Indeed. I would even expect that this permission will not be much more than a formality; after all, the company intentionally went for an open source product, knowing that the changes would have to be published (assuming they would redistribute the software and it's GPL). From the wording of the summary I do assume that it was the intention to use the project, and that the code would be released in that case, so doing so for the other projects shouldn't be too much to ask.
Since when has the US switched to metric?
What is more: the current line of products with their "secure enclave" chip and so, are already supposedly unbreakable by Apple themselves. So is this an admission that Apple can actually break into the current iPhone 6 line? Or do I miss something here?
More secure in the sense of defeating the encryption since part of the key is embedded in silicon and "unreadable"? Which is something quite different from your passcode which is normally all that prevents one's data from being decrypted by all this fancy hardware. Unless the passcode retry delay is burned into silicon, part of a processor, it would seem to be software that is patchable.
Based on the various comments here, it appears that this is exactly the case. As in, the secure enclave is a separate computer that has its own software where the delays and the limits are enforced - and this software should be a write-once system (by e.g. destroying the hardware connections that allow for this write).
Is that so?
I know we have this technology against MITM attacks or wiretaps, provided by SSL and the like. Keys can be securely exchanged, all data is encrypted to a level that makes it virtually impossible to break. But when you have direct hardware access to the device in question? That's a whole different ballgame. You then get someone's private SSL key in your hands and you can start to brute force the password - you could rewrite SSL (open source) if needed to do so. Extra protections have to be in place to prevent just that from happening, and that's what this is all about. The protection of the keys against direct access to the very hardware they're stored on.
If the above is true as you say, there's no way to securely do anything on the Internet.
Take e-banking. I control my network until the wall socket, where my ISP takes over. Arguably you can trust your ISP because it's in their interest to have you trust them. The same goes for the network of my bank: I trust them because it's in their interest that I can trust them.
But how about the network(s) in between? I don't know how my local ISP links to my local bank. Same city - could have a direct link, but more likely there's at least one network in the middle. If I connect to a bank overseas there are more networks in between. That's the nature of the Internet.
There is no reason to trust any of those intermediate networks. None. So why do we still bother with https? According to you it's not safe, as there are untrusted networks in between. It'd also be impossible to do any e-banking safely. Yet somehow this is done on a large scale, yet somehow it's https that's seemingly keeping us safe, but according to you that's not the case. Maybe you care to explain more than just say "you're wrong"?
I know, but that's not what we're talking about here.
The person I replied to suggested that the FBI brute-force crack Apple's signature, then apply it to a new iOS version and install that on the phone to be able to crack the password.
That's why I said cracking the encryption directly is probably easier than trying to go the signature route.
Wrong.
Half are below the median; not necessarily half are below average. It may be that more than half are below (or above) average, depending on the distribution.
And if you get nine women together, you can get a baby in one month!
Yes, you can - after a 9-month start-up time.
That may be true if and only if you can find hundreds of people that 1) are willing to work on this project, 2) are very well versed in (breaking) encryption, and 3) know the source tree of iOS inside and out. There may be a couple hundred that fulfil the last criterion; the overlap with the first two will be very small. There is the chance that some of the people that could do it are principled enough to resign from Apple and start to work for one of the competitors (if you have such skills that shouldn't be too hard to do).
If I were to have such skills and if I were to be (in part) responsible for the design and implementation of what is arguably one of the most secure consumer devices in the world, I would take great pride in my work. Being asked to undo such an accomplishment is a really, really big thing. This is an issue that is often enough ignored: the actual people doing the work. Apple may be a company, but a company is made up of people, and if there are no people that are willing and able to perform a certain task, it won't happen, valid court order or not.
Directly brute-forcing the encryption of the data found on the phone is probably about as easy as brute-forcing Apple's signature. So that is, assuming Apple is using a proper cryptographic signature, practically impossible.
a class action against the manufacturer
How do you think (assuming you're in the US) you're going to start a class action against a manufacturer somewhere in China, who may have gone out of business already? Lawsuits are not the fix for your personal responsibility of due diligence when buying toys. These things are currently retailing at prices of (converted) under USD 200 a piece! Far less than I paid for my already cheap smartphone. Batteries, fairly strong motors, electronics - of course corners are being cut to meet such crazy low prices.
UL has a reputation to hold up. I can understand such a situation happening, but I can't understand it to last long. UL will have to come up with very good reasons not to approve of a new material/technology that other well established institutes already approved of. If UL would drag their feet, that'd likely mean first loss of business (safety certificates requested from others) and later bad publicity ("we have to lower quality to get UL certification!") leading to loss of reputation.
