Government snooping, backdoors and #necessaryhashtags - Page 59

kladner · 2016-03-09, 22:23

Snowden: FBI Claim That Only Apple Can Unlock Phone Is “Bullshit”
-The Intercept

Quote:

NSA whistleblower Edward Snowden says the FBI’s ostensibly last-ditch attempt to unlock San Bernardino shooter Syed Rizwan Farook’s iPhone is a sham.

The FBI last month persuaded a federal judge that the only way to get into the phone was to make Apple write code to undermine its own security protocols. Apple is refusing to comply.

“The FBI says Apple has the ‘exclusive technical means’” to unlock the phone,
Snowden said during a discussion at Common Cause’s Blueprint for Democracy conference.
“Respectfully, that’s bullshit,” he said, over a video link from Moscow.

The link below is cited in the article above.
One of the FBI’s Major Claims in the iPhone Case Is Fraudulent
-ACLU blog

Quote:

In the FBI’s court order requesting Apple's assistance in unlocking the work iPhone 5c used by the San Bernardino shooter, the bureau's first and most urgent demand is that Apple disable the iPhone's “auto-erase” security feature. This feature (which is not enabled by default on most iPhones) protects user data on a device from would-be snoops by wiping the phone after 10 failed passcode attempts. This protects you and me from thieves trying to guess our passcodes and access our data for identify theft, for example.

But the truth is that even if this feature is enabled on the device in question, the FBI doesn't need to worry about it, because they can already bypass it by backing up part of the phone (called the “Effaceable Storage”) before attempting to guess the passcode. I'll go into the technical details (which the FBI surely already knows) below.

only_human · 2016-03-16, 00:37

Apple's Response To DOJ: Your Filing Is Full Of Blatantly Misleading Claims And Outright Falsehoods

Quote:

In fact, in a footnote, Apple goes even further in not just blasting the DOJ's suggestion that Congress didn't really consider a legislative proposal to update CALEA to suck in requirements for internet communications companies, but also highlighting the infamous quote from top intelligence community lawyer Robert Litt about how they'd just wait for the next terrorist attack and get the law passed in their favor at that point.

Quote:

The filing is basically Apple, over and over again, saying, "uh, what the DOJ said was wrong, clueless, technically ignorant, or purposely misleading." Hell, they even attack the DOJ's claim that the All Writs Act was used back in 1807 to force Aaron Burr's secretary to decrypt one of Burr's cipher-protected letters. Apple points out that the DOJ is lying.

kladner · 2016-03-16, 03:32

Fun links from the article linked above.

Fallout:
https://www.techdirt.com/articles/20...cryption.shtml

John Oliver:
https://www.techdirt.com/articles/20...rnalists.shtml

Lindsey Graham(!):
https://www.techdirt.com/articles/20...le-fight.shtml

ewmayer · 2016-03-18, 00:18

In-depth piece on the profit-motivated side of our headlong societal rush towards universal surveillance by Shoshana Zuboff of the Frankfurter Allgemeine Zeitung:

The Secrets of Surveillance Capitalism : Governmental control is nothing compared to what Google is up to. The company is creating a wholly new genus of capitalism, a systemic coherent new logic of accumulation we should call surveillance capitalism. Is there nothing we can do?

Quote:

The very idea of a functional, effective, affordable product as a sufficient basis for economic exchange is dying. The sports apparel company Under Armour is reinventing its products as wearable technologies. The CEO wants to be like Google. He says, “If it all sounds eerily like those ads that, because of your browsing history, follow you around the Internet, that’s exactly the point–except Under Armour is tracking real behavior and the data is more specific… making people better athletes makes them need more of our gear.” The examples of this new logic are endless, from smart vodka bottles to Internet-enabled rectal thermometers and quite literally everything in between. A Goldman Sachs report calls it a “gold rush,” a race to “vast amounts of data.”

Came across a seemingly-unrelated article on Biotech cos. "mining for gold in the personal microbiome" that same day, and it quickly dawned on me that these things are not unrelated at all ... with respect to the issue of “Great. Big Pharma IP in my gut biome. What could go wrong?” — Just think, by combining this research with the kind of miniaturization embodied in the “smart internet-connected rectal thermometer” described above, a pharma corp could actually discover a novel and useful microbe in your gut and patent it before you ever knew about it. Market efficiency there, my friends! Then they could turn around and sue you, the host of said microbe, under the in-final-secret-negotiations TPP/TTIP's ISDS dispute resolution [a.k.a. 'corporate-captured kangaroo court'] provision for patent infringement, requesting the court that you pay a hefty fine and undergo a course of personal-biome-nuking antibiosis … using the same PharmaCorp's incredibly expensive antibiotics, of course, and at your own expense. But hey, the cost of the drugs will help you reach your ACA-caused colossal insurance deductible for the year. Man, big-data-enhanced free-market capitalism is so awesome.

retina · 2016-03-21, 09:41

Quote:

Originally Posted by retina

I don't care about the outcome actually. The important point is that if one uses a short passcode then they are essentially relying upon the goodwill of apple to not allow others access to their data. And any security that relies upon the actions (or non-actions) of others is not the sort of security that I want to use.

