mersenneforum.org > Extra Stuff > Soap Box
Post #639, kladner ("Kieren"), 2016-03-09 22:23
More on Apple v FBI

Snowden: FBI Claim That Only Apple Can Unlock Phone Is “Bullshit”
-The Intercept
Quote:
NSA whistleblower Edward Snowden says the FBI’s ostensibly last-ditch attempt to unlock San Bernardino shooter Syed Rizwan Farook’s iPhone is a sham.

The FBI last month persuaded a federal judge that the only way to get into the phone was to make Apple write code to undermine its own security protocols. Apple is refusing to comply.

“The FBI says Apple has the ‘exclusive technical means’” to unlock the phone,
Snowden said during a discussion at Common Cause’s Blueprint for Democracy conference.
“Respectfully, that’s bullshit,” he said, over a video link from Moscow.
The link below is cited in the article above.
One of the FBI’s Major Claims in the iPhone Case Is Fraudulent
-ACLU blog
Quote:
In the FBI’s court order requesting Apple's assistance in unlocking the work iPhone 5c used by the San Bernardino shooter, the bureau's first and most urgent demand is that Apple disable the iPhone's “auto-erase” security feature. This feature (which is not enabled by default on most iPhones) protects user data on a device from would-be snoops by wiping the phone after 10 failed passcode attempts. This protects you and me from thieves trying to guess our passcodes and access our data for identity theft, for example.

But the truth is that even if this feature is enabled on the device in question, the FBI doesn't need to worry about it, because they can already bypass it by backing up part of the phone (called the “Effaceable Storage”) before attempting to guess the passcode. I'll go into the technical details (which the FBI surely already knows) below.
Post #640, only_human ("Gang aft agley"), 2016-03-16 00:37

Apple's Response To DOJ: Your Filing Is Full Of Blatantly Misleading Claims And Outright Falsehoods
Quote:
In fact, in a footnote, Apple goes even further in not just blasting the DOJ's suggestion that Congress didn't really consider a legislative proposal to update CALEA to suck in requirements for internet communications companies, but also highlighting the infamous quote from top intelligence community lawyer Robert Litt about how they'd just wait for the next terrorist attack and get the law passed in their favor at that point.
Quote:
The filing is basically Apple, over and over again, saying, "uh, what the DOJ said was wrong, clueless, technically ignorant, or purposely misleading." Hell, they even attack the DOJ's claim that the All Writs Act was used back in 1807 to force Aaron Burr's secretary to decrypt one of Burr's cipher-protected letters. Apple points out that the DOJ is lying.
Post #641, kladner ("Kieren"), 2016-03-16 03:32

Fun links from the article linked above.

Fallout:
https://www.techdirt.com/articles/20...cryption.shtml

John Oliver:
https://www.techdirt.com/articles/20...rnalists.shtml

Lindsey Graham(!):
https://www.techdirt.com/articles/20...le-fight.shtml
Post #642, ewmayer, 2016-03-18 00:18

In-depth piece on the profit-motivated side of our headlong societal rush towards universal surveillance by Shoshana Zuboff of the Frankfurter Allgemeine Zeitung:

The Secrets of Surveillance Capitalism: Governmental control is nothing compared to what Google is up to. The company is creating a wholly new genus of capitalism, a systemic coherent new logic of accumulation we should call surveillance capitalism. Is there nothing we can do?
Quote:
The very idea of a functional, effective, affordable product as a sufficient basis for economic exchange is dying. The sports apparel company Under Armour is reinventing its products as wearable technologies. The CEO wants to be like Google. He says, “If it all sounds eerily like those ads that, because of your browsing history, follow you around the Internet, that’s exactly the point–except Under Armour is tracking real behavior and the data is more specific… making people better athletes makes them need more of our gear.” The examples of this new logic are endless, from smart vodka bottles to Internet-enabled rectal thermometers and quite literally everything in between. A Goldman Sachs report calls it a “gold rush,” a race to “vast amounts of data.”
Came across a seemingly-unrelated article on Biotech cos. "mining for gold in the personal microbiome" that same day, and it quickly dawned on me that these things are not unrelated at all ... with respect to the issue of “Great. Big Pharma IP in my gut biome. What could go wrong?” — Just think, by combining this research with the kind of miniaturization embodied in the “smart internet-connected rectal thermometer” described above, a pharma corp could actually discover a novel and useful microbe in your gut and patent it before you ever knew about it. Market efficiency there, my friends! Then they could turn around and sue you, the host of said microbe, under the in-final-secret-negotiations TPP/TTIP's ISDS dispute resolution [a.k.a. 'corporate-captured kangaroo court'] provision for patent infringement, requesting the court that you pay a hefty fine and undergo a course of personal-biome-nuking antibiosis … using the same PharmaCorp's incredibly expensive antibiotics, of course, and at your own expense. But hey, the cost of the drugs will help you reach your ACA-caused colossal insurance deductible for the year. Man, big-data-enhanced free-market capitalism is so awesome.
Post #643, retina ("The unspeakable one"), 2016-03-21 09:41

Quote:
Originally Posted by retina
I don't care about the outcome actually. The important point is that if one uses a short passcode then they are essentially relying upon the goodwill of apple to not allow others access to their data. And any security that relies upon the actions (or non-actions) of others is not the sort of security that I want to use.
I have changed my mind on this. I hope that Apple lose this case, and that they are forced to help in creating the demanded software.

My reasons are three-fold (in no particular order):
  • It will showcase the existing weaknesses of the digital devices people use and highlight the dangers of storing everything without regard for who may gain access in the future.
  • It will encourage engineers designing devices to make them unreachable to anyone without the passcode, regardless of what software is runnable, and with all desired timeouts and lockouts remaining active and effective. I'm sure most companies would not like to be in Apple's position and they will try to find a way to avoid it in the future.
  • It will send a signal to people using their digital devices (the users) that they cannot rely upon the stated goodwill and good intentions of companies to keep them secure, because other parties can coerce the companies to act in ways that may harm them.
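A toy model of the two designs this thread is arguing about: the auto-erase bypass the ACLU post quoted in #639 describes (back up the "Effaceable Storage", restore it after the wipe, keep guessing) and the design retina asks for in #643, where the lockout stays effective regardless of what software is running. This is an added illustration, not code from the ACLU, Apple or anyone in the thread; every name in it (Effaceable, SecureCounter, Device, brute_force) is invented, the key wrapping and the PBKDF2 derivation are deliberately simplified stand-ins for a real device's key hierarchy, and only the 10-attempt limit and the 10^4 PIN space come from the posts.

```python
import copy
import hashlib
import hmac
import os

AUTO_ERASE_LIMIT = 10   # the limit quoted in the ACLU post
PBKDF2_ROUNDS = 200     # tiny so the demo runs fast; a real device is far slower

def passcode_key(passcode: str, salt: bytes) -> bytes:
    """Stand-in for the device's slow passcode-to-key derivation (assumption:
    a real one is also entangled with a per-device hardware key)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ROUNDS)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Effaceable:
    """Rewritable flash region holding the wrapped data key and, in the weak
    design, the failed-attempt counter. A NAND dump captures all of it."""

    def __init__(self, passcode: str):
        self.salt = os.urandom(16)
        data_key = os.urandom(32)                        # protects the user data
        self.wrapped = xor(data_key, passcode_key(passcode, self.salt))  # toy wrap
        self.check = hmac.new(data_key, b"unlock-check", "sha256").digest()
        self.failed = 0
        self.erased = False

    def snapshot(self) -> "Effaceable":
        return copy.copy(self)                           # the attacker's backup

    def restore(self, snap: "Effaceable") -> None:
        self.__dict__.update(vars(snap))                 # re-flash from the backup

    def erase(self) -> None:
        self.wrapped = bytes(32)                         # keys gone, data unrecoverable
        self.check = bytes(32)
        self.erased = True

class SecureCounter:
    """Failed-attempt counter in a separate secure element: the attacker can
    neither dump nor rewrite it, so restoring the flash does not roll it back."""

    def __init__(self):
        self.failed = 0

class Device:
    def __init__(self, passcode: str, auto_erase: bool, counter_in_flash: bool):
        self.flash = Effaceable(passcode)
        self.secure = SecureCounter()
        self.auto_erase = auto_erase
        self.counter_in_flash = counter_in_flash

    def _counter(self):
        return self.flash if self.counter_in_flash else self.secure

    def try_passcode(self, guess: str):
        """Return the unwrapped data key on success, None otherwise."""
        if self.flash.erased:
            return None
        if self.auto_erase and self._counter().failed >= AUTO_ERASE_LIMIT:
            self.flash.erase()   # already over the limit: flash was restored, counter was not
            return None
        candidate = xor(self.flash.wrapped, passcode_key(guess, self.flash.salt))
        tag = hmac.new(candidate, b"unlock-check", "sha256").digest()
        if hmac.compare_digest(tag, self.flash.check):
            self._counter().failed = 0
            return candidate
        self._counter().failed += 1
        if self.auto_erase and self._counter().failed >= AUTO_ERASE_LIMIT:
            self.flash.erase()   # tenth wrong guess wipes the keys
        return None

def brute_force(device: Device, candidates, restore_from_dump: bool):
    """Try candidates in order. With restore_from_dump, re-flash the effaceable
    region from a dump taken before the first guess whenever the device wipes.
    Returns (passcode or None, attempts made)."""
    dump = device.flash.snapshot()
    attempts = 0
    for guess in candidates:
        if device.flash.erased:
            if not restore_from_dump:
                return None, attempts
            device.flash.restore(dump)
        attempts += 1
        if device.try_passcode(guess) is not None:
            return guess, attempts
    return None, attempts

ALL_PINS = [f"{i:04d}" for i in range(10_000)]   # the 10^4 space discussed in the thread

if __name__ == "__main__":
    for counter_in_flash, restore in [(True, False), (True, True), (False, True)]:
        dev = Device("1003", auto_erase=True, counter_in_flash=counter_in_flash)
        print(counter_in_flash, restore, brute_force(dev, ALL_PINS, restore))
```

Run as-is, the three lines print (None, 10), ('1003', 1004) and (None, 10000). With the counter in the flash, the dump turns the 10-attempt limit into a 10-attempts-per-restore limit and the PIN falls at guess 1004. With the counter in the secure element the same dump buys nothing: the element refuses the unwrap once its count is over the limit, whatever the re-flashed storage now says, and it does not matter which firmware asked. That is the property retina is asking for, and it only holds if the counter, the escalating delay and the passcode-derived key all live where software cannot reach them. Note also that the PBKDF2 here is not tied to the device, so in this toy the attacker could carry the dump off to a faster machine; a real design closes that by mixing a per-device key that never leaves the hardware into the derivation.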
Post #644, ewmayer, 2016-03-22 03:56

My old, decidedly non-smart 'candybar' cellphone played a nasty trick on me over the weekend. Not being married (and thus not subject to e-leash laws) I only turn it on once per day to check messages and make a needed call or two; everyone who knows me well enough to possibly need to reach me in emergency fashion knows alternate means of doing so. I have no landline - ditched that ~10 years ago, as soon as CA passed a law requiring mobile carriers to allow people to transfer an existing number to a mobile phone.

Until ~6 months ago I used the phone sans the optional 4-digit lock code, but then 'with enhanced security in mind' (i.e. cops stealing info off your phone and such) I began to use that feature. No problems until this past weekend, when the phone suddenly decided the lock code I'd been using - it needs a lot of menus to change, no possible chance of 'butt-dialing' a random new one - is no good. Local Verizon store was little help - bottom line, whatever possible options I may have for getting it unlocked there will take at least as much time as manually running through all 10^4 possibilities (statistically one will need on average 1/2 as many ... my thumbs are hoping to get lucky). Using breaks here and there and TV commercial breaks to merrily click away ... 400 down so far, as many as 9600 to go. Needless to say, given how lightly I use the unit (i.e. few personal data on it, just contact numbers and names), once I'm back I shall be disabling this particular security feature.
Post #645, retina ("The unspeakable one"), 2016-03-22 04:10

Quote:
Originally Posted by ewmayer
Until ~6 months ago I used the phone sans the optional 4-digit lock code, but then 'with enhanced security in mind' (i.e. cops stealing info off your phone and such) I began to use that feature. No problems until this past weekend, when the phone suddenly decided the lock code I'd been using - it needs a lot of menus to change, no possible chance of 'butt-dialing' a random new one - is no good. Local Verizon store was little help - bottom line, whatever possible options I may have for getting it unlocked there will take at least as much time as manually running through all 10^4 possibilities (statistically one will need on average 1/2 as many ... my thumbs are hoping to get lucky). Using breaks here and there and TV commercial breaks to merrily click away ... 400 down so far, as many as 9600 to go. Needless to say, given how lightly I use the unit (i.e. few personal data on it, just contact numbers and names), once I'm back I shall be disabling this particular security feature.
So your phone software is buggy. If it was bug free then no doubt you wouldn't have this problem. And is the passcode used to encrypt the data or is it just a simple software gate that is useless if someone scans the flash storage directly?

However why not just wipe the whole thing and restore from backup? If you don't have any backups then what would you have done if you had had it stolen, or lost it, or accidentally dropped it into molten lava? If the data are important enough to spend time going through up to 10000 PIN trials then they should also be important enough to spend 2 minutes backing it up occasionally. I guess hindsight is a wonderful thing.
Post #646, 0PolarBearsHere, 2016-03-22 04:35

Quote:
Originally Posted by retina
and highlight the dangers of storing everything without regard for who may gain access in the future.
With the amount of intimate photos and personal details put on facebook marked as public or friends of friends, I seriously doubt people are going to care about storing it safely.
Post #647, retina ("The unspeakable one"), 2016-03-22 05:04

Quote:
Originally Posted by 0PolarBearsHere
With the amount of intimate photos and personal details put on facebook marked as public or friends of friends, I seriously doubt people are going to care about storing it safely.
I think there is more to it than simple photos people choose to make public. These pocket computers can do much more. For starters they can contain private messages/pictures/whatevers that people don't want to put on vanitybook egobook facebook. They can contain stored passwords for banking, CC numbers, health information, etc. If people care about these things then they should inform themselves about just what they are getting into when they decide to put everything in there.
Post #648, Nick, 2016-03-22 12:20

Quote:
Originally Posted by ewmayer
My old, decidedly non-smart 'candybar' cellphone played a nasty trick on me over the weekend...
Here in Europe, the 4 digit PIN people type into a non-smart mobile phone does not protect access to the physical phone but access to the SIM (smart card) inside it with the crypto keys for the network connection. Thus, what is protected by the PIN is the subscriber's account with the phone company.
Post #649, ewmayer, 2016-03-24 04:44

I am back in ... yesterday I decided to try to be smart about things and try all possible single-bit-flips applied to the old PIN, assuming each digit stored as a hex char, i.e. in the binary range 0000-1001. No joy, so continued my brute-force enumeration, and got thru the first 1000 possibles (0000-0999) last night. Was just now settling in for another during-TV-ads evening session, and hit it on the 4th try. The new lock code, 1003, turns out to match the last 4 digits of my phone #, which is:

[1] Annoying, in that it points to a software bug of some kind - I never have occasion to enter my own number, and have never used it as a basis for a PIN.

[2] Relieving, in that it is at the lower end of the "how many tries needed on average" scale.

One final annoyance - it seems on this model phone, once you PIN-protect access, you can only *change* your PIN, not unselect the PIN protection option. Shy of wiping the entire memory, that is.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
A copy of the license is included in the FAQ.