51 comments

[ 4.5 ms ] story [ 71.3 ms ] thread
This is not a HN story. We skip most responses to the original tin foil stories.
A story about a very large and popular technology company's response to allegations of them intentionally adding backdoors to one of their flagship products isn't appropriate for a technology news site?

Edit: HN's on-top guidelines "On-Topic: Anything that good hackers would find interesting. That includes more than hacking and startups. If you had to reduce it to a sentence, the answer might be: anything that gratifies one's intellectual curiosity."

Seriously, I would like to understand why you think this isn't HN appropriate.

I think you are missing the sarcasm; he's pointing out that HN votes up sensationalism and not the follow up stories.
This is on the front page of HN.
When I made the comment it wasn't, and I had the only comment. It took about an 45 minutes to gain any traction, which can be verified by the age of the comments.

The original story would have been on the front page in minutes, with dozens of comments.

If the difference between a sensationalist vs. reaction article is only 45 minutes I think HN is doing fairly well compared to other online communities.
A story is almost gone in 45 minutes on HN. You'll often notice people complaining about posting a story posted a day earlier that didn't get any traction and is highly voted on resubmission. Someone has to start a conversion or it has to get up voted quickly. I was the 4th upvote and the first comment.
It's a win for everyone when a seminal tech company responds to Snowden material with a serious response. It compels the public to take the outlet seriously (Der Spiegel), the material seriously (Snowden), and it contributes to the general tightening in the security field.

In a word ... validation.

Anyone else notice that the bottom-right corner of the NSA doc is dated 20070108? Is that a month after the original iPhone was released or 6 months before?

Either way, quite the implication if the claims are authentic.

Plausible deniability can be an effective tool for a company too. It's certainly possible that Apple team members were indeed collaborating with the NSA (or FBI or some contractor equivalent) or that the NSA had access to Apple tech without the leadership aware of the specifics or even without any official corporate authorization/mandate in the first place.

Never noticed that.

Pretty sure it is January.

"(civilian vernacular: mm/dd/yy or mm/dd/yyyy;[165][166] other formats, including dd Month yyyy and yyyy-mm-dd, are common or prescribed—particularly in military, academic, scientific, computing, industrial, or governmental contexts. See Date and time notation in the United States.)"

My money is on January.

Apple's statement:

"Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products. We care deeply about our customers’ privacy and security. Our team is continuously working to make our products even more secure, and we make it easy for customers to keep their software up to date with the latest advancements. Whenever we hear about attempts to undermine Apple’s industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them."

Not that it will convince anyone around here, but at least they can be called liars if any evidence did turn up.

It's interesting to say the least. If they are to be believed, what accounts for the NSA's claim of "100% success" with iPhones? Or is that just empty posturing?
100% success if you have physical access. You certainly do not need to be the NSA for that.
I can't find the exact "100% success" quote to put it into context, but for one thing, it's a six-plus year old document. It's possible that they had an exploit at the time. An exploit doesn't require Apple's cooperation.

The document also doesn't claim this success remotely (only "A remote installation capability will be pursued for a future release", which really gives no clue as to how possible that was or is). We've always known that pretty much any mobile device can be vulnerable with physical access (that's what "jailbreaking" you phone is doing).

Given that almost all early iPhone OS and iPhone have bugs and vulns that allow jailbreaks and carrier unlocks, it's completely unsurprising that the NSA had a 100% success physically.

For example, iPhone 3GS released in 2009 can be jailbroken with 2010-era latest iOS 4: http://www.iclarified.com/jailbreak/iphone3gs/mac.php?firmwa...

I don't think you even need baseband access to do all the spying. I think all of that can be done on a jailbreak.

One thing to take note of is that they specifically deny working with the NSA. They could very well be working with a contractor or another US government organization and not be lying.

Not saying that they necessarily are. Based on what I've read about the NSA I think it's very plausible that the NSA both has a backdoor from Apple, one from the baseband software (http://www.osnews.com/story/27416/The_second_operating_syste...), as well as a several hacks they've developed on their own. Their strategy is not a single path but rather as many attack vectors as possible.

Anything is plausible when there are no facts to show right? We have a document from 2007 and Apples denial. That is it.
This is like RSA saying they had no secret contract to create a crypto backdoor. Really finely phrased, doesn't actually say much.

Apple most likely wouldn't work directly with the NSA but with an entity like the FBI. The contract wouldn't be with the FBI but with a company also contracted out to do some of the work like Booz Allen Hamilton.

I'm started to wonder who "we" actually means in these responses as well. Is this the stock-holder we, the CEO we, or we as in employees of Apple as a whole. I suspect it is not the latter one.

