Slashdot Mirror


User: ooloorie

ooloorie's activity in the archive.

Stories
0
Comments
5,136
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 5,136

  1. Re:iPhone 7 will use SE to authorize any OS update on Apple's iPhone Already Has a Backdoor · · Score: 1

    Correct. And what that means is that the security of the iPhone 7 PIN code is not due to the fact that "it uses SE to authorize any OS update". The authorization of firmware updates seems to be working even on the iPhone 5c, otherwise the FBI wouldn't be asking Apple for signing the udpated firmware. Security of short PINs relies on verifying the PIN in a secure enclave, nothing more. Signing OS upgrades is something Apple does because they are control freaks, not because it is necessary for making the cryptosystem work. That is, the reference to "OS updates" in the title is spurious and irrelevant.

  2. fast encoding? on Multimedia Powerhouse FFmpeg Hits 3.0 · · Score: 2, Interesting

    How fast can ffmpeg do encoding on modern hardware? Is there functional GPU support to get high compression rates in real time?

  3. If you disagree with the FDA because you don't agree with the science, I'm calling you irrational

    There is no “the science“. There are scientific beliefs one can personally verify. Everything else is merely based on hearsay and trust. Among the things I have personally verified, the FDA gets many things right and some wrong. The set of things you have verified and you merely assume are try based on hearsay are different for you than they are for me, and unless you have a background in statistics, you almost certainly hold more false beliefs about FDA matters than I do. Still, if you act according to your beliefs and I act according to mine, we both act rationally, even if we act differently and even if each of us acts based on some erroneous beliefs.

  4. Re:precedent for what? on Bill Gates Sides With FBI In Apple Spat (ft.com) · · Score: 1

    Yes it is the same. Glad you realize it.

  5. Re:iPhone 7 will use SE to authorize any OS update on Apple's iPhone Already Has a Backdoor · · Score: 1

    That's nice. My point remains: restricting firmware updates is neither necessary not sufficient to secure a phone; it is in fact irrelevant. If Apple added other features to make their phones secure, all the better

  6. Re:How does this work with safes? on Bill Gates Sides With FBI In Apple Spat (ft.com) · · Score: 1

    I think a better analogy is that of someone who holds a piece of evidence in a criminal case but refuses to disclose where it is, telling the FBI to go search for it themselves. https://en.wikipedia.org/wiki/...

  7. Re:The irony on German Police Allowed To Use Its Own "Federal Trojan" (helpnetsecurity.com) · · Score: 1

    Really? You're saying that European governments have a right to invade anybody's privacy to prevent them from committing a crime? Care to provide some citations to back up your interesting legal theory?

  8. precedent for what? on Bill Gates Sides With FBI In Apple Spat (ft.com) · · Score: 1

    He states that it is for this specific case, but seems to miss the point that there are other law enforcement officials waiting on the wings with their requests should this precedent be set.

    The only real protection against such government intrusions is technological, not some wimpy legal precedent. Since the iPhone 5c apparently can be unlocked after the fact with the help of Apple, it is not secure. That problem isn't going to get fixed by legal posturing, it's only going to get fixed by fixing the phone hardware and software.

  9. Half of Americans vote Republican too. It is sad when the liberal socialists are for more freedoms, than so called don't tread on me conservatives.

    In what way are "the liberal socialists for more freedoms"? The FBI requested the court order in the first place, and the FBI is part of the executive branch, under the Democratic president.

    In addition, under the Pew poll, the percentage of people who say "should unlock" is pretty much the same under Republicans and Democrats (56% vs. 55%); both parties stand for big, intrusive government. A pox on both your houses.

  10. Re:Good thing this isn't a democracy on More Than Half of Americans Think Apple Should Comply With FBI, Finds Pew Survey (theverge.com) · · Score: 1

    A funny thing about a republic is that no one can vote away another person's rights. Let's say we do live in a true democracy. I get enough people to agree with me on something, like perhaps that people that take welfare should not get to vote.

