You're kidding, right? The real issue is that Apple has a backdoor to decrypt its customers' private information. That is outrageous.
What's really outrageous is that you post stuff here that you totally pulled out of your arse. There is plenty of documentation out there on how Apple's full disk encryption works. It is quite obvious that with a four digit passcode, brute forcing should be possible without any backdoor. I could do it in a few hours manually if you didn't use the "erase after ten attempts" feature. And it should be obvious that Apple would be capable of preventing the erase. I would think that the manufacturer of the flash memory would be capable of removing the flash, copying it to another chip, and then disabling writing on the new chip and putting the new chip back in.
Four digit passcode is just insecure if someone seriously wants to get the data.
You can crack the 4 digit lock screen in like 2-4 minutes.
_You_ can't, at least not easily, because _you_ can't access the encrypted contents of the iPhone. The maker of the flash memory probably could. Apple can. It seems that up to the iPhone 4, other companies could be exploiting some vulnerability that was fixed on the iPhone 4S.
Once you can access the encrypted contents, it's all a matter of brute forcing. It's made a bit harder because trying each key takes a substantial amount of time, but with ten thousand keys as you said it is no problem. You can use more digits, or a password with keys and letters. About 8 truly random digits and characters should make it unbreakable.
I used source control tools in 1991. I used manual source control years before that. If anyone isn't capable of using a source control system today, that isn't "not staying current", that is failing at basic job requirements.
Maybe it's just that writing concurrent code is hard, annoying, prone to buggy results, and should be avoided, except in special circumstances where there is a great advantage.
MacOS X or iOS with Grand Central Dispatch, and concurrent computing is a doddle. And basically anything that does an http request is "special circumstances" where concurrent computing is a great advantage :-)
Phones aren't the only locked-down devices. Several devices are locked down in a sense even when used on Wi-Fi.
You are confusing "locked down" and "locked to a carrier". If you are not interested at all in a phone but you want an iPod, you could look on eBay for a cheap used iPhone. But because it is locked to the carrier it won't work without the right SIM card. Obviously you can't make phone calls without a SIM, but because of the carrier lock, you can't use it at all. You have to find out the carrier, and get a SIM card, in order for the phone to be used just as an iPod. (No big problem in the UK because most carriers will give you a free SIM card, but if you bought one from a foreign country, it won't work).
... If consumers are not violating copyright or some other law,
It was always the case that phone unlocking would be against the DMCA. For many years there was a DMCA exemption that allowed unlocking even though it was against the DMCA, that is not gone. So unlocking _does_ violate copyright.
So Rep. Lofgren has to change his bill a bit: To declare the act of unlocking your phone not a copyright violation.
iOS devices (and many other devices) use the known locations of wireless access points to determine their own location. (They check which wireless access points they can see, with which signal strength, and compare the results with a database of wireless access locations). What this guy found was that he could access the same database. So he can find locations of wireless access locations, which are _not_ iPads or iPhones, and there is no reason to assume that they would be owned by Mac or iOS device owners.
That said, the information should not be available to anything but the operating system on a device.
Interesting idea, but I think there would be serious scalability problems. Imagine if this was in each room in your home, and the doors to the rooms were open. Whistling in one room would almost certainly trigger the lights in the adjacent rooms as well.
Typical slashdot combination of the Nirvana fallacy (a solution that isn't 100% perfect is not acceptable), and a totally defeatist attitude to technical problems.
You know what I fear?
That Apple does just what you describe: Change the words of their privacy policies, but don't actually change the processes used to handle data.
But the _words_ of their privacy policy _is_ what was wrong. Nobody in Germany requested Apple to change its policies; they requested that Apple lists precisely what they do so that customers can make an educated decision whether to agree or not.
You don't have to - you only have to make sure it's legal in the countries you sell it in. Germans aren't suing because of Apple violating their law in America, they're suing them for violating it in Germany. If you aren't willing to abide by the laws, then don't sell in that country.
Germans are not actually suing. They don't need to sue. Parts of Apple's policy have been declared invalid, which means that legally these parts don't exist.
Actually, the Judge has gone a bit further than that - he has referred all of the individuals identified as actively culpable to the Bar Associations for the districts where they are legally allowed to practice due to their lack of "moral turpitude".
Actually, quite the opposite. Not for the lack of moral turpitude, but for the presence of it. Turpitude = depraved or wicked behaviour or character.
So is a home-made gun legal? Maybe in the US, but not in the more civilized parts of the world. It certainly wouldn't be legal for me without a proper license.
It would make perfect sense if there were the same legal requirements for purchasing a gun and for building one. Of course, printing a gun might be easier and less risky than stealing one from a gun store.
Then applications for playing major studio movies would put a password box on the screen just to keep users from mirroring the video to more than one monitor without the movie studio's permission.
You are not thinking clearly. I said an application should disable display on external monitors or projectors while a password is entered. That means the application disables the monitor. An application for playing movies that _wanted_ to disable other monitors would just do that.
This ignores the fact that they wouldn't be able to convince me to rent movies on iTunes and pay them money if I couldn't watch them on my TV but only on my laptop.
The log-in and sign-up pages on Phil's Hobby Shop have a "Show password as I type" checkbox. Is this what you were looking for?
As a MacOS X developer, the developer can mark text entry fields as "password". A major effect of this is that other applications (like external spelling checkers, for example) don't have access to what you are typing. The other effect is that the input is hidden.
At the moment, you can't have a password field that gives protection against malware that could be on your computer, _and_ at the same time displays the password. Only one or the other.
They better design the network to be able to withstand the extra load that an emergency situation would create.
A good example of what is called the "Nirvana fallacy". Rejecting a good solution because it is not perfect. Do you have any idea what kind of overcapacity you need to handle the case where everyone wants to call everyone else simultaneously? I'm sure the good people of whatever this town is called wouldn't be willing to pay for it.
If you can afford a Mac, or a computer newer than XP, you don't need to be sucking off the public teat.
That, my friend, is total nonsense. This site is for people getting benefits for disabilities etc. For example, I have a well-paying job. With some bad luck, I might get some illness that makes it impossible for me to drive a car. If I can't drive to work, I