Tim Cook: "Weakening Encryption Or Taking It Away Harms Good People"
Patrick O'Neill writes: Over the last year, Apple CEO Tim Cook has repeatedly made headlines as a spearpoint in the new crypto wars. As FBI director James Comey pushes for legally mandated backdoors on encryption, Cook has added default strong encryption to Apple devices and vocally resisted Comey's campaign. Echoing warnings from technical experts across the world, Cook said that adding encryption backdoors for law enforcement would weaken the security of all devices and "is incredibly dangerous," he said last night at the Electronic Privacy Information Center awards dinner. "So let me be crystal clear: Weakening encryption or taking it away harms good people who are using it for the right reason."
Too many things these days that don't make sense. If you have a hole in a system it will be abused by malicious people.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Two Words: The Fappening
Imagine Government has access to your private files LEGALLY, such that exposure of your files, your property, your life is completely unprotected by legislation?
I mean, this is the same guy who wants to effectively "take away" the ability of users to write their own code on their own machines, sure, but how's that even accomplished.
Liberty - Security - Laziness - Pick any two.
Are you an honest person? You have something to hide?
Yes, every honest person has a lot to hide and it is called privacy! And it is important that everyone value their privacy and encrypt everything for the sake of others' right to privacy!
If some authority has problems, they are free to come knock on my door or call me. I can talk at the front door or on the phone.
Obama - "Only bad people use encryption"
It's either safe for all or unsafe for all.
#3 - You rely upon Apple maintaining and respecting your privacy
Tim Cook didn't address Apple's real privacy problem
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
When politicians say these things, you can maybe believe that they don't understand the impossibility of undermining encryption such that only the 'good guys' can do it. But the director of the FBI must know what he is talking about, and must know that it's just completely wrong.
But how many people will support this argument when the subject is encryption but rail against it when the subject is firearms and self-defense?
Compared to guns I would strongly prefer people to be allowed to have strong encryption.
:)
Maybe America should start by regulating arms... Before you regulate strong encryption which has many peaceful civilian applications.
Please do leave your crazy "guns-are-more-important-arguments" in comments... I read them sarcastically and find them most entertaining
Anybody who stands to lose more by having their (illegal) activities uncovered compared to being penalized for using (banned) encryption will still use it, so only the good guys, who don't use it to cover up their criminal activity will stop using encryption. At the same time they will be more exposed to data and identity theft, blackmail and illegal snooping. This just shows how little actually the FBI cares about the safety of common, law-abiding citizens. They don't see their mission as protecting people from becoming victims in the first place, but rather as catching criminals after the fact. It's logical if pretty evil - the more crime there is in USA, the more money and power the FBI gets. But folks - which one of those is better for us? Prevention or prosecution?
But then would you show us the tech spec for the encryption protocols Apple is using? Well, OK, then, next.
This is an exclusive OR. Choose only one.
"Either we build our communications infrastructure for surveillance, or we build it for security. Either everyone gets to spy, or no one gets to spy", as Bruce Schneier says.
"The more prohibitions there are, The poorer the people will be" -- Lao Tse
is the same as saying we should not allow people to lock their cars/houses because criminals might hide something behind a locked door.
A bullet may have your name on it but splash damage is addressed "To whom it may concern."
In order to distinguish "right" and "wrong" reasons for privacy, you'd need to look into the communication. Which abolishes privacy.
The whole point of privacy is not to look into communication. In a way, not to let Schrödinger's cat out of the bag.
"None of your business" does not distinguish good and bad business. So I don't really like the pitch of Cook here:
Weakening encryption or taking it away harms good people who are using it for the right reason.
Because it will be immediately followed up by "so let's only weaken encryption and take it away from people who are using it for the wrong reason." And then we get an oversight committee which decides about which reasons are right and wrong, erring on the "safe" side.
There'll be some tin foil hat wearing paranoid redneck along any minute to tell us why he needs his sub machine gun collection to fend off The Men In Black when they come for him after he's sent illegally encrypted kitten pictures to his boyfriend.
Secrets secrets are no fun.
Secrets secrets hurt someone.
give skeleton keys to the government.
I'm sure I'll take a beating for this, but I wonder if Cook's being gay -- and not being completely "out" until relatively recently -- has some influence on his thinking about privacy?
If you think about it, someone who is gay and had been less than publicly out about it has had a period of their life where they were pretty intense about guarding their personal privacy, especially someone in a high profile corporate job where there are plenty of people inside and outside of the company who would want to take you down.
And not to say that his homosexuality is the only explanation, he's obviously intelligent and presents the case for privacy and encryption in principled, intellectual terms.
Sure, it doesn't explain everything. Straight CEOs also support encryption and not always because they have secret drug/hooker/mistress/etc issues to hide, too.
But it also works as a counter-explanation: CEOs who may not have had a deep interest in their personal privacy may have less personal association with privacy and may fall for the trap of "I have nothing to hide" and "It only helps criminals" or other deferential logic where they see granting government access as reasonable.
The problem with weakening encryption is that weaknesses do not care who uses them and once discovered they cannot be corrected. And weaknesses WILL be discovered sooner or later. Probably sooner. There is no way to only let the "good guys" in while keeping the "bad guys" out. You cannot weaken encryption without making it completely useless in the process.
It's clear that the majority of elected officials are not there to help us, so it's sad to see you modded down for sharing facts. Your comment should be insightful or informative, not troll. Sadly, there are still those who think that government is there to help them when it's really a bipartisan effort to keep us in our place.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Here I thought a gun was designed to fire a bullet at the target the operator points it at. No gun I own has ever killed any animals or people despite firing thousands of rounds, because the only thing I point them at are inanimate (paper, steel) targets.
Grandma (and the physically disabled, young women, etc) has a chance against a young, fit, male attacker if she has a gun.
Only if she has it out, loaded, safety off, is capable of pointing it in the right direction before the attack occurs and is aware of where the attack is coming from. It's an absurd hypothetical strawman that NEVER actually happens in the real world. Do you really want granny carrying a sidearm at all times given the extremely remote chance of her actually getting attacked outside of your imagination? Personally that's not a society I care to live in. Firearms have their time and place and I'm not remotely arguing against the 2nd amendment but they aren't what keeps crime in check. Guns are used FAR more often to facilitate crime than to prevent it. Real security comes from a properly structured civil society. Guns play a role but it should be a very minor one.
As one cop told me in a moment of frankness; "I ain't dodging gunfire for no $70k a year and a pension!"
The number of cops that EVER discharge their weapon intentionally in the line of duty is minuscule. It's significantly less than one percent. If your story is true then it shouldn't be surprising at all - almost all cops never have to "dodge gunfire" or shoot at a live person. However if he really wanted a safe job and a pension then he should have picked another line of work. There are easier and safer ways to make a decent living.
Police in the US have no legal obligation to protect citizens.
Police have a legal obligation to enforce the laws and guess what? The laws (usually) protect the citizens. (unless you are a minority - then you are apparently on your own judging by police response times) Countries with far stricter gun control laws somehow miraculously manage to have even better crime statistics than the US and FAR fewer deaths by firearm. Having a civil society isn't merely a result of everyone packing guns and having a Mexican standoff.
Police handle the paperwork. Citizens are the true "first responders".
What a bunch of delusional macho BS. When was the last time you actually saw someone grab a gun and go be a "first responder" to a crime? You haven't. The notion that you are going to protect society with a firearm isn't justified by the evidence. The evidence shows that the odds are FAR higher that the gun will be used in a suicide or result in an accident. I don't have a problem with people owning guns but let's not pretend that the citizenry are marching out to fight crime. If we get to that point I'm moving to someplace civilized.
But not actually resisting.
Some of you may have noticed that large banking chains insist upon very restricted use of characters in passwords. They also insist on short passwords that disallow password phrases. For example ASCi2 symbols are usually not allowed. Many keyboard symbols are also disallowed. All in all the major banks seem to insist upon fairly weak passwords. Since they, in theory, cover any losses made by hackers or crackers invading bank accounts I find their position really weird. Certainly it can not be so difficult to allow really strong passwords. What the heck is going on? The banks themselves use 2500 character passwords and there were experts claiming that they need to go to 5,000 character passwords for bank to bank transfers. Should customers be banned from using the same level of encryption?
That is so absurdly misleading and dishonest that you ought to be living in fear that someone will read for name on it, Mr. Anony - oh.
The only reason anyone gives a flying fuck about Apple signing the software, is that Apple severely punishes all software in the marketplace that they didn't sign. If Apple didn't abuse their 100% marketshare of all Apple devices and all the copies of iOS running on them, then few people would care about getting their software signed by Apple. You may have noticed that nobody is asking either Linus Torvalds or Michael Dell, to sign their application, even though they might market that application to Linux users who might be running the app on Dell hardware.
All they have to do is permit alternatives to the Apple store, and then everyone will stop having to ask their permission to sell software for that platform, and you'll hear a lot less bitching and groaning by developers whenever Apple says no.
Strawman. Nobody gives a flying fuck about $100. They care more about spending a year of your life and maybe over $100,000 to develop something, and unjailbroken iOS devices will not be allowed to purchase.
Apple is basically using the corrupt videogame console bullshit model, pioneered by IBM in the 1960s. It is disgraceful to be so technologically and socially regressive, and has no fucking place on personal computers post-1975. In fact, Apple used to be part of the solution, before they decided to become the problem instead. I would be ashamed to ever be associated with them and would omit it from my resume if I had ever worked there (fortunately, I haven't).
I agree with Tim Cook on what he's saying about crypto and it's refreshing to get such reminders that people can be nuanced within the mix of good and evil. But don't kid yourself: the must-be-signed-by-Apple aspect of all this, is basically like Tim Cook walking around holding a "GOD HATES FAGS" sign, along with all the irony that entails. And iOS users are also pointing to the "GOD HATES FAGS" sign and nodding with agreement, every time they send a dollar Apple's way.
It's disgusting and you should stop acting proud of the disgrace.
has become the most dangerous person in the world.
If you lived in Compton, would you lock your front door, but keep the backdoor unlocked and windows open? If you open it, they will come.
The government has experts who can open a fire safe. It may not be cheap, but it can be done. As far as we can tell, there are no experts who can decrypt something encrypted in AES-128 or stronger without the key.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
The piece of this that hasn't gotten nearly enough attention is this: Requiring U.S. tech companies to put backdoors in encryption will make U.S. technology anathema in every other country on this planet. U.S. tech companies will lose virtually all of their non-US market immediately, and the rest of it as soon as alternatives become available. (Which they will; the demand will be huge.)
Anyone at Apple trying to sound altruistic just looks like the pot calling the kettle black.
BeauHD. Worst editor since kdawson.
I have a feeling the NSA can break pretty much anything, so long as they don't need their computers for anything else for a few days or weeks.
It is effectively impossible to brute-force a 128-bit key, and by that I mean you can't do it by using all the resources of the Solar System until the heat death of the Universe. Exponential growth works that way, and a 128-bit key is 2^64 times as hard to brute-force as a 64-bit key, which already requires significant horsepower.
There is a possibility that the NSA can break AES, but that seems unlikely given the Snowden revelations and the lack of success of academic cryptanalysts. They'll probably always be a few years behind the NSA, but the gap has narrowed significantly.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Look, I appreciate Tim Cook's public statement. And Apple has done us a solid by encrypting those mobile Apple devices by default, so he's much more than an empty windbag on the issue. These are substantive actions and I appreciate them.
However. By casting this as a "Facebook and Google bad, Apple good" argument, I fear that he diminishes the entire discussion. The issue of his self-interest comes up. The truth is that there is a fortunate alignment of the Apple business model, which does not depend upon surveilling user activity and conversations, with this security mindset. Facebook and Google do depend upon such surveillance.
And while I decry the more overbearing intrusions of the Googles and Facebooks of the world, that brings up an issue. They have lots of customers, and lots of happy customers too. And quite a few of those happy customers (perhaps not a majority, but still) are generally aware that they are being watched by those companies.
If the conversation devolves into 'Apple is better than Google/Facebook', it becomes just another market joust for profitability, customers and market share. The security argument needs to be about more than that.
I know, but they don't need to go with a pure brute force approach.
You're then claiming that the NSA knows how to break the ciphers, and I've seen no evidence of that. It's not in the Snowden revelations, and private crypto researchers seem to think it very unlikely.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
No, I'm saying there's more than one way to skin a cat. You can decipher a message much faster if you happen to know it ends with an email signature used for unencrypted messages as well. Or you can steal the keys and reduce the problem to guessing a password. For that you can create a custom rainbow table based on biographical data and get a huge head-start.
And I'm saying that people have thought of that.
If you know something of the message, you've got a known-plaintext attack, and those are studied. A good cipher is one where even being able to dictate the plaintext allows you to get the key.
Stealing the keys is possible sometimes, but not necessarily for earlier messages. It also requires a higher level of intrusion than just intercepting messages and trying to read them.
Given good password handling, which I hope a key manager would have, rainbow tables are simply not very useful. Salt defeats rainbow tables. Two bytes of salt increases the size of the necessary rainbow table by a factor of 65,536.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Sure, given a good key manager, but what about a human? The practical impossibility of breaking modern cryptography goes out the window once you factor in human vulnerabilities. Why brute-force a key if you can trick somebody into giving you a head start?
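The salt claim in the exchange above, worked through as an added example that is not part of the original thread: a precomputed table built without a salt recovers an unsalted hash but misses the same password once a two-byte salt is mixed in, and covering every salt value multiplies the table by 65,536. The candidate list, the fixed demo salt and all function names are constructed for illustration; a plain hash-to-password dictionary stands in for a chain-based rainbow table, and single-pass SHA-256 is used only to keep the demonstration short.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for an attacker's precomputed dictionary.
CANDIDATES = ["password", "letmein", "rex2009", "hunter2", "qwerty123"]
SALT_BYTES = 2  # the two-byte salt mentioned in the thread


def digest(password: str, salt: bytes = b"") -> str:
    """SHA-256 over salt || password; an empty salt is the unsalted case."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(candidates, salt: bytes = b"") -> dict:
    """Precompute hash -> password for one specific salt value."""
    return {digest(p, salt): p for p in candidates}


def lookup(table: dict, stored_hash: str):
    """Return the recovered password, or None if the table has no match."""
    return table.get(stored_hash)


def store(password: str, salt_bytes: int = SALT_BYTES):
    """What a defender keeps per account: a random salt and the salted hash."""
    salt = os.urandom(salt_bytes)
    return salt, digest(password, salt)


def verify(password: str, salt: bytes, stored_hash: str) -> bool:
    """Legitimate check: the verifier has the salt, so one hash suffices."""
    return hmac.compare_digest(digest(password, salt), stored_hash)


def table_entries_needed(n_candidates: int, salt_bytes: int) -> int:
    """Entries a precomputed table needs to cover every possible salt."""
    return n_candidates * 256 ** salt_bytes


def demo(salt: bytes = b"\x13\x37") -> dict:
    """Run the unsalted table against an unsalted and a salted hash."""
    unsalted_table = build_table(CANDIDATES)
    return {
        "unsalted_hit": lookup(unsalted_table, digest("hunter2")),
        "salted_hit": lookup(unsalted_table, digest("hunter2", salt)),
        "growth_factor": table_entries_needed(1, SALT_BYTES),
    }


if __name__ == "__main__":
    print(demo())
```

A table rebuilt for one known salt still finds the password, which is why the salt's value lies in forcing per-account work rather than in being secret.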
Which doesn't require tying up computers for weeks or months.
Crypto isn't magic. If used properly, and not compromised by outside means, it's probably unbreakable, and I'd trust it to defy the NSA. Any successful attack would be by means of a keylogger, or research on somebody, or using a rubber hose, or something like that.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes