be challenged under the Daubert standard (described below) and the evidence may be held to be inadmissible at trial; and (B) the Daubert challengemay require disclosure of Apple's iPhone unlocking software to a number of third parties who would require access to it in order to bring theDaubert challenge and who may not secure the new software adequately. To state that neither consequence would be in the public interest would be an understatement in the extreme.

The Daubert challenge would arise because any proffered evidence from the subject iPhone would have been obtained by methodology utilizing software that had never been used before to obtain evidence in a criminal trial. The Supreme Court, in Daubert v. Merrill-Dow Pharmaceutical-Dow Pharmaceuticals, Inc., held that new methodologies from which proffered evidence is derived must, when challenged, be substantiated by expert scientific testimony in order to be admissible. In Daubert, the court stated that the criteria that must be utilized when faced with a defense challenge to scientific testimony and evidence are:
  1. Can the methodology used to reach the expert's conclusion (the new software here) betested and verified?
  2. Have the methodology and software been peer-reviewed and has the review beenpublished in a peer-reviewed journal?
  3. Do the techniques used to reach the conclusion (here, to obtain the evidence) have anascertainable error rate?
  4. Has the methodology used to generate the conclusion (the evidence) beengenerally accepted by the relevant scientific community?
Under the Daubert standards, introduction of evidence from the iPhone, electronic communications and data stored in the phone, would require the testimony of an expert witness to, among other things:
  • establish the integrity of the data (and its reliability) throughout the chain of custody;
  • explain whether any person or software could modify the data coming off of the phone;
  • verify that the data that came off the phone as delivered by Apple and held by law enforcement was the data that had originally been on the phone;
  • explain the technical measures, such as the digital signatures attached to the data, used ensure that no tampering has occurred and their likely error rates.
Such an expert would, in preparation for his or her testimony, require access to and examination of the software, as it is inconceivable that defense counsel would simply accept the testimony of the Apple personnel without also demanding that their own, third-party, experts have access to the code. 

In addition, defense counsel would undoubtedly demand the right for their own third-party experts to have access not only to the source code, but to further demand the right to simulate the testing environment and run this code on their own systems in order to confirm the veracity of evidence. This could easily compromise the security of the new unlocking code, as argued by in the amicus brief filed with Judge Pym by Jennifer Granick and Riana Pfefferkorn from Stanford's Center for Internet and Society (also covered previously by Techdirt):
There is also a danger that the Custom Code will be lost or stolen. The more often Apple must use the forensic capability this Court is ordering it to create, the more people have to have access to it. The more people who have access to the Custom Code, the more likely it will leak. The software will be valuable to anyone eager to bypass security measures on one of the most secure smartphones on the market. The incentive to steal the Custom Code is huge. The Custom Code would be invaluable to identity thieves, blackmailers, and those engaged in corporate espionage and intellectual property theft, to name a few. 
Ms. Granick and Ms. Pfefferkorn may not have contemplated demands by defense counsel to examine the software on their own systems and according to their own terms, but their logic applies with equal force to evidentiary challenges to the new code: The risk of the software becoming public increases when it is examined by multiple defense counsel and their experts, on their own systems, with varying levels of technical competency. Fundamentally, then, basic criminal trial processes such as challenges to expert testimony and evidence that results from that testimony based on this new software stand in direct tension with the public interest in the secrecy and security of the source code of the new iPhone unlocking software. 

At best, none of these issues can be resolved definitively at this time because the software to unlock the phone has not been written. But the government's demand that the court force Apple to write software that circumvents its own security protocols maybe shortsighted as a matter of trial strategy, in that any evidence obtained by that software may be precluded following a Daubert inquiry. Further, the public interest may be severely compromised by a court order directing that Apple to write the subject software because the due process requirements for defense counsel and their experts to access the software and Apple's security protocols may compromise the secrecy necessary to prevent the proposed workaround from becoming available to hackers, foreign governments and others. No matter what safeguards are ordered by a court, security of the new software may be at considerable risk because it is well known that no security safeguards are impregnable. 

The government may be well advised to heed the adage, "Be careful what you ask for. You may just get it." Its victory in the San Bernardino proceedings may be worse that Pyrrhic. It could be dangerous.

Thursday, February 11, 2016

“Huge” number of Mac apps vulnerable to hijacking, and a fix is elusive | Ars Technica

“Huge” number of Mac apps vulnerable to hijacking, and a fix is elusive | Ars Technica: Fellow researcher Simone Margaritelli has developed a technique that streamlines the attack by allowing it to work with the Metasploit exploit framework. He showed how he could exploit the vulnerability on a fully patched Mac running the latest version of the VLC Media Player. VLC developers released an update three days ago that patches the vulnerability so that the attack no longer works against the latest version.
Patch your VLC, people:

Tuesday, February 9, 2016

Why Stack Overflow Doesn’t Care About Ad Blockers – Stack Overflow Blog – A destination for all things related to development at Stack Overflow

As an interesting follow-on to Wired's article earlier today, see the this post by StackOverflow regarding its advertising policy:

But really: anything that doesn’t speak specifically to the Stack Overflow audience is not permitted. We also don’t accept rich media like animated ads, expandable ads, or video, which are the norm for most publishers today. This strict policy means we leave money on the table, but our team wants to protect Stack Overflow from those kinds of ads, as they run the risk of alienating that established trust.
For those of you that don't know, StackOverflow is a forum where users go to post software development / programming questions and answers. It is one of the single most valuable resources available to any developer out there - I have used it more times than I care to count. To put it mildly, they have very high street cred, and this policy seems totally consistent with that reputation.

Well done, StackOverflow.

How WIRED Is Going to Handle Ad Blocking | WIRED

How WIRED Is Going to Handle Ad Blocking | WIRED: You can subscribe to a brand-new Ad-Free version of For $1 a week, you will get complete access to our content, with no display advertising or ad tracking.
The above article mentions that WIRED now allows you to easily whitelist its site, or, for $1 a week, you can have an ad-free viewing experience.

While I do not think this is a perfect solution, I think it is a huge step in the right direction, made in good faith. Importantly, it recognizes something so fundamental that so many other subscription services do not seem to grasp:

If I pay for a subscription, it must be both advertisement free and not track my data.

Any other stance is simply going to result in more users using ad-blockers or resorting to more aggressive forms of content-piracy. To be completely frank, it is why I do not, and will not, pay for Hulu.

Kudos, Wired. Here's hoping other publications follow suit.

Monday, January 18, 2016

Apple is not Vertically Integrated (Response to 'Why Big Companies Keep Failing: The Stack Fallacy' | TechCrunch)

Why Big Companies Keep Failing: The Stack Fallacy | TechCrunch: Apple continues to successfully integrate vertically down  — building chips, programming languages, etc., but again has found it very hard to go up the stack and build those simple apps — things like photo sharing apps and maps.

This is super confusing to read from Techcrunch. Surely @anushublog is aware of the fact that Apple is not an OEM and is actually nowhere near vertically integrated? They are a design shop, and up until very recently, 100% of their manufacture was outsourced.

Additionally, one of Apple's core competencies is its software - iphoto is actually great. Apple Maps is not amazing - but certainly way better than it used to be. Apple's messenger app is great. Its mail app is great. Its video editing software (Final Cut Pro)  and music editing software (Logic Pro) are actually industry standards.

This is pretty careless, IMO. Maybe the point is that Apple is bad at making social-media apps? Well, maybe. But they likely make more money off of social media apps than ~99% of social media app publishers, due to their ownership of the App Store.

That aside, the fundamental point of the article - that Product Management is very hard - is a good lesson.