
Apple Hires Corporate Security Chief Amid Legal Battle With FBI (fortune.com) 61

An anonymous reader writes: Apple has hired a new security executive to oversee its corporate digital defenses as a result of the ongoing battle with the U.S. government over law enforcement's desire to crack into the San Bernardino shooter's iPhone 5c. George Stathakopoulos, former vice president of information security at Amazon.com and before that Microsoft's general manager of product security, is the new appointee designated to be the vice president of corporate information security. Stathakopoulos will be responsible for protecting corporate assets, such as the computers used to design products and develop software, as well as data about customers. The new hire is a sign of increased focus on security issues at Apple.

  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Saturday March 19, 2016 @07:45PM (#51734267)
    Comment removed based on user account deletion
    • by Anonymous Coward

      This. Obama is a DINO so everything he does is the fault of Republicans.

    • by AHuxley ( 892839 )
      PRISM worked well and never had any internal problems.
      The end result will be a court ready master key, conscripted from any US brand or a rediscovery of strong crypto.
    • Re:Good move (Score:5, Insightful)

      by frovingslosh ( 582462 ) on Saturday March 19, 2016 @11:34PM (#51735059)

      before that Microsoft's general manager of product security

      I wonder if he was in charge of Microsoft product security when they turned over the source code for most of the computers used in the U.S. to the Chinese government.

      • Even going back to the 90s, the major customers had the source, including India.

        Writing drivers was a PITA, major device vendors had the source.

        It isn't secret, only proprietary and not available for general distribution.

  • by ameline ( 771895 ) <ian...ameline@@@gmail...com> on Saturday March 19, 2016 @07:50PM (#51734293) Homepage Journal

    If I were them I'd be pretty careful about who I hired and what I had them do. I'm pretty sure their security/crypto engineers are long-time employees who have demonstrated their trustworthiness over the years.

    I certainly wouldn't put it past the NSA/FBI/CSIS/GCHQ/FSB etc to try to get people on the inside.

     

    • by Noah Haders ( 3621429 ) on Saturday March 19, 2016 @07:52PM (#51734303)

      this is why it's so dangerous to create a "one-time unlock key", even if it stays in Apple's possession rather than going to the FBI. Once it exists, it will become the hottest industrial espionage target. NOMORESECRETS

      • So Apple just has to "un-exist" it when they are done. Develop and use it in a clean room, then destroy the contents of the room once they hand over the pin to the FBI, if it turns out that the FBI has a constitutional right to demand Apple's assistance. You are worrying about the wrong things, this has never been a technical issue, it is a matter of law which has yet to be settled through due process.
        • by Shawn Willden ( 2914343 ) on Saturday March 19, 2016 @10:08PM (#51734759)

          So Apple just has to "un-exist" it when they are done. Develop and use it in a clean room, then destroy the contents of the room once they hand over the pin to the FBI, if it turns out that the FBI has a constitutional right to demand Apple's assistance.

          Oh, and then re-create it for each of the next 200 phones the FBI wants into... making sure that no copies ever leak, each time.

          This case isn't about Farook's phone. Everyone knows there's nothing of use on it anyway... anything of value would have been on one of his burner phones, which the FBI knows he had and knows he destroyed, not on the phone that he knew was being backed up to iCloud under an employer-owned account. This is all about the precedent. The FBI picked this phone because "terrorist!", but even they don't care about this one. It's all about the rest.

          • Oh, and then re-create it for each of the next 200 phones the FBI wants into... making sure that no copies ever leak, each time.

            One possibility would be to unlock the phone, send an appropriate bill (some major six digit number), and see if they really want the next phone unlocked at that cost.

            • Oh, and then re-create it for each of the next 200 phones the FBI wants into... making sure that no copies ever leak, each time.

              One possibility would be to unlock the phone, send an appropriate bill (some major six digit number), and see if they really want the next phone unlocked at that cost.

              The FBI would just argue in court that Apple can't substantiate that cost, and get the court to find that they don't have to pay, or only have to pay a reduced amount. Especially for the nth device.

              Slippery slope arguments are generally fallacious, but not always, and this case really is a slippery slope.

              • The FBI would just argue in court that Apple can't substantiate that cost, and get the court to find that they don't have to pay, or only have to pay a reduced amount. Especially for the nth device.

                Apple would then argue in court that since the FBI refuses to pay Apple's cost, this constitutes an unacceptable burden.

              • by Agripa ( 139780 )

                Why wouldn't Apple be able to substantiate the cost? They would know how much time and effort went into creating the program earlier.

                Or are you suggesting that the court would penalize them for destroying something they had no reason to preserve?

        • The matter of law IS settled. The FBI is trying to go around the law. There are limits to what the government can do, the FBI just reached it. Either they back off or they are going to continue to get egg on their face. Crypto is here and it's not going anywhere. They picked a fight they can't win.
          • by Anonymous Coward

            > Crypto is here and it's not going anywhere. They picked a fight they can't win.

            You said it!

            If you use crypto but give someone else a key, you have no control over your data. You have zero security.

            The idea that we can "balance" the need for individual security with national security by weakening encryption is a dog that won't hunt.

    • Re: (Score:3, Funny)

      by Anonymous Coward

      But he once worked for Microsoft, the industry example of security.

    • All they have to do is compromise an existing staff member, same goes for any other foreign state or non-state group. Therefore what Apple needs to do is be very careful that they don't have any key employees with habits or secrets that could be used to blackmail them. In fact that risk has always existed and your comment is pretty much redundant.
      • you think 'staff members' have full *important* code access?

        ha!

        the more important the code is, the higher up you have to have authorization to even KNOW about. at least any real company does that. you can't even see some dirs unless you are authorized.

      • by swb ( 14022 )

        You would think that really important stuff like the signing keys would be stored in a special room more akin to a bank vault than anything else. Probably with 365/24 armed security and probably something that requires two people to go in at the same time so that no one person is alone with the equipment and a complete audit trail of the computer inside.

    • The main thing the FBI needs is the signing certificate. Undoubtedly this is something that Apple keeps tight control over, but at the end of the day it is just a file on disk somewhere.

      • by ameline ( 771895 )

        The signing keys are almost certainly on secure signing modules. These will not allow the key to leave the module -- they will only sign blobs with it. They can be configured to require n of m access tokens -- passwords, biometrics, & physical tokens. So to sign a new SIF, it would require 3 or 4 employees all entering their passwords, fingerprints and secure tokens (usually USB dongles of some sort). This module itself will be in a very secure room -- behind several locked doors. It will not be connecte

  • Why don't (Score:4, Insightful)

    by rossdee ( 243626 ) on Saturday March 19, 2016 @10:25PM (#51734821)

    why don't they just buy the entire FBI
    I am sure President Donald will give them a good deal...

  • Apple needs to renew the insertion of Map Trap equivalents in their sources.

    https://www.gislounge.com/map-... [gislounge.com]

    Done correctly they are an easy way to watermark your code and
    sets of them can be searched for from time to time.

    your_ardvark(Ants_in_Pants_timer_knob) /*about 15 seconds this is 15 year old code */

    Let's see how long it takes for google to find the one above.

  • Encryption: it's like a gun for your info. 128-bit, 256-bit. It's as big of a gun as you want it to be!

  • The guy's last name alone is an unbreakable password.
