
Nothing is 100% secure, not even an iPhone

Last night, the FBI announced that it was dropping its litigation against Apple, because it had found an alternative way into the iPhone that had belonged to one of the San Bernardino terrorists. It proves, yet again, that nothing is ever completely, totally secure. Suing Apple simply became moot.

To the best of my knowledge, Apple never said that it couldn’t gain access to the phone, only that it wouldn’t. I’m not here to persecute or defend Apple, nor to debate the social or legal issues raised by the case. What I will do is opine about what we believe to be secure.

I’ve always likened device or application security to the idea of the scientific hypothesis. While it’s possible to absolutely prove a hypothesis to be false — all it takes is a single test case — you can never prove a hypothesis to be true. Every time you run a test that doesn’t destroy your hypothesis, all you’ve done is bolster support for it. But, you haven’t proved it true. Stop after a million tests that all support your hypothesis, and it still could be test 1,000,001, the one your imagination never conjured up, that smashes it to bits. You get the idea.

Testing for security is the same. In the digital realm, no matter how many times your security tests stand up to scrutiny, it just might be the very next one that lets the bad guys in. Who, after all, is the party that came forward to teach the FBI how to gain access to the infamous iPhone? Fortunately, this party was not a malicious hacker, but proved there was a way in, regardless of how secure Apple wanted us to believe the device was. (The data recovered from the phone still needs to be decrypted, but that’s separate from getting to the data.) Apple now vows to tighten security further.

One of the traditional arguments against cloud computing continues to be that some CIOs feel uncomfortable about security. Where are these cloud servers? Who is managing them? And wouldn’t 10,000 corporations virtually situated in the same gigantic physical datacenter be much more of a sitting duck target than a handful of servers buried deep in the bowels of 10,000 different corporate headquarters facilities? They’re all legitimate questions.

Cloud providers have the latest security technology and spend a whole lot more on security than any IT department ever could. They can hire experts that businesses can’t afford. They can hire experts that businesses can’t even find. That likely makes clouds much better at security than any business could be on its own, but absolutely, positively secure? In a word, no. After all, if security heavyweight RSA could itself be the victim of a huge breach in 2011, what does that mean for the rest of us?

Enough about the Apple case. Are you hypothesizing about the security of your systems, services, applications, and data? Sleeping well at night? Share your opinion — or your hypothesis; we’d like to hear from you.

Join the conversation



I think this is spot on - nothing is ever 100% secure - but when you move it into the secure data center you have many more tools at your disposal.

Virtual Mobile Infrastructure achieves the same for mobile applications by putting the mobile operating system in the cloud. No data or apps are ever resident on the end point, and so hacking the end point after the fact will yield no benefit to the hacker.

With the FBI saying they do not need Apple's help, Apple will now scramble to find the flaw in their software and patch it. This will lock the FBI out of future phone issues... If the FBI played their card right, they would have kept quiet and Apple would be none the wiser.
Apple possibly (probably?) already knows of flaws and of the method used by the FBI. The iPhone 7 will likely be a big seller because of this event.

As for the current blog post, I start by assuming that if I can get into a system, app, database or whatever, then someone else can use the same method. From that starting point, designing the security gets easier. Gaining access is only an initial step. Having capabilities must also be considered.

But it's only good enough if it appropriately balances costs. When methods are available for costs that sufficiently counter risks, it's past time to give them thought. Separating endpoints from data/apps is... hmmm... well, it sounds a little like terminal connections to a server. Or maybe diskless workstations?