Footnote Reveals That The San Bernardino Health Dept. Reset Syed Farook's Password, Which Is Why We're Now In This Mess

from the well,-that's-interesting dept

Fri, Feb 19th 2016 6:18pm — Mike Masnick

We already discussed the many issues with the DOJ's motion to compel Apple to create a backdoor to let them brute force the passcode on Syed Farook's iPhone. However, eagle-eyed Chris Soghoian caught something especially interesting in a footnote. Footnote 7, on page 18 details four possible ways that Apple and the FBI had previously discussed accessing the content on the device without having to undermine the basic security system of the iPhone, and one of them only failed because Farook's employers reset the password after the attacks, in an attempt to get into the device.

The key line:

... to attempt an auto-backup of the SUBJECT DEVICE with the related iCloud account (which would not work in this cases because neither the owner nor the government knew the password to the iCloud account and the owner, in an attempt to gain access to some information in the hours after the attack, was able to reset the password remotely, but that had the effect of eliminating the possibility of an auto-backup).

The "owner" of course, being the San Bernardino Health Department, who employed Farook and gave him the phone. Basically, what this is saying is that if the password hadn't been reset, it would have been possible to try to connect the phone to a "trusted" network, and force an automatic backup to iCloud -- which (as has been previously noted) was available to the FBI. But by "changing" the password, apparently that option went away.

In other words, the San Bernardino Health Dept may have been the ones who really mucked things up for the FBI. But, of course, to be honest, the FBI is probably kind of happy about that. At this point, very few people honestly believe that there's anything of much value on that phone. But this situation allows the FBI to present the most sympathetic case it probably can to try to force backdoors onto tech companies.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: doj, encryption, fbi, password, reset, san bernardino, san bernardino health department, syed farook
Companies: apple

33 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

This comment has been flagged by the community. Click here to show it

Anonymous Coward, 19 Feb 2016 @ 6:32pm

Passwords are not Backdoors
I still don't see where Apple is being asked or forced to create a backdoor. Apple is being asked pull the data from an iphone in a manner at their discretion.

Tim's hissy fit is just disingenuous. He/she is obvious a marketing person and not a technical queen.

Here is the order. https://assets.documentcloud.org/documents/2714001/SB-Shooter-Order-Compelling-Apple-Asst-iPhone.pdf
[ link to this | view in chronology ]
- Anonymous Coward, 19 Feb 2016 @ 6:51pm
  
  Re: Passwords are not Backdoors
  Queen really? I suppose you're going to claim that your totally not a bigot and that wasn't directed at him being gay?
  [ link to this | view in chronology ]
  - Anonymous Coward, 19 Feb 2016 @ 6:54pm
    
    Re: Re: Passwords are not Backdoors
    Inb4 hurr you said your instead of you're
    [ link to this | view in chronology ]
  - That Anonymous Coward (profile), 20 Feb 2016 @ 2:54am
    
    Re: Re: Passwords are not Backdoors
    I'm confused, I thought I was the token gay...
    
    Have I been replaced?!
    [ link to this | view in chronology ]
    - Wendy Cockcroft, 22 Feb 2016 @ 7:34am
      
      Re: Re: Re: Passwords are not Backdoors
      https://www.youtube.com/watch?v=KrlzaBNgz-M
      [ link to this | view in chronology ]
- Anonymous Coward, 19 Feb 2016 @ 7:45pm
  
  Re: Passwords are not Backdoors
  Pull the data by creating a custom version of their iOS (or firmware, but let's call it FBiOS for the purposes of discussion) and somehow ensure it only works on one phone. That's not discretion. It was spelled out precisely what the FBI wanted. Of course, the FBI says it would only have to work on one phone, but once they subpoena the source code for that FBiOS (yes I stole that from an article linked here the other day) version, and you can be certain they will, it would be trivial to work around any limitations that were implemented to keep it to that specific phone, iOS version, or model (depending on how Apple would have done it). Apparently, the federal government they can compel any private business to do anything, and Apple would have no choice but to comply.
  
  While there have been discussions regarding which phones would be 'safe' (e.g. 5s and above due to the Secure Enclave technology), another "writ of do wtf i tell you" could be issued for any version at any time.
  
  As to the "changing the password", unless they're very specific about what password they changed (iCloud, domain password, etc) it is hard to say what effect that would have had. We don't believe, based on the information provided, that the San Bernardino Department Health Department use Mobile Device Management (MDM) software, otherwise they could have changed the iPhone passcode remotely and we wouldn't be having this conversation. I'm also willing to wager that "a few hours after the attack" some hotshot investigator instructed the IT folks at SBDH to change the iTunes password.
  [ link to this | view in chronology ]
- Mike Masnick (profile), 19 Feb 2016 @ 9:56pm
  
  Re: Passwords are not Backdoors
  I still don't see where Apple is being asked or forced to create a backdoor. Apple is being asked pull the data from an iphone in a manner at their discretion.
  
  That is not the case. We covered the order and laid out what it specifies: https://www.techdirt.com/articles/20160216/17393733617/no-judge-did-not-just-order-apple-to-break-en cryption-san-bernardino-shooters-iphone-to-create-new-backdoor.shtml
  
  It absolutely does not say they need to pull data at their discretion. It says they need to disable two specific security features by building a new operating system -- and then to enable another features. At no point is Apple actually asked to retrieve anything from the phone. Rather, once they remove those security features, then the FBI will step in and brute force the passcode.
  
  So not sure what you read but you're wrong.
  [ link to this | view in chronology ]
  - Anonymous Coward, 21 Feb 2016 @ 10:03pm
    
    Re: Re: Passwords are not Backdoors
    Mike,
    There is both an order compelling and a motion seeking. Both were filed on Feb. 16, 2016. I was referencing the order compelling. See page 3 line 3. The FBI says Apple can use any technology at their discretion if they can give the FBI the data on the phone. Apple did give the FBI the data on the icloud servers and recommended the FBI attempt to force a backup of the device. (see motion seeking; footnote 7)As we know from the media stories, the backup glitched. I just don't see any story here except Tim Cook throwing a hissy fit in a blog about how he doesn't wish to help in an investigation his company has already helped in.
    
    SB-Shooter-Order-Compelling file: https://assets.documentcloud.org/documents/2714001/SB-Shooter-Order-Compelling-Apple-Asst-iPhone.pdf
    
    SB-shooter-MOTION-seeking file:http://www.wired.com/wp-content/uploads/2016/02/SB-shooter-MOTION-seeking-asst-iPhone.pdf
    
    It should be noted the first file has [proposed] struck out. But it does have the court clerk's stamp.
    [ link to this | view in chronology ]
    - That One Guy (profile), 21 Feb 2016 @ 11:31pm
      
      Re: Re: Re: Passwords are not Backdoors
      I just don't see any story here except Tim Cook throwing a hissy fit in a blog about how he doesn't wish to help in an investigation his company has already helped in.
      
      This again?
      
      As has been pointed out time and time and time again, there's a significant difference between providing unencrypted data from a device versus creating a modified version of the OS to undermine key security features and allowing the FBI to attempt to brute-force the password.
      
      One Apple can do with ease and without affecting their security as it requires something that they already have, the other takes a lot more work, provides a bypass for the security on the devices they sell, and opens up a huge can of worms by allowing a precedent to be set that companies can be forced to bypass their own security, effectively creating a 'golden key' requirement without a single law being passed.
      [ link to this | view in chronology ]
- Anonymous Coward, 20 Feb 2016 @ 6:57am
  
  Re: Passwords are not Backdoors
  Nice try San Bernardino Health Dept IT person.
  [ link to this | view in chronology ]
  - Anonymous Coward, 20 Feb 2016 @ 9:50am
    
    Re: Re: Passwords are not Backdoors
    You misspelled "FBI terrorist".
    [ link to this | view in chronology ]
    - hopponit (profile), 20 Feb 2016 @ 10:08am
      
      Re: Re: Re: Passwords are not Backdoors
      You got it backwards. It should be "terrorist FBI" .
      [ link to this | view in chronology ]
That Anonymous Coward (profile), 19 Feb 2016 @ 6:37pm

Your Honor we caused a giant clusterfuck, now force Apple to clean up after our inability to secure evidence properly.
[ link to this | view in chronology ]
Anonymous Anonymous Coward, 19 Feb 2016 @ 6:43pm

Creative Self Imolation with an Altruistic End Game
So, instead of hiring some CI's and writing a scenario for them pass on to some inept wannabe's then arresting those inept wannabe's for the crime the FBI prompted to be committed, the FBI arranged to shoot themselves in the foot in order to have an excuse to backdoor encryption?