    I agree with the principle you are expressing, namely that in a free society, majorities shouldn't be able to deprive minorities of their rights. But much as some people like to use a distinction between the terms "republic" and "democracy" to capture the distinction between majority rule and a free society, those terms are just no good for expressing that distinction: there are plenty of "republics" in the world that not only let this happen in practice, they even enshrine such principles in their constitutions. Both "republic" and "democracy" really just mean that political power is wielded by the people in some way, and it can refer to anything from oppressive majoritarianism to a minarchy.

    The name for what you are trying to express used to be "liberal" and "enlightened", namely the idea that the job of government is to guarantee negative rights and nothing more. But the term "liberal" has gotten corrupted and now is synonymous with "social liberalism" or "ordoliberalism" (which really aren't "liberalism" at all). True liberalism requires that people are willing to live with the consequences of their choices if necessary, and that's something many voters can't stomach. Nowadays, the political view of government that you're taking is called "classically liberal" or (in the US) "libertarian". Social liberalism and ordoliberalism relate to classical liberalism like "real imitated wood" relates to "real wood".

  11. Apple is fighting a battle not worth fighting here, because what they are fighting over is FBI access to a badly designed device. That is, Apple is refusing to help even though technically it is possible, and it is technically possible because the iPhone 5c already effectively has a backdoor. What Apple should have done is quietly complied with the FBI request (they have done it before anyway based on other ways of accessing phone content), while at the same time making future phones actually secure against this kind of hacking, which is not hard to do.

    Why would that be a better thing to do? Because the house was just considering a bill banning state-mandated back doors into phones. By having this debate now, over a device with badly designed security that was used in a horrific crime, Apple is risking the failure of such bans and the possibility that state-level bans on encryption are simply allowed to stand.

  12. Re:So the vulnerability is the updating mechanism? on Apple's iPhone Already Has a Backdoor · · Score: 1

    The gist is that iPhone's "Secure credential storage" firmware is part of the regular firmware, and can be updated without authentication.

    Every iPhone with a SIM card has secure credential storage inside the SIM card. Furthermore, modern iPhones (I don't know about the 5c) have some form of cryptographic chip that attempts to store some key securely. So, the hardware seems to be there. The question is why Apple isn't using it.

    I'm not sure what you're talking about for the second part. The changes the FBI is asking for are pretty simple. Disable the auto wipe after 10 bad attempts, and remove the delay between password retries. With both of those removed brute forcing the password is easy.

    The way this should work on a system without cryptographic hardware is that the system keeps a key ring of encryption keys, but those encryption keys are themselves encrypted with a long and secure pass phrase. After you boot your system, you need to enter the pass phrase to decrypt the encryption keys into volatile memory. After that, when you enter your PIN (or use the fingerprint reader or whatever), the system uses the decrypted encryption keys to actually decrypt data for you. But the decrypted keys should be erased from memory after a time limit, when the case is opened, after too many unlock attempts, on reboot, or before an OS update (signed or not). That way, "brute forcing" the PIN simply doesn't help. Again, this is what you would do on a system without any secure hardware. It's less secure than actually having secure hardware, but it would still prevent most attacks.

    The BIG IMPORTANT PART is the new firmware requires Apple to sign it to run.

    Signed firmware is a pointless security measure.

    I suspect Apple engineers roughly thought like you did, tried to secure the iPhone 5c with "signed OS upgrades", and therefore got into this pickle, instead of actually doing the right thing.

  13. Here is a nice example of what I complained about yesterday: people that like to push irrelevant facts like their gender, sexuality, skin color, political leaning etc. into things where it ISN*T BLOODY RELEVANT!

    It is quite relevant, in that it explains my strong desire for living there, in the same way that Tania Jane explained that she wanted to live in the Bay Area because of her father.

    I think your brain doesn't work very well - perhaps that why you can't afford to live in SF.

