Slashdot Mirror


User: ooloorie

ooloorie's activity in the archive.

Stories
0
Comments
5,136
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 5,136

  1. Re: Finally the debate is here on Why Are Apple's Competitors Staying Silent On the iPhone Unlocking Fight? · · Score: 2

    It isn't in the UK otherwise David Cameron wouldn't be demanding that US companies weaken their encryption and threatening them with new laws if they don't comply.

    Think about what you're saying there. US companies have strong encryption, both in the US and the UK. And it is the UK government that demands that the US companies weaken their encryption for the UK market. What does that tell you?

    but people still have plenty of rights and the state has to justify any violation of those rights in court.

    No, that is false. European legal systems have huge exemptions from the need to justify searches and surveillance for national security and other kinds of situations. That's why the NSA activities in the US were a scandal, while the equivalent activities by European intelligence agencies against their own citizens were not. European governments tried to distract people from that basic fact by getting people all riled up about the NSA spying on Europeans as well, but that is actually the NSA's job, and that too was done in collaboration with European intelligence agencies.

  2. Re: Really? on Why Are Apple's Competitors Staying Silent On the iPhone Unlocking Fight? · · Score: 1

    Whether Apple "wins" this fight or not is completely irrelevant to privacy or security. The only way to make sure that your data is secure is to make the technology secure, not to fight governments or subpoenas. That means that phone backups need to be encrypted with a pass phrase and biometric identifiers (including pins and pass codes) cannot be used as keys and need to be verified by a secure subsystem before performing decryption. Furthermore, in order to be sure that this works as advertised, it needs to be verifiable by users somehow.

  3. Re: Finally the debate is here on Why Are Apple's Competitors Staying Silent On the iPhone Unlocking Fight? · · Score: 1

    US government agencies are no more and no less trustworthy than those in other countries. The difference is that in the US, spying on citizens is actually illegal; the only way to search someone should be by court order. The reason you don't hear about such problems in Europe is because what the NSA did is by and large legal already in Europe in the first place.

  4. they probably don't have this problem on Why Are Apple's Competitors Staying Silent On the iPhone Unlocking Fight? · · Score: 1
    Based on what has come out over the last few days, it seems like there are two ways the FBI can access information on an iPhone: from the backups on Apple's servers and by disabling the limit on the number of passcode attempts in its OS without requiring the user to unlock it first. It's because of those two weaknesses that the FBI can order Apple to help them access information on a phone.

    What's the situtaion with other phones? Hardware manufacturers don't handle Android backups, Google does. And Google seems to encrypt them. And in general, it doesn't seem to be possible to push phone software updates to Android phones without rebooting them, at which point a full pass code is required (of course, if you pick a weak one, that's your problem). In addition, any weakness would be specific to one manufacturer, not to all phones.

    I think Apple's biggest problem is that they are a single, juicy target: compromise iOS and you have compromised half the phone and tablet users in the country. So, even if other manufacturers have similar weaknesses, they all require separate efforts to subvert, making life a lot tougher for people trying to invade our privacy.

  5. Re:network neutrality? on Mobile Giant Three Group To Block Online Advertising (thestack.com) · · Score: 1

    Net neutrality is about point to point neutrality, not about the third parties injecting unwanted content along the way that cuts into their bandwidth allowance.

    You make it sound like some third party injects its ads against everybody's will, but that's bullshit. The ads are there because the content providers (newspapers, gaming companies, etc.) put them there in order to get a revenue stream. The ads pay for the content, in lieu of actual money.

    They are delivering exactly the content that the users want, and delivering all of that content without prioritizing it.

    How do you know the users don't want the ads? I mean, they may or may not want the ads per se, but they probably want the content that the ads pay for. And if they don't want the ads, they shouldn't consume the content either.

    the advertisiers should PAY for that privilege, the same as they do for print media ads

    The advertisers do pay for that privilege, namely to the content providers that allow those ads on their web pages. The content providers then use that money to pay for their costs while delivering free content to you.

  6. Re:Apple - standing alone on DoJ Says Apple's Posture on iPhone Unlocking Is Just Marketing (reuters.com) · · Score: 1

    If Apple develops an unlock tool for this specific case, what prevents it from being used for every legal case in the future?

    My point is: such a tool should be impossible to develop in principle. The fact that such a tool can be written and Apple simply refuses to write it tells you that there must be some security flaw somewhere in iOS, at least on the phone model in question.

    I like the idea that no one — not even the government — can browse through the encrypted data on my iPhone.