Why again doesn't Hollywood employ these guy's. They are a lot more creative than the dorks that are currently writing for them.
[ link to this | view in chronology ]
Mark Wing, 19 Feb 2016 @ 6:54pm

I'm surprised there's no court order compelling the resurrection of Farook and the un-destruction of the phones he destroyed. But, court order.
[ link to this | view in chronology ]
- Anonymous Coward, 19 Feb 2016 @ 7:48pm
  
  Re:
  For all we know his corpse could be at a black site being force fed through a tube while being forced to listen to a Megadeth/Taylor Swift/Justin Beiber/Kanye West mashup between waterboardings where they ask him for the passcode and what he did with his computer's harddrive.
  [ link to this | view in chronology ]
Anonymous Coward, 19 Feb 2016 @ 8:59pm

now this is what cook needs to be putting out there. that there were ways into the phone that apple provided but that the fbi or other investigators screwed them by being ignorant and developing an entirely custom operation system is absolutely ridiculous when the tools were there the government was just to stupid to use them. I feel like this would resonate a lot better with the avg person. I would also mention the cost to the taxpayers would be in the tens of millions of dollars due to the govt screw up. and that you would thing with the billions that are going to cyber warfare and terrorism that they should have known better.
[ link to this | view in chronology ]
Scote, 19 Feb 2016 @ 9:02pm

The health department probably did the right thing
If a conspirator knew the account password they could have remote wiped the phone, so changing the iCloud password wasn't necesarily the wrong thing to do.
[ link to this | view in chronology ]
- That Anonymous Coward (profile), 20 Feb 2016 @ 2:51am
  
  Re: The health department probably did the right thing
  But that is a decision the FBI should have made, not Skippy from IT who decided on his own to be helpful.
  
  They could have secured the phone to prevent a remote wipe or even gotten an court order asking Apple to lock the account associated with the phone preventing remote wipes.
  
  What I found shocking was that San Bernardino has software that they install on SOME phones owned by the county that lets them unlock the phone. But that policy isn't for all county owned phones, which seems stupid to have a very useful tool that isn't deployed on all of the assets.
  
  www.msn.com/en-us/news/technology/common-mobile-software-could-have-opened-san-bernardino-sho oters-iphone/
  [ link to this | view in chronology ]
- nasch (profile), 20 Feb 2016 @ 7:32am
  
  Re: The health department probably did the right thing
  If a conspirator knew the account password they could have remote wiped the phone, so changing the iCloud password wasn't necesarily the wrong thing to do.
  
  Turning the phone off would prevent that, would it not?
  [ link to this | view in chronology ]
  - Anonymous Coward, 20 Feb 2016 @ 7:39am
    
    Re: Re: The health department probably did the right thing
    Turn off an iPhone?
    [ link to this | view in chronology ]
- Anonymous Coward, 20 Feb 2016 @ 8:37am
  
  Re: The health department probably did the right thing
  If a conspirator knew the account password they could have remote wiped the phone
  
  Good - because they'd have the location of the co-conspirator via how the wipe was preformed.
  
  If the "bad guys" had enough op-sec to destroy passwords and other phones, why would the work phone been used where the employer had the right to inspect?
  [ link to this | view in chronology ]
Patrick, 20 Feb 2016 @ 1:07am

Maybe they should retract that statement about Apple's objection being solely for marketing and make it a mea culpa for their incompetence and getting an order of preservation to prevent password change etc. If nothing else it would be more accurate.
[ link to this | view in chronology ]
Anonymous Coward, 20 Feb 2016 @ 4:45am

Even if there were an auto-backup, you couldn't be certain that all relevant data were contained therein. FBI would still need to conduct forensic analysis on the phone's direct contents.

Regarding iCloud, it's trivial to change Apple's backend to allow the phone to authenticate successfully.
[ link to this | view in chronology ]
Digitari, 20 Feb 2016 @ 6:01am

How suprising..
that Techdirt has so many Apple coders as readers..