Agreed. /. is the only site that I know of with (mostly) working moderation. There may be room for improvement but I have no idea what could/should be improved really. No solution can ever be perfect.
I'm often reading a Dutch newspaper (de Volkskrant) online. Their comments system - where posts are checked by the editorial staff before they go on the site - has no moderation and no threading. It's impossible to read. There are many more like that, no moderation, no threading even.
Maybe you should start reading a little more to get some literary comprehension skills, as nowhere was GP talking about $10/hour wages. Instead, this is what was written:
Starting wages for her position at Yelp are nearly $10/hour over minimum wage
So that's $10/hr ON TOP OF the minimum of $12.35 as posted elsewhere.
By the way, doesn't the US have paid leave, like (almost) all other developed countries?
Absolutely. It took me a while to get used to there being ads above the search results... Very frustrating, so much harder to distinguish commercial from organic results. No problem with the commercial results, I'll even click on them occasionally, but I do like to know beforehand how that result came there.
Call me crazy but Google is one of the few white-listed in ABP.
Their ads are often useful when I'm searching for commercial offerings - when I specifically want to buy something. The regular search results give the product info, the ads give great starting points to buy.
Also they're not intrusive and easy to filter out - though that's getting harder and harder with first the appearance of ads above and below the search results, and now the disappearance of the side bar altogether. Google is at risk here of losing their exception.
After about a month the tax would add up to the full value of that phone, and continue to rise - at $10M a day. That's at least what a $10M daily tax supposedly does.
No, because (especially in current models) a major part of the encryption and related protections against brute forcing a key are ingrained in the hardware. The best a software update could do is approach the iPhone 5 level (the kind of phone the FBI is now so desperate to unlock) of security.
He also describes how those same "prodigies" have big problems finding a job, thanks to such demands.
The comments of those candidates show a total failure of all the intrusions by the NSA with their PRISM project. Supposedly the NSA recorded all meta-data (who talks to whom), yet the main argument of the presidential candidates on having back doors is not "what were they talking about" but "who were they talking to" - exactly the kind of information that PRISM was supposedly recording.
Several candidates mention this specifically. Who were they talking to? Who knew about this? What were the contacts of these criminals? What was their network? All these questions the NSA is supposed to be able to answer, if Snowden's revelations are anything to go by. Now I don't doubt Snowden's claims at all, so this all points to a terrible failure of the NSA to do anything with the massive amount of information on phone calls and e-mail traffic they recorded.
Of course finding out about crimes or terrorist type attacks in the planning stage based on this kind of data may be incredibly hard; figuring out who these people had contact with after the fact should be much easier as at least they now have a very clear starting point.
So if there's one thing these pro-back door arguments point at, it's an epic failure of law enforcement. Not only did these agencies totally overstep their legal and moral boundaries, they did nothing to prevent this attack, and cannot even provide any help or information after the fact. Maybe they should go back to good old policing: keeping personal contacts with the neighbourhoods, keeping good relations with the people, and actually getting useful information directly out of the community the old fashioned way. It'll make lots of people a lot happier (if only because of the increased local security and social situation).
You obviously don't know what you're talking about, at all. At least I admit I don't know HOW fraud is prevented, but I do know THAT IT IS prevented.
Magnetic strips (as indeed used before the contactless cards) are too slow and cumbersome. Way too slow. Now I walk through the gate without stopping, instead of having to stop and fiddle with the card. Instead I just leave it in my wallet and swipe the whole thing (or what others do is swiping a hand bag, or mobile phone pouch, or a watch with built-in Octopus chip, or indeed using a mobile phone's NFC capabilities, but that one is quite new). The 20 or so entry gates at the station I use most (not a particularly busy one) now can only just handle traffic; it'd need several times that number of gates if working with magnetic strips. A transaction now takes some 0.3 seconds, and that's slow enough.
Furthermore, magnetic strips lack write options. The amount charged, transaction time and remaining balance are written back to your Octopus card. The station you get in is stored on the card, including a first class upgrade if you opt for this, so correct payment can be processed when you get out. Bus-bus interchange discounts are based on reading the previous journey. Sometimes they have second journey discounts. All not possible with basic magnetic strips.
Octopus is stored value - which may be linked to a credit card for automatic recharges.
Other possible forms of fraud would be to change the balance on the card (and travel for free) or to create fake cards altogether. None seems to happen.
OP was talking about "contactless payments" in general. That's what I responded to - just to show that it can work, and can work really well and securely.