    Me too. Which is why I think it is worth pointing out that iOS seems to have an intrinsic security flaw, and that the only thing standing between you and the government is Apple's lack of cooperation with the government. I guarantee you, that won't last.

  7. Re:Apple - standing alone on DoJ Says Apple's Posture on iPhone Unlocking Is Just Marketing (reuters.com) · · Score: 1

    There's no cryptographic way to secure a 4 digit passcode, or a 6 digit passcode. It's physically impossible.

    Look, you don't seem to understand how these systems work. The 4 digit passcode isn't the cryptographic key, it's something that the user can use to identify himself to the phone a limited number of times. The cryptographic key is some long random string that the user likely never sees.

    So don't talk shit about their crypto if their crypto isn't even up for debate. This is about a software workaround possible on an older model to brute force requests into the hardware that is expected to defend a 4 digit passcode against repeated attempts. The crypto isn't even in the conversation.

    Key management is an essential part of a cryptosystem. In this case, the key is managed via a passcode, and the passcode-based key management is apparently vulnerable to attack. That makes the entire cryptosystem vulnerable.

    Really, you are repeatedly stating the obvious and then arbitrarily (in your own personal definition of terms) excluding key management from the components of a secure cryptosystem.

    What this comes down to is that iOS cryptography is vulnerable because their key management appears to be vulnerable. That's something people should realize, and it's something that Apple can and should fix.

  8. Re:Apple - standing alone on DoJ Says Apple's Posture on iPhone Unlocking Is Just Marketing (reuters.com) · · Score: 1

    Again, the current system is secure if you trust the math only by using a crypto secure passphrase. If you don't, you MUST be trusting the hardware or software to guard against the brute force- really the wimp force, because 10k trials is nothing.

    That is correct. And I'm pointing out that you cannot trust the Apple hardware/software combination. It is fairly easy to design a phone like the iPhone that uses short unlock codes yet still is cryptographically secure with high probability (1:1000 with ten trials and a 4 digit code before the short key fails), but Apple doesn't seem to have designed such a system.

  9. Re:something fishy about iOS encryption on DoJ Says Apple's Posture on iPhone Unlocking Is Just Marketing (reuters.com) · · Score: 2

    Yes, Schneier's article is essentially correct as far as it goes. He believes that the problem with the iPhone is a lack of code signing. But there is a more fundamental problem. Normally, Apple seems to require a password for updating the phone software. But it appears that Apple has ways of altering the phone software of a locked, encrypted phone even without unlocking it first, otherwise the FBI demand would make no sense in regards to the San Bernadino phone. That means that there must be an existing, gaping security hole in iOS. Code signing would fix this problem either, since the FBI could always order Apple to sign a software update.

  10. Re:something fishy about iOS encryption on DoJ Says Apple's Posture on iPhone Unlocking Is Just Marketing (reuters.com) · · Score: 1

    The FBI request won't work however for one glaring reason: You can't update a locked device without unlocking it because THE DEVICE REJECTS THE UPDATE REQUEST. Apple designed it that way, intentionally.

    You are missing the point. That is what a properly designed system ought to do. But if this were true, there would be no dispute between Apple and the FBI: in response to the FBI's demand to unlock the San Bernadino phone, Apple could simply say "it is impossible to do that" and that would be the end of it. The FBI might try to exert political pressure on Apple to change their operating system to make unlocking future phones easier, but the legal issues would be instantly over.

    The fact that the FBI and Apple are still talking about the San Bernadino phone, and the fact that Tim Cook is vague on this point leads to the conclusion that Apple can do it, that Apple must have a backdoor for pushing updates even without unlocking it.

  11. Re:Apple - standing alone on DoJ Says Apple's Posture on iPhone Unlocking Is Just Marketing (reuters.com) · · Score: 3, Insightful

    What the FBI wants is for Apple to develop a hacked version of iOS that can be loaded onto the phone and allow external inputs to try different user unlock PINs as well as get rid of both the 10-attempts limit as well as the time-between-tries limit.

    Yes, that is probably what the FBI wants. My point is that if Apple can push such a software update to an existing phone without the user unlocking the device first, then iOS cryptography is broken already. And that is likely the case, because if Apple couldn't push such an update to an existing phone without unlocking it first, then it would make no sense for the court to try to force them to develop such an update, since the court can only order Apple to develop such a tool for a specific case, not for future cases that aren't before the court yet.