    Actually, I was simply responding in the tone of the poster I was responding to, hence the quotes around "asshole".

    See I can insult people too! The difference is that my insult actually may be relevant...

    I'm afraid your insults are merely spurious and irrelevant, based on your inability to follow a simple conversation.

  14. Re:iPhone 7 will use SE to authorize any OS update on Apple's iPhone Already Has a Backdoor · · Score: 1

    Making phones immune to firmware upgrades is probably not sufficient, since a determined attacker can still load software into RAM and then boot into that. It's also not necessary to prevent the proposed FBI attack. (It's still a good idea for many other reasons.)

  15. Re:Android on Apple's iPhone Already Has a Backdoor · · Score: 1
    Your phone backups on Android are encrypted with your Google password AFAIK, so that's not a "backdoor".

    Based on the press releases surrounding the San Bernadino iPhone, the same does not appear to be the case with the iPhone backups Apple "scoops up".

  16. Re:Android on Apple's iPhone Already Has a Backdoor · · Score: 1

    I would like to have the same analysis about the state of Andriod. Can it be made secure against such backdoors?

    Android software provides APIs for storing encryption keys in secure hardware. However, whether the secure hardware storage your phone uses is actually secure depends on the manufacturer, how they implement the hardware and what kinds of modifications they have made to the software.

    Android also provides hooks for external security devices. And you can use the SIM card for storing encryption keys; see this open source project. So, it seems likely that you can create an app on top of Android that secures Android phones against the kind of hack the FBI is proposing.

  17. Re:So the vulnerability is the updating mechanism? on Apple's iPhone Already Has a Backdoor · · Score: 1

    Literally EVERY OS has this concern.

    Secure credential storage doesn't have this concern because its firmware can't be updated (at least not without first successfully authenticating). iPhones have secure credential storage, both inside their cryptographic processor and inside their SIM cards. So it is hard to understand why iPhones have this vulnerability at all. It's either a big screw-up or deliberate.

    Even without secure credential storage hardware, you can still make PIN numbers reasonably secure against OS upgrades by requiring a full password to decrypt the cryptographic keys inside the credential storage before giving the user PIN-based access for a limited time only. This would also prevent the hack the FBI wants, so even if there was no special hardware on the device, it is still hard to understand how the FBI hack is even possible in principle.

  18. yes, and it's hard to understand why it's there on Apple's iPhone Already Has a Backdoor · · Score: -1
    The fact that Apple is even having this conversation shows that their phones are inherently not secure. It is easy to prevent the kind of attack the FBI is trying to make on the iPhone 5c. Apple's only response to the FBI letter should have been something like: "Our iPhone 5c has a potential security exploit that hasn't been a big concern in the past (since it requires detailed insider knowledge to exploit). However, in future iPhones, we will ensure that this exploit is eliminated so that user data is intrinsically secure against all hacking attempts, even from people with full access to Apple source code." This wouldn't be hard to do.

    The way pin numbers and encryption are supposed to work together is that the encryption key itself is a long (256 bit in the case of the iPhone) key stored in a secure piece of hardware, and that hardware allows only a limited number of pin number attempts before erasing the encryption key. The restriction on the number of attempts needs to be implemented in the secure hardware itself. The only way to circumvent that restriction should be to tamper with the chip hardware itself; no firmware upgrade or circuit probing should be able to get at it. If you get a maximum at 10 attempts to get a 4 digit pin code, your risk of having your phone unlocked is about 1:1000; for a 6 digit pin code it's 1:100000.

    Generally, the hardware that checks the pins and stores the encryption keys is a special, tamper-resistant embedded processor, and there are plenty of those on the market. Most mobile phones have such a special embedded and tamper resistant processor in their SIM card (meaning, they are mass produced, cheap, and widely available), but they also come inside crypto chips and other hardware. iPhones, I believe, have a special tamper-resistant crypto chip that could easily implement this kind of behavior securely, at no extra cost.