We still don't know the point of entry for this malware and I have no more reason to suspect it is done by the shipping carriers than I have reason suspect the hardware makers themselves.

Where are people suspecting the shipping carriers?
The NSA's recommended guide for creating a secure phone (fishbowl) lists supply chain compromise as a threat. Probably because they themselves manage to infiltrate manufacturing and distribution
Isn't this very similar to earlier claims about the NSA seeing Google's data?

Many believed that Google was doing the NSA's bidding. Many others felt that only the polar opposite could be true: That Google rejected the NSA's pleas and thus the data couldn't be seen.

It seems to have turned out that fact was somewhere in between -- Google was an involuntary partner, but the NSA could monitor virtually all of their data via the data center to data center links.

The same thing could be happening at Apple (or any business): They have all the best intentions in the world and want to build the most secure product they can, but there is a extrajudicial foe that answers to essentially no one.

Yeah, but we still don't know if anyone in Google provided aid. So long as National Security Letters exist, there will always be the possibility that an employee or business unit has been complicit without anyone who can speak for the company ever finding out.
Google explicitly denied voluntarily cooperating or working with the NSA in such a manner. While their denial was picked apart (just as the Apple one is, everyone declaring exclusions and perceived disclaimers), Google's statement effectively eliminated the possibility of an NSL silencing them. An NSL bars you from talking about something, but can't compel you to publicly lie (nor do I think a company with the might and influence of Google be bullied too easily).

Of course this is all talking about Google as a corporation voluntarily doing something. Was someone in Google (or Apple or any other company) working on behalf of the NSA? There was early debates about whether that could even be legal, but at this point it seems that "anything goes" is the pattern, so possibly.

There's absolutely nothing stopping the NSA/CIA from hiring a foreign national to work on their behalf, just like the DGSE could pay an American national in Palo Alto. Whether those employees could operate domestically w/o breaking the laws of their spymaster, maybe not.

It's sorta telling to me that Google decided to go encryption on all intra-data after Snowden. No doubt they would have been briefed by agencies that they cooperate with about what the exposures would be.

It's more likely that whatever chipsets common across smartphones or routers is the point of exploit. So the NSA and Samsung or whomever have to have a private agreement. Apple/Google don't have a need to know, but you think a few engineers might be curious.

"Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone."

WIGGLE ROOM ALERT: Apple might have worked with government contractors, just not the NSA directly.

"Additionally, we have been unaware of this alleged NSA program targeting our products. We care deeply about our customers’ privacy and security."

WIGGLE ROOM ALERT: They could very well be unaware of this program -- but aware of another program that hasn't been disclosed yet.

For more on sneaky talk, read this fantastic Atlantic piece that dissects deliberately misleading statements by NSA officials: http://www.theatlantic.com/politics/archive/2013/12/how-amer...

One key strategy they've had: they consistently deny specific programs, as opposed to general actions.

Think about what the NSA really did here in 2008. Apple didn't need to help the NSA do this. Here's why:

The NSA exploited a bug in the iPhone in the same way that the jailbreak community has been doing since the iPhone came out in 2007. The only difference is that the NSA installed malware where as the jailbreak apps install Cydia.

Remember jailbreakme.com? That is a browser based root vulnerability. Find an exploit in the iPhone's mail, sms, browser, or any other app, and you could too install malware. Of course this is not easy with the security of the iPhone, but with NSA like resources there is no such thing as bulletproof security.

Plot-twist: the NSA is the jailbreaking community.
This could be true. Technically. You don't need to work with NSA, you may, for example, work with some another organisation tightly coupled with NSA. There also could be carefully planted vulnerabilities in the software, it would be extremely stupid for Apple to implement clearly recognizable backdoor. And of course they will deny anything always.
It doesn't matter what they say. If they had, the law requires them to lie and say they didn't.
It does matter. Apple could tell the truth and let the NSA take them to court. What a nightmare that would be for the NSA.
They cannot make this statement until we get rid of national security letters. It's a statement that even the company itself can't verify as true or false.

Instead they should have released a PR statement like so:

"Apple's is unaware of any help it has provided the NSA in creating iPhone backdoors, but due to the presence of National Security Letters that would gag us if we had, we can neither confirm nor deny whether we have helped the NSA. If we have, no one in the company but those that aided the NSA would know. We urge the citizens of this country to challenge the constitutionality of NSLs so that we may be able to confirm whether or not we have aided in the creation of iPhone backdoors."

That's the only truthful statement that could be uttered at this point.