  12. Re:Apple - standing alone on DoJ Says Apple's Posture on iPhone Unlocking Is Just Marketing (reuters.com) · · Score: 4, Insightful

    That's not the deal at all. Apple can't decrypt it. The FBI wants them to remove the safety measure where the phone will discard the encryption key altogether after 10 failed attempts at guessing the passcode.

    Yes, that is likely what this is about (see my other posting). And if they can push a software update with this safety feature to an existing phone without the user unlocking it first, then Apple's software is not secure. That's exactly my point.

    That is, Apple is right that such an update would make future iOS devices much less secure, but what this whole spat reveals is that the current system is already not secure precisely because governments can make demands like the US government is making. That is, the fact that we're even having this debate is due to a bad implementation of cryptography on Apple iOS.

  13. Re:Apple - standing alone on DoJ Says Apple's Posture on iPhone Unlocking Is Just Marketing (reuters.com) · · Score: 4, Informative

    That's the FBI's position. Apple says it can't be done.

    That simply isn't true. Apple is facing a specific order to decrypt a specific iPhone in a specific legal case. If this can't be done, there is nothing for Apple to fight, because the court order only applies to this phone. The fact that Apple is fighting this order and is saying that they are refusing to develop an unlock tool implies that they believe it can be done but are simply refusing to do it.

  14. Re:Apple - standing alone on DoJ Says Apple's Posture on iPhone Unlocking Is Just Marketing (reuters.com) · · Score: -1, Redundant

    Assume that every other hardware manufacturer that is NOT getting threatened by the Federal Government has already rolled over.

    Another explanation is that their encryption actually works properly, while Apple's doesn't. The fact that Apple can somehow push software onto an existing iPhone that allows the federal government to decrypt the data on that phone without the key seems like a fundamental flaw in iOS. Any manufacturer that implements encryption properly can simply say "there is no way we can access the data on that phone, no matter what software we write" and the discussion ends right there.

  15. something fishy about iOS encryption on DoJ Says Apple's Posture on iPhone Unlocking Is Just Marketing (reuters.com) · · Score: 1
    It's one thing for the government to talk to Apple about mandating encryption backdoors in future iOS updates. But this spat between the government and Apple is not about that, it is about data on a phone running current iOS software. Apple is essentially saying that they could access data on encrypted iPhones by pushing a software update. That is not how a cryptographic system ought to work. A correctly implemented cryptographic system should allow access to the data only with the key. When a cryptographic system is combined with a biometric identifier like a fingerprint, the biometric identification needs to take place in a tamper-proof environment that only releases the key when the biometric identifier has been given. Upon operating system updates and restarts, the phone should require an actual decryption key from the user.

    What the discussion may be about is the fact that the normal iOS keys are weak (4-6 digits), so what the government may be asking for is an operating system update that removes a limit on the number of unlock attempts before the phone erases itself. However, again, Apple should not be able to push such an update to an existing phone without having the user unlock the phone first.

    So, while the government position is generally bad, it also seems that, in addition, there is something fishy about Apple's use of encryption on iOS.

  16. invalid assumptions on Even On eBay, Women Get Paid Less For Their Labor (sciencemag.org) · · Score: 3, Interesting

    They are making the same invalid assumption as the Github study, namely that sellers that identify their gender are statistically the same as those that don't. In fact, the Github study itself showed that they don't. The difference is probably something harmless; for example, it is possible (even likely) that older people tend to use their first names more frequently, and are more likely to have first names that can be classified by gender.

  17. Suppose the FDA is not currently approving a drug, and I think it should be available. I may distrust the scientific principles being used, and that's irrational (assuming that the science is good, which it is AFAICT).

    But that's the problem: what is "irrational" and what is "ignorant" is something reasonable people can disagree on. As far as the FDA is concerned, the scientific literature is full of incorrect results and frauds, the studies submitted to it are often manipulated and fraudulent, there is massive selection bias, and the statistical methods it uses are outdated. In addition, the FDA makes decisions that are in the best interest of the FDA as an organization, not with the interests of individuals. The idea that FDA drug approvals are objectively "rational" in a universally agreed on way is just not compatible with reality.

    I don't want people doing that out of ignorance or lack of understanding. [...] I lean pretty hard libertarian on some issues, this being one of them

    That view is intrinsically incompatible with libertarianism, or even liberalism. Classical liberalism means that people make their own decisions and are responsible for the consequences of their choices.

  18. Re:network neutrality? on Mobile Giant Three Group To Block Online Advertising (thestack.com) · · Score: 1

    The amount people pay to deliver the ads is a huge factor here. The ad companies are using someone else's bandwidth for free,

    Ad delivery is a deal between users, content providers, advertisers, and ad companies. The user wants to see content, but that content needs to be paid for. One way of doing that is showing ads.