    It is hard to understand why Apple phones still have the vulnerability that lets the FBI even make the demands that they are making. Either Apple engineers screwed up big time, or the vulnerability is there deliberately.

    (The "we could have recovered this data from backups if the FBI hadn't changed the password" suggests that there is another serious vulnerability in Apple's software ecosystem somewhere; backups should require the full user password to decrypt, and the user password itself should never be stored by Apple.)

  19. I'm irrational if I can't come up with good arguments to support my attitudes. [...] As I said, the FDA seems to work on good science, so unless I'm wrong there (which is possible; I'm ignorant across a vast array of fields of knowledge), opposition on that basis is irrational.

    Your mistake there is that you assume that rationality is something that is objectively and universally true. But what is a rational decision for the FDA and what is a rational decision for me are two very different things, even if both the FDA and I employ entirely valid logical reasoning in reaching our conclusions. The rationality of a decision depends both on your state of knowledge and on your objectives, not just on the validity of your reasoning. And the FDA has both different objectives from individuals, and it knows a lot less about individuals than they themselves know about themselves.

    For the record, I lean libertarian on things like victimless crimes and laws designed to prevent people from doing things that may be stupid but will only harm themselves.

    Based on what you have written, I don't consider you a libertarian.

  20. Re: how is that relevant? on Alleged Kalamazoo Shooter Picked Up Uber Fares During, After Killing Spree · · Score: 1
    More generally, you tried to give doctors as an example of self-policing within a profession, but doctors are, if anything, a counterexample. Medical errors are widespread and so is a reluctance on the part of other doctors to come forward and criticize or testify against their colleagues. That's also why malpractice insurance is such a big deal in the medical system. A large percentage of patients get sick in hospital, either due to hospital acquired infections, incorrect treatments, or other medical errors. We are talking millions of cases a year. Wake up and stop being such a fool.

    That doesn't mean one should condemn the entire medical profession or not go to the doctor. What it means is that one shouldn't trust doctors just for being doctors. Doctors frequently make mistakes, and they are frequently shielded from accountability because other doctors don't want to rock the boat.

  21. Re: how is that relevant? on Alleged Kalamazoo Shooter Picked Up Uber Fares During, After Killing Spree · · Score: 1

    Acting on a doctor's diagnosis is the same as trusting them.

    For anything important, I usually see several doctors. Guess what: they frequently disagree with one another, both on the diagnosis and on the treatments.

    Unless you are trying to make the case that Googling gives you as much medical expertise as he/she has.

    You didn't ask me whether you should trust your doctors; you seem to be enough of a fool that you don't have a choice. You asked me whether I trust my doctors, and I told you: I don't.

  22. Re: how is that relevant? on Alleged Kalamazoo Shooter Picked Up Uber Fares During, After Killing Spree · · Score: 1

    I listen to my doctor and take his advice into consideration, but only a fool would trust his doctor.

  23. Re:how is that relevant? on Alleged Kalamazoo Shooter Picked Up Uber Fares During, After Killing Spree · · Score: 1

    Because someone who is a psychotic killer is far less likely to engage in a profession where they know who you are, and have all kinds of information on you including fingerprints.

    You're confusing a "psychotic killer" with a "rational individual". So stop being delusional and making things up like "far less likely".

  24. Re: how is that relevant? on Alleged Kalamazoo Shooter Picked Up Uber Fares During, After Killing Spree · · Score: 2

    When people of a single profession hang out together, they usually collude to screw their customers and protect themselves from prosecution. You see that with police, stock brokers, doctors (malpractice), lawyers (lobbying and regulation), publishers and authors (copyright lobbying), etc. It's a recipe for collusion and coverups. Destroying such collusion and replacing it with public reviews and statistics is a good thing.

  25. If you get out of college with no marketable skills, you did it wrong.

    Yes, that's the point: she is doing a lot of things wrong, yet she still expects a better lifestyle than people who are making far better choices than her.