Domain: trailofbits.com
Stories and comments across the archive that link to trailofbits.com.
Comments · 12
-
Report Author Conflict of Interest
Report co-author and CEO of Luta Security, Katie Moussouris, doubled down on the findings, claiming that independent researchers are “better off pen testing or living the good life of in-house research staff.”
Katie started the bug bounty program at Microsoft and now owns a company doing pen testing. Guess what the report recommends? I wonder what it would recommend if she were still heading up a bug bounty program? Maybe I'm overly cynical, but it appears the authors are trying to structure bug bounty programs to be more like they are, security consultants. If you're going to propose such a large change, why look at only one data set? Even the Hacker One CEO said their data set isn't representative of the whole.
It's clear from the news article, which has a very clickbait-y title, that there are ways to improve bug bounty programs. As others have pointed out in comments here, it's still a useful tool. There's a blog post linked in the news article gives a good overview. That should've been the Slashdot submission. -
Done a year ago... not by Microsoft
Sandboxing of Windows Defender was done over a year ago by a security researcher at Trail of Bits: Microsoft didnâ(TM)t sandbox Windows Defender, so I did.
Did Microsoft copy his work?
-
Re: Response Intel vs AMD
Go to: https://blog.trailofbits.com/2... then here: https://community.centminmod.c...
Enjoy.
-
Pretty sure they can do it
Pretty sure they can do it:
-
Re:Can someone explain why the FBI needs Apple?
First of all, thanks for comparing my question to a 3 year old's understanding of things. What a pleasant way to start your response.
Second of all, if what you say is true, then why would the FBI's demand for Apple to push an update to the device have any effect? The whole story is about how the FBI wants Apple to break the "10 failed attempts erases the key" mechanism with a software update, which apparently is totally possible for Apple to do. So your understanding must be wrong here. Apple has the ability, with a software update, to prevent the device from erasing the key after 10 attempts. If they were unable to do so, they would be refusing the order purely on technical grounds.
Third, this model doesn't feature the Secure Enclave (or at least as you're describing it). That was added in later models. (The 5S and onwards). From one analysis: "On the iPhone 5C, the passcode delay and device erasure are implemented in software".
And finally, learn the difference between "it's" and "its", especially when you're trying to sound smart.
-
Re:Comment out two lines
Yeah, yeah, that's what I've been telling people the last few days. The whole thing can be done by commenting out those two lines (or sections, whatever).
Then compile a patch using Apple's signing key. Then use DFU mode to stick it on the phone. All done!
This blog talks about DFU mode, in the comments someone says it will wipe everything, but then someone else explains how to do it without wiping. So it's totally possible and easy to do...
https://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order/
And Apple's signing key would still be secret, so this does NOT lead to any new security hole.
-
Re:this isn't a backdoor as such..
Here's some more relevant information: http://blog.trailofbits.com/20...
The person who wrote this article quotes what exactly the FBI is wanting Apple to do, claims that Apple is very well capable of complying with the order, even if it were a 5S or later, and that the FBI should be able to get up to one code test per 80 ms. -
Re:Nothing to do with encryption debate
FBI asking Apple to provide them with a signed OS image which allows unrestricted brute force guesses of the password/pin code on a single phone. This is very different from building a backdoor into encryption so that it can be reversed without knowing the password.
To apply the signed image software update the smartphone must already be unlocked so the user can manually accept the update. Software updates for device software is not automatic nor should it be automatic due to the high potential of bricking the device.
-
Nothing to do with encryption debate
FBI asking Apple to provide them with a signed OS image which allows unrestricted brute force guesses of the password/pin code on a single phone. This is very different from building a backdoor into encryption so that it can be reversed without knowing the password.
Apple could provide an alternative OS image that checks for part serial numbers on specific phones named in a warrant. FBI would not be able to install that image on another phone, as removing serial check would also invalidate the signature.
I think it's a good compromise, unless one does not believe that law enforcement should be obtain available evidence with a proper warrant. It's different from going out of the way to make evidence available at the expense of law abiding user's security.
-
Re:They aren't ordering Apple to decrypt it
It's worth noting that this wouldn't work on any device that has a Secure Enclave and TouchID. The Secure Enclave can't be updated or tampered with without it erasing its keys, leaving the phone permanently encrypted. If the SE isn't modified, it imposes delays on responding to passcode requests so that after the 9th request, there's a delay of 1hr before you can try again.
This article goes into more detail: http://blog.trailofbits.com/20...
The phone in question is a 5c, so yes, Apple could theoretically do what is being asked of them. But the phones after that--no.
Thanks that is what I was getting at. Good info.
So the next question is whether they can target this specific phone with a patch to disable the ten password attempt limit and therefore allowing the FBI to continue a brute force attack on the pin number... which would be relatively simple. It sounds like the answer is yes, that they could probably do so if they brought the phone in house and updated the firmware like they would when they test new firmware updates.
As much as it pains me, I think the FBI is right on this one. It sounds like it would be reasonably simply for Apple to take this device in-house and install firmware with a patch on this older device to remove the 10 attempt limit. But if the only way to get around this limit would be to install a back door on all devices, then I think that Apple is right to fight this. The devil is really in the details.
The question for Apple is what kind of can of worms this opens up since there are so many of these devices still in use.
This is also an important technical discussion because if the ten password limit can be bypassed with a firmware update then a brute force on a 4 digit pin is relatively simple and users should be aware that their devices are not really as secure as they might have thought.
-
Backdoor ONLY applicable on older phones
"...the FBI wants Apple to create a special version of iOS that only works on the one iPhone they have recovered. This customized version of iOS (*ahem* FBiOS) will ignore passcode entry delays, will not erase the device after any number of incorrect attempts, and will allow the FBI to hook up an external device to facilitate guessing the passcode. The FBI will send Apple the recovered iPhone so that this customized version of iOS never physically leaves the Apple campus." "Even with a customized version of iOS, the FBI has another obstacle in their path: the Secure Enclave (SE)...a separate computer inside the iPhone that brokers access to encryption keys for services like the Data Protection API (aka file encryption)..." "...the recovered iPhone is a 5C. The 5C model iPhone lacks TouchID and, therefore, lacks the single most important security feature produced by Apple: the Secure Enclave." Source: http://blog.trailofbits.com/20...
-
Re:They aren't ordering Apple to decrypt it
It's worth noting that this wouldn't work on any device that has a Secure Enclave and TouchID. The Secure Enclave can't be updated or tampered with without it erasing its keys, leaving the phone permanently encrypted. If the SE isn't modified, it imposes delays on responding to passcode requests so that after the 9th request, there's a delay of 1hr before you can try again.
This article goes into more detail: http://blog.trailofbits.com/20...
The phone in question is a 5c, so yes, Apple could theoretically do what is being asked of them. But the phones after that--no.