Slashdot Mirror


User: tom229

tom229's activity in the archive.

Stories: 0 · Comments: 773

Comments · 773

  1. Can I please have an unencrypted phone? on LAPD Hacked An iPhone 5s Before The FBI Hacked San Bernardino Terrorist's iPhone 5c (latimes.com) · · Score: 1

    I think critically, so I own a Samsung and this doesn't apply to me yet - but indications are it soon will. Google has been encrypting their phones by default for a couple generations and are warning OEMs they might require it for Android branding soon. As a society we need to stop the trend towards this nonsense.

    There's nothing on my phone worth encrypting. If there was, I'd encrypt it. However there's lots on my phone that I'd never want to lose. I do backups, but I don't get to it every day, every week, or even every month. I would like the option to be able to emergency recover my data (impossible if it's encrypted) vs. keeping some non-existent nefarious agency from seeing a video of my son take his first steps.

    This is like Levis putting an unbreakable lock on my wallet. If anyone tampers with it, or if I forget the password, the contents are virtually incinerated. I'm either asked to dutifully keep a copy of everything myself, or virtually store a copy of all my personal documents at Levis warehouse - both unfavorable options to simply selling me a wallet without a lock.

  2. Re:How stupid are the editors? on LAPD Hacked An iPhone 5s Before The FBI Hacked San Bernardino Terrorist's iPhone 5c (latimes.com) · · Score: 0

    So iPhones were easy to break into all the way back in those dark ages 18 months ago, but are completely secure now? Got it. How's that koolaid taste anyways?

  3. Re:Michael Jace was several years ago. on LAPD Hacked An iPhone 5s Before The FBI Hacked San Bernardino Terrorist's iPhone 5c (latimes.com) · · Score: 1

    but short of a screw-up on Apple's side, the practical options for bypassing the lock screen via a hack are getting more and more limited.

    There's no way you can know that and it's just historically untrue. This is a complex proprietary system, so it's already less secure than mature industry standards. Also, this system relies on an obfuscated process to allow the user to encrypt data with a weak pin. So you have fundamentally weak security (pin code), on an unproven closed system, relying on security through obscurity principles - I would not assume an iPhone is ever more secure than any volume secured with simple software encryption and a good password. In fact, if Apple really wanted you to secure your device they'd let you disable all their binary garbage, install dm-crypt, and do it yourself. Apple has never been about choice, or user safety though. Hint: forced encryption incentivises cloud backups.

  4. The biggest issue is people modding with one account and posting with another - a real scumbag move. It goes something like this:

    - Disagree with something
    - Mod down, even though "-1 Disagree" isn't an option
    - Sign in with second account to post highly emotional response that derails the conversation
    - Sign back in with first account to mod yourself up.

    There is nothing to detect or stop this type of scumbaggery it seems. This is compounded by the default filters hiding anything under 1 or 2 (can't remember exactly).

  5. If you don't bow at the feet of Apple in that FBI case you don't have much of a chance either.

  6. The Microsoft strategy on Windows 10 Updates Are Now Ruining Pro-Gaming Streams (theguardian.com) · · Score: 1

    "Hey this thing's working really well and making us tons of money."

    "Ya, but you need something to do this month."

    "Ok, we'll completely design it."

    "That's the spirit, promote this man."

    This can be applied to Google, Apple, et al. Microsoft is just extraordinarily bad at it.

  7. Re:"Huge" isn't what I'd say on Ted Cruz Drops Out Of The Republican Presidential Race (washingtonpost.com) · · Score: 1

    Considering that the front runners were Cruz and Trump while Kasich et al. barely managed to grab up a few crumbs, I would say the crazy/racist/xenophobic outnumber the rational by a very large margin. Furthermore, splitting the right only weakens it. What the USA really needs is election reform.

  8. Glenn Beck perhaps? That reminds me, I've gotta turn on the radio and hear exactly how butthurt he is this morning. I'm sure the world is coming to an end.

  9. Suggest on Study Suggests Free Will Is An Illusion (iflscience.com) · · Score: 1

    At least these "studies" are now using words appropriate to the level of science being done: "Suggests".

  10. Re:91% makes it an election issue on WhatsApp Blocked in Brazil for 72 Hours Over Data Dispute (techcrunch.com) · · Score: 1

    The judge can attack encryption all he likes, it's math. Why he's having an effect is because people use encryption through a centralized source that is controllable. In my rant I mentioned XMPP. XMPP works like email, except better. You think a government would have any luck shutting off email? Perhaps he could force ISPs to close SMTP ports? XMPP allows you to define custom ports in SRV records so that doesn't apply. It's literally impossible to shut off (quickly anyways) without shutting off the entire internet. We don't need to centralize everything in big companies to communicate effectively, to have secure devices, or to have things that work conveniently. We think we do, because we're told that. And ultimately it becomes true, because we don't care enough to make it otherwise.