Apple is on the record as having never received an NSL. NSLs may prohibit you from disclosing information, but they cannot force you to lie (especially by one you've never received).
They can force you to lie. If not lying would conceivably tip off a subject of an investigation that they are under surveillance, than not lying would be in violation of the NSL. That is the entire point of the gag order.
"Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us."

So are you suggesting they've received a NSL letter about nothing in particular forcing them to lie in this instance?

I'm not suggesting that they have or have not received a NSL. I am saying, if they are in compliance with the gag order portion of the NSL, then they must always deny that they ever received a NSL for any reason. The government views not denying receipt of a NSL as confirming receipt. If they hadn't received a NSL, of course they would say they hadn't received one. If they had received a NSL, or course they would say they hadn't received one. The only reply to the question of "have you received a NSL" that is ever legal, is to deny receipt.

So whatever their true status is, it cannot be judged from their own statements, as long as we assume that nobody at Apple gives two shits enough to stick their neck out and risk incarceration for violating a NSL.

Or we could believe their statement about fighting the order. So much speculation and no facts.
If they get one in the future what happens? Are they allowed to not make this claim next time, which strongly implies that they got one? Open question, is there any US precedent as to what they're allowed to do there?
If they get one in the future then they drop the statement from their report.

moron4hire seems to believe that they would force them to keep the statement (and thus lie), but I'm going to need a source on that.

That seems like the obvious answer, and I'm inclined to believe it, but it seems like a very strong implication that they did get one if they do that. If they're not allowed to tell, are they allowed to imply this strongly?
This is not correct. You're thinking of Apple's "warrant canary", which covered only Section 215 of the USA PATRIOT Act, "Access to records and other items under the Foreign Intelligence Surveillance Act", aka mass FISA requests.

Apple almost certainly has received many NSLs, which is why they can only disclose "1000-2000 account information requests" for the first half of 2013 in their transparency report. That number combines law enforcement and national security order requests in order to keep vague the exact number of the latter. If you take a look at that transparency report[1], you can see they come as close as you can to confirming that they have received NSLs when (so far) you can of course not confirm that you've ever received NSLs.

[1] https://www.apple.com/pr/pdf/131105reportongovinforequests3....

I was under the impression that section 215 was the NSL since it mentions the bit about gag orders on Wikipedia:

>The section carries a gag order stating that "No person shall disclose to any other person (other than those persons necessary to produce the tangible things under this section) that the Federal Bureau of Investigation has sought or obtained tangible things under this section"

No, the modern NSL was defined in section 505 of the USA PATRIOT Act, though it modifies statutes going back many decades. It was section 505, though, that let the FBI go hog-wild with them.
They can make that statement and they did make that statement. You can go down the rabbit hole a very long way with "conspiracy theories" or you can believe Apple.
Not to jump on you in particular -- there are many posts in this thread alone conflating things -- but I've noticed that there exists a great confusion about National Security Letters here on HN, even amongst those who seem to think they're following these things very closely.

A NSL is not a catch-all. It can only compel disclosure of metadata, aka non-content data, aka pretty much what's covered under Smith v Maryland (third party doctrine and all that). That alone is damaging, of course: when the police were getting phone number records in 1976, technology was very different from say, the ability to track your every movement just from the IDs of the cell phone towers that your phone connects to as you move around your city.

However, a NSL cannot compel someone to write a backdoor into a program, or force you to hand over your private encryption keys, or even hand over the content of a single email. There are many other legal approaches to these other things (like a real court order from a judge), and there is a decent chance that a company is completely spineless and rolls over for the government without any need for the request to be legal (a la AT&T and room 641A), but those approaches have nothing to do with National Security Letters.

I wish people would learn a little bit about this before thinking they know a lot about this...

Gag orders aside, is there any evidence that a national security letter can be used to compel a company to create or help create a backdoor like that?

Everything I've seen about NSLs says that they allow the government to compel production of (some) information about an individual or group if they say it's part of a national security investigation. As I understand it, the big objection to NSLs from groups like the EFF and ACLU is that they're outside the normal system of court order and subpoenas, lack enough restrictions on when they can be used and have the gag order provision...not that they give the government power to ask companies to do whatever they want.

So the NSA hacked the iPhone so thoroughly without help? Yikes.
My follow up question would be: Has Apple created back doors for law enforcement?

The only way to keep spy agencies out is to made data inaccessible to everyone.

How it works: NSA uses its immense resources to find jailbreaks. Finds jailbreaks. Sets up a 'hacker front' to publish jailbreaks/establish hegemony over the subject in the mindset of the iPhone-jailbreaking public. Regularly publish jailbreaks.

Oila: a few million remote installations. (EDIT: .. on known-subversive phones. Only subversive types jailbreak.)