I have changed my mind on this. I hope that Apple lose this case, and that they are forced to help in creating the demanded software.

My reasons are three-fold (in no particular order):

It will showcase the existing weaknesses of the digital devices people use and highlight the dangers of storing everything without regard for who may gain access in the future.
It will encourage engineers designing devices to make them unreachable to anyone without the passcode, regardless of what software is runnable, and with all desired timeouts and lockouts remaining active and effective. I'm sure most companies would not like to be in Apple's position and they will try to find a way to avoid it in the future.
It will send a signal to people using their digital devices (the users) that they cannot rely upon the stated goodwill and good intentions of companies to keep them secure, because other parties can coerce the companies to act in ways that may harm them.

ewmayer · 2016-03-22, 03:56

My old, decidedly non-smart 'candybar' cellphone played a nasty trick on me over the weekend. Not being married (and thus not subject to e-leash laws) I only turn it on once per day to check messages and make a needed call or two; everyone who knows me well enough to possibly need to reach me in emergency fashion knows alternate means of doing so. I have no landline - ditched that ~10 years ago, as soon as CA passed a law requiring mobile carriers to allow people to transfer an existing number to a mobile phone.

Until ~6 months ago I used the phone sans the optional 4-digit lock code, but then 'with enhanced security in mind' (i.e. cops stealing info off your phone and such) I began to use that feature. No problems until this past weekend, when the phone suddenly decided the lock code I'd been using - it needs a lot of menus to change, no possible chance of 'butt-dialing' a random new one - is no good. Local Verizon store was little help - bottom line, whatever possible options I may have for getting it unlocked there will take at least as much time as manually running through all 10^4 possibilities (statistically one will need on average 1/2 as many ... my thumbs are hoping to get lucky). Using breaks here and there and TV commercial breaks to merrily click away ... 400 down so far, as many as 9600 to go. Needless to say, given how lightly I use the unit (i.e. few personal data on it, just contact numbers and names), once I'm back I shall be disabling this particular security feature.

retina · 2016-03-22, 04:10

Quote:

Originally Posted by ewmayer

Until ~6 months ago I used the phone sans the optional 4-digit lock code, but then 'with enhanced security in mind' (i.e. cops stealing info off your phone and such) I began to use that feature. No problems until this past weekend, when the phone suddenly decided the lock code I'd been using - it needs a lot of menus to change, no possible chance of 'butt-dialing' a random new one - is no good. Local Verizon store was little help - bottom line, whatever possible options I may have for getting it unlocked there will take at least as much time as manually running through all 10^4 possibilities (statistically one will need on average 1/2 as many ... my thumbs are hoping to get lucky). Using breaks here and there and TV commercial breaks to merrily click away ... 400 down so far, as many as 9600 to go. Needless to say, given how lightly I use the unit (i.e. few personal data on it, just contact numbers and names), once I'm back I shall be disabling this particular security feature.

So your phone software is

. If it was bug free then no doubt you wouldn't have this problem. And is the passcode used to encrypt the data or is it just a simple software gate that is useless if someone scans the flash storage directly?

However why not just wipe the whole thing and restore from backup? If you don't have any backups then what would you have done if you had had it stolen, or lost it, or accidentally dropped it into molten lava? If the data are important enough to spend time going through up to 10000 PIN trials then they should also be important enough to spend 2 minutes backing it up occasionally. I guess hindsight is a wonderful thing.

0PolarBearsHere · 2016-03-22, 04:35

Quote:

Originally Posted by retina

and highlight the dangers of storing everything without regard for who may gain access in the future.

With the amount of intimate photos and personal details put on facebook marked as public or friends of friends, I seriously doubt people are going to care about storing it safely.

retina · 2016-03-22, 05:04

Quote:

Originally Posted by 0PolarBearsHere

With the amount of intimate photos and personal details put on facebook marked as public or friends of friends, I seriously doubt people are going to care about storing it safely.