  11. Wow, does this summary have an axe to grind or what? It's probably because there's not enough women working for him. And they make less. Fuck I hate this new breed of editorial journalism. RIP free media.

  12. Re:91% makes it an election issue on WhatsApp Blocked in Brazil for 72 Hours Over Data Dispute (techcrunch.com) · · Score: 2

    Naturally, you're attacking the tail of the snake while the head devours you from the legs up. Your post being moderated 5: Insightful is evidence of how common this mistake is. The core problem, of course, is centralizing communication through WhatsApp (a.k.a. Facebook). Any consequence of that should be the natural expectation of highly centralized communication services. When you put all your eggs in one basket, and trust that basket to someone else, it's just a matter of time before they drop it. Nobody did this to Brazil, but the free market decision making of the Brazilian population. There are plenty of open communication standards like XMPP they could have chosen.

    Of course every country in the world makes these same mistakes. Look in your pocket for proof. We choose walled gardens, centralized social media platforms, and telecom oligopolies. We naively assume for-profit companies are the good guys because they say so in their TV commercials. It's commonplace to allow a company like Apple to encrypt your data by default, and then expect you to use their cloud services to make sure you don't lose it because of that. This is widely championed as a good thing - as a victory of a free society - that consolidating your data and IT needs into the walled garden of a for-profit company is somehow better than the minuscule chance of a government agency ever looking at it. So the house of cards is starting to come crashing down and you're looking for someone to blame? Try a mirror. Not you specifically of course, but everyone.

  13. Stupid people make stupid judges on WhatsApp Blocked in Brazil for 72 Hours Over Data Dispute (techcrunch.com) · · Score: 1

    So... A judge blocked the use of a service because they can't do the impossible and reverse overwhelmingly complex math algorithms? Sounds like a brilliant judge. When I read this article I don't see a problem with stupid judges though (that's to be assumed), I see a problem with a population using a centralized communication source. Why the world keeps choosing this model for communication I don't understand. We have decentralised open standards like XMPP and PGP encryption. I suppose that stuff is hard to monetize though, and armchair activists find real solutions to simple problems too boring to get behind. Ah fuck it, where's my Guy Fawkes mask?

  14. Re:True but irrelevant on Without Encryption, Everything Stops, Says Snowden (thehill.com) · · Score: 1

    What are you talking about? The technical impossibility of having a master key for all encrypted data aside, where is this paranoia coming from? I can only assume from the hyperbole surrounding the recently proposed Compliance with Court Orders Act. I've linked it so you can actually read it. It's not long. You'll quickly notice there's nothing in there explicitly defining the type of thing you're talking about. Some people are concerned with some of the language being used and what it may imply, but this is why bills have drafts.

    I really fear for a generation that reads highly opinionated editorials (the only type of "news" that exists anymore) and takes it as fact without verifying anything.

  15. This is getting out of control on Without Encryption, Everything Stops, Says Snowden (thehill.com) · · Score: 1

    While he may be right with regards to things that are actually important, I'm really tired of being told that the video of my son taking his first steps needs to be encrypted. I would much rather have the ability to externally mount and recover my data than prevent some shadowy organisation from seeing it. All of these software companies are gleefully encrypting everything on my device, not because they give a shit, but because it's an extra reason for me to use their cloud backup services.

    It's like putting an indestructible padlock on your wallet. If you ever forgot the code the entire contents of your wallet are lost forever. To solve this, your wallet manufacturer (let's say Levis) agrees to hold a copy of all of your important information at their warehouse! All this so some mystical nosy neighbor can't see pictures of my kids.

    Encryption has been around for decades and there's a simple reason it has never been on by default: in 99.99999% of cases it causes problems and doesn't really solve any. So please world, start pressuring manufacturers to stop turning this on by default. They aren't helping you like you think.

  16. The hardware encryption key only forces you to brute force the password on the actual device. Nothing about the actual circuitry prevents you from making too many decryption attempts too quickly (other than physical limitations of the circuitry of about 80ms per iteration). The brute force security measures were part of iOS on older devices, but are implemented on the "Secure Enclave" firmware in newer ones. This firmware is rewritable memory in the interest of applying software updates for security fixes. It's therefore a requirement that this firmware is secured with a "Secure Boot" bootloader (just like the main SOC) which contains Apple's public key. That is why they are so worried about a legal precedent for writing custom signed software/firmware even if it is done in a secure Cupertino lab and only works on one device. It brings to light the fact that their security measures surrounding the availability of weak passcodes to encrypt data fundamentally centralize security to their software signing key. This means the millions of dollars likely spent on this system are wasted when there is no inherent benefit over using simple software encryption available off the shelf. If they are able to avoid the legal precedent of writing custom software for the government you still can't really feel secured. The ability then just uniquely resides with them, which means your data is only ever as secure as Apple's intentions.