I code in my own linux, and it's sorta like OSX but I have no Idea what it all entails
[ link to this | view in chronology ]
madasahatter (profile), 20 Feb 2016 @ 7:43am

He had a buddy in IT?
This series of events raises the question about the IT person. Was this person a friend? And did they change the password, which should be known, deliberately?
[ link to this | view in chronology ]
Anonymous Coward, 20 Feb 2016 @ 8:51am

Mcafee offered to crack the encryption free of charge to the government. Saying that he has a hacker team that is the envy of any group. Funny how the government doesn't want to take him up on that isn't it?

http://www.cnbc.com/2016/02/19/john-mcafee-fbi-should-let-me-hack-iphone.html

No opening this phone isn't the real objective. The real objective is to gain a tool that can be used on any iPhone. Otherwise they would have taken Mcafee up on that.

Since Congress is not willing to pass a bill requiring backdoors into encryption this whole dog and pony show is about one thing and one thing only. Getting a new tool, that Apple is to give them free of charge, which could be used on any encrypted iPhone. This is the sneaky way to get what you want when you can't get a law passed.
[ link to this | view in chronology ]
Um Guys, 20 Feb 2016 @ 3:35pm

The FBI Instructed the County to Change the Password
...to set up this whole situation?

http://www.theguardian.com/technology/2016/feb/20/san-bernadino-county-fbi-gunman-apple-ac count

he San Bernardino County government on Friday night said the FBI told its staff to tamper with the Apple account of Syed Farook, who with his wife, Tashfeen Malik, carried out the December shooting in which 14 people were killed.
[ link to this | view in chronology ]
Anon, 20 Feb 2016 @ 8:26pm

So...
So going postal is now a terrorist incident? If this guy were really an actual terrorist, he would have shot up somewhere more public and intimidating than... where they work.

Do they have ANY clue that there is any communication of relevance there? A major fishing expedition which will involve millions of dollars (plus what's already been spent) and yield nothing.
[ link to this | view in chronology ]
- Coyne Tibbets (profile), 21 Feb 2016 @ 2:58am
  
  Re: So...
  All Muslims are terrorists.
  All terrorists are Muslim.
  All violent acts committed by Muslims are terror attacks, regardless of victim count.
  All violent attacks by non-Muslims are ordinary crimes, regardless of victim count.
  
  Our rulers created these rules to properly define the enemy we're supposed to be fighting. Bottom line: The enemy is Muslims and no one else. George Orwell demonstrated this type of thought control in 1984.
  
  This case is a perfect example: it appears to be an ordinary (if any can be called that) workplace attack. But it is positively a terrorist act simply because a Muslim was involved. Just ask our rulers.
  [ link to this | view in chronology ]
Coyne Tibbets (profile), 21 Feb 2016 @ 2:33am

Say what again?
Syed Farook's iPhone password was reset by the iPhones owner, which is San Bernardino Health Department.

Say what? When my employer resets my password, they have to communicate the new password to me, or it has to be some dummy default.

1) If they were able to do this then why can't the government just get the eMail that has the new password? It must have been passed by some channel other than the device; you can't sign on to your device if the new password is on the device.

2) If the transmitted password can't be retrieved, then why can't San Bernardino Health Department simply reset it again?

The longer this "episode" runs, the more clear it becomes that this is just an excuse to force Apple to develop a backdoor. Which, of course, the government will keep and use anytime it wishes.
[ link to this | view in chronology ]
- Anonymous Coward, 21 Feb 2016 @ 11:56am
  
  Re: Say what again?
  There's two different things here: the password to his cloud account, which the employer can (and did) reset, and the passcode to the phone itself, which they cannot. By resetting the password on the cloud account, they were able to get the information that the phone had previously backed up a month and a half before the shooting, but they stopped the phone from being able to make a new backup with the current contents of the phone.
  [ link to this | view in chronology ]
Anonymous Coward, 21 Feb 2016 @ 2:57am

This has nothing to do with syed and more to give themselves yet another ability

We are nothing but sheep, cattle, there to work on behalf, to be monitored, to be fucking conditioned.........the politicians work for the government, not the people

Its fucking archaic, the world has changed, but we have not, who decided that being ruled is a natural human state, oh thats right, questionable folks of the past, with questionable folks of the present carrying the batton

The more things change, the more things stay the same
[ link to this | view in chronology ]