I think there is more to it than simple photos people choose to make public. These pocket computers can do much more. For starters they can contain private messages/pictures/whatevers that people don't want to put on ~~vanitybook~~ ~~egobook~~ facebook. They can contain stored passwords for banking, CC numbers, health information, etc. If people care about these things then they should inform themselves about just what they are getting into when they decide to put everything in there.

Nick · 2016-03-22, 12:20

Quote:

Originally Posted by ewmayer

My old, decidedly non-smart 'candybar' cellphone played a nasty trick on me over the weekend...

Here in Europe, the 4 digit PIN people type into a non-smart mobile phone does not protect access to the physical phone but access to the SIM (smart card) inside it with the crypto keys for the network connection. Thus, what is protected by the PIN is the subscriber's account with the phone company.

ewmayer · 2016-03-24, 04:44

I am back in ... yesterday I decided to try to be smart about things and try all possible single-bit-flips applied to the old PIN, assuming each digit stored as a hex char, i.e. in the binary range 0000-1001. No joy, so continued my brute-force enumeration, and got thru the first 1000 possibles (0000-0999) last night. Was just now settling in for another during-TV-ads evening sessions, and hit it on the 4th try. The new lock code, 1003, turns out to match the last 4 digits of my phone #, which is

[1] Annoying, in that it points to a software bug of some kind - I never have occasion to enter my own number, and have never used it as a basis for a PIN.

[2] Relieving, in that it is at the lower end of the "how many tries needed on average" scale.

One final annoyance - it seems on this model phone, once you PIN-protect access, you can only *change* your PIN, not unselect the PIN protection option. Shy of wiping the entire memory, that is.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
I'm rich AND on a government check.	jasong	jasong	18	2013-08-12 18:21
How does proper government manifest in regulation?	cheesehead	Soap Box	10	2011-04-17 02:29

2016-03-16, 03:32	#641
kladner "Kieren" Jul 2011 In My Own Galaxy! 2×3×1,693 Posts	Fun links from the article linked above. Fallout: https://www.techdirt.com/articles/20...cryption.shtml John Oliver: https://www.techdirt.com/articles/20...rnalists.shtml Lindsey Graham(!): https://www.techdirt.com/articles/20...le-fight.shtml

2016-03-22, 03:56	#644
ewmayer ∂²ω=0 Sep 2002 República de California 19·613 Posts	My old, decidedly non-smart 'candybar' cellphone played a nasty trick on me over the weekend. Not being married (and thus not subject to e-leash laws) I only turn it on once per day to check messages and make a needed call or two; everyone who knows me well enough to possibly need to reach me in emergency fashion knows alternate means of doing so. I have no landline - ditched that ~10 years ago, as soon as CA passed a law requiring mobile carriers to allow people to transfer an existing number to a mobile phone. Until ~6 months ago I used the phone sans the optional 4-digit lock code, but then 'with enhanced security in mind' (i.e. cops stealing info off your phone and such) I began to use that feature. No problems until this past weekend, when the phone suddenly decided the lock code I'd been using - it needs a lot of menus to change, no possible chance of 'butt-dialing' a random new one - is no good. Local Verizon store was little help - bottom line, whatever possible options I may have for getting it unlocked there will take at least as much time as manually running through all 10^4 possibilities (statistically one will need on average 1/2 as many ... my thumbs are hoping to get lucky). Using breaks here and there and TV commercial breaks to merrily click away ... 400 down so far, as many as 9600 to go. Needless to say, given how lightly I use the unit (i.e. few personal data on it, just contact numbers and names), once I'm back I shall be disabling this particular security feature.

2016-03-24, 04:44	#649
ewmayer ∂²ω=0 Sep 2002 República de California 19·613 Posts	I am back in ... yesterday I decided to try to be smart about things and try all possible single-bit-flips applied to the old PIN, assuming each digit stored as a hex char, i.e. in the binary range 0000-1001. No joy, so continued my brute-force enumeration, and got thru the first 1000 possibles (0000-0999) last night. Was just now settling in for another during-TV-ads evening sessions, and hit it on the 4th try. The new lock code, 1003, turns out to match the last 4 digits of my phone #, which is [1] Annoying, in that it points to a software bug of some kind - I never have occasion to enter my own number, and have never used it as a basis for a PIN. [2] Relieving, in that it is at the lower end of the "how many tries needed on average" scale. One final annoyance - it seems on this model phone, once you PIN-protect access, you can only change your PIN, not unselect the PIN protection option. Shy of wiping the entire memory, that is.