    I agree with the idea that, no, we don't owe them a damned thing, and we also can't trust them. I don't care about their revenue, I'll keep blocking them.

    I have no problem with you blocking them. I don't even have a problem with Three blocking ads in principle. You should realize, though, that either of those things makes it a lot harder for people to start new companies and offer free content.

    I'm pointing out the hypocrisy and inconsistency of simultaneously advocating net neutrality and ad blocking by carriers. Net neutrality is questionable enough to begin with, but if you impose net neutrality and then carve out exceptions for ad blocking and other "content we don't like", the whole thing just becomes a means of total control of network content over the choices of users.

  19. Re:network neutrality? on Mobile Giant Three Group To Block Online Advertising (thestack.com) · · Score: 1

    none of the EU member countries have yet created legislation to enact the 2015 "net neutrality" laws

    Nor did I say they had. All I did in my OP was to ask whether this violated network neutrality, a principle that many in the EU are pushing for. See here. The rest is a bunch of delusions and straw men on your part.

    Common carrier in the US has a legal meaning, it does not in the UK.

    What a brilliant insight! Next you'll tell us that there are no elevators in the UK! And to top it off you'll observe (correctly) that ISPs don't have common carrier status in the US! You are just amazingly good at missing the point!

  20. Re:network neutrality? on Mobile Giant Three Group To Block Online Advertising (thestack.com) · · Score: 1

    Your questions are very US-centric

    No, they are not. Europe has also adopted a principle of net neutrality.

    Three is already obliged to make content decisions for currently standing court orders blocking

    So? Do you seriously think that US ISPs are not required to comply with court orders?

    and there is no flat "common carrier" status that Three currently enjoys anyway.

    Of course there is: European ISPs and phone companies are no more (and no less) responsible for the contents of user generated traffic as American ISPs and phone companies are.

  21. Re:Supporters on Where Do the Presidential Candidates Stand On Encryption? (windowsitpro.com) · · Score: 1

    Obama was consistent too; he promised hope and change.

    Here is Obama on government surveillance: https://www.youtube.com/watch?... Note how he turned from a forceful speaker before the election into a spineless buffoon after the election.

  22. Well, we already knew that all the presidential candidates were both technically illiterate and leaned towards totalitarian government. However, their statements give an Onionesque comical characterization of what their deficiencies actually are, from Ben Carson's inconsistent ramblings, to Clinton's "we need a Manhattan project", to Sanders "corporations are evil even when they try to protect privacy".

    I suppose it's better than the last guy, who made strong promises before the election and then did a shifty-eyed retreat when he had become president: https://www.youtube.com/watch?...

  23. network neutrality? on Mobile Giant Three Group To Block Online Advertising (thestack.com) · · Score: 2

    Doesn't this violate network neutrality? And if they place themselves in the position of being arbiter of what is advertising and what is not, don't they run the risk of being forced to make other content decisions as well? Don't they risk losing common carrier status?

  24. I think, though, that the popularity of irrational movements based on questionable authorities means that we could really use more such understanding in society.

    And I think that the idea of "society" or "scientific authority" are fictions to begin with. One man's "irrational movement" is another man's "rational revolution". What matters in the end is what each individual wants to do and how government interferes with that.

    Take access to new medical drugs and devices. The FDA currently places strict limits on that based on scientific grounds and cost/benefit analyses. But even if their scientific methodology were sound, their cost/benefit analysis may be different from mine. They are interested in maximizing average benefits across the population and keeping average costs down across the population. A treatment that may be irrational for them may be quite rational for me. And treatments that aren't rational for me may be quite rational for Bill Gates.

  25. Re:trying to rewrite Polish history on Auschwitz Museum Releases Software To Rewrite Holocaust Nomenclature (thestack.com) · · Score: 1

    Ok, so if the Nazis had set up death camps in conquered France, you could legitimately refer to them as 'French Death Camps?'

    Yes, you could do so. Of course, it always depends on context. "French death camps" might refer to Nazi Germany's "death camps" in France, or it might refer to "death camps" established by the French government in their colonies. The fact that the phrase is legitimate doesn't mean it's always used correctly.

    Where they were was irrelevant.

    Where they were was quite relevant. The Polish concentration camps were dedicated to the extermination of Polish Jews and select Polish people, as opposed to the French or German concentration camps the Nazis had set up.