    So, use strong passwords, even though Apple devices let you use weak ones.

  17. When has human extinction ever seemed unlikely? It wouldn't take much more than what causes other species to go extinct. Climate change, over consumption of resources, or a major disruption in our source of food. We can even add something no animal is capable of doing to itself: nuclear holocaust. We're not as wonderful as we think we are sometimes.

  18. People using fingerprints for passwords are deliberately making their machines less secure.

    It depends. Traditionally I'd say you're right, but with phones, maybe not. Strong passwords are very hard to use with phones. When you encrypt data on an Android phone it demands an alphanumeric password because data encrypted with a numeric pin code might as well not be at all. So, for a business, for example, biometrics are a really good option to encrypt data while not inconveniencing your users too much.

    This should even be your preferred option on iPhones. As we now know, Apple's security relies on a central source (Apple's signing key) to protect encrypted data with a weak pin code. This means all data secured with a pin code has its security centralized in Cupertino, and is breakable by them and anyone they choose (or are forced) to cooperate with. It also relies on trust that they are properly securing their key, and their underlying proprietary system. Android is at least using mature open standards, so your data can be better assumed to be strongly encrypted with a good password (or fingerprint).

    So when it comes to encryption with weak passwords, biometrics is certainly better. Strong passwords, probably not. But no matter what you use, it's always circumventable with a hammer to the knees.

  19. Re:You've been warned: biometrics might not be sec on The Government Wants Your Fingerprint To Unlock Phones (dailygazette.com) · · Score: 1

    So, then wouldn't Apple's software signing key be technically obtainable through a warrant? Clearly it would, but I don't think you'd find a judge willing to sacrifice the security of everyone with an iPhone for any cause. Despite the hysteria that they are all corrupt despots.

  20. Re:Convenient on Apple Has First Earnings Decline In More Than A Decade (go.com) · · Score: 1

    I'll be happy to consider any evidence or reasoned argument you have for that claim. You know, those things I've supplied that you're wilfully ignoring? Hyperbole and conjecture won't work here.

  21. It's so hard to sift through the hyperbole, but all I can see from the actual language of the bill is:

    Covered entities are responsible only for the information or data that they (or another party on their behalf) have made unintelligible.
    The government cannot require or prohibit any specific design or operating system for any covered entity to use in complying with a court order.

    Which means, that if you take a centralized, proprietary, approach to user security, that you are able to circumvent by design, you have to comply with court orders to do the same thing you have the power to do. This would be a huge problem if companies were required to centralize and weaken security, but the bill then explicitly states that government can't tell you how to design or secure your products.

    So centralize your security with your master signing key, like Apple, and expect to share that power with the government. Decentralizing your security with open standards, like Android and Linux, remains legal, and there's nothing anyone can, or could ever do, anyways. This is completely reasonable and responsible. If companies are going to build backdoors into their encryption, either purposefully or by poor design, then society needs to have a check on that power. So, why all the hyperbole about the government requiring permanent backdoors? That's clearly not what this is.

  22. Re:This is a problem, why? on In Internet Age, Pirate Radio Arises As Surprising Challenge (ap.org) · · Score: 1

    I think you're fearmongering a bit. How exactly does shrinking the size and responsibility of government, with regard to social programs and the like, devolve into a civil war with an ultimate dictatorship? I think you're ex... Wait...

    This is one reason I am an anarchist.

    Never mind. I get it now. Jeez, this generation's basement dwellers wake up early.

  23. Re:Convenient on Apple Has First Earnings Decline In More Than A Decade (go.com) · · Score: 1

    My original point was that it all seems rather convenient Apple would create an unnecessary controversy in a year with declining sales.

    You shifted the argument with an assertion that Android encryption/security was worse. I spent several paragraphs explaining to you why it was actually better, none of which you read, by your own omission. I provided publicly available Apple documentation to you, twice, to show you that Apple user data has been either weakly encrypted, or not encrypted at all, until 2015. In fact, if your phone is running anything older than iOS 8 even today you're still vulnerable. Android has had encryption since 2.3 (2010) via the mature industry standard implementation of dm-crypt in the Linux kernel. I spent a couple paragraphs explaining to you why dm-crypt was better than Apple's proprietary solution, I'd encourage you to go back and read it.

    So my "point" hasn't changed, but what exactly is yours?

  24. What happens when you try to do anything by committee.

  25. I'm not talking about blindly trusting anyone. In fact, what I'm talking about is not blindly doing anything. Be careful you don't get so angry and distrustful you end up on the opposite, but still other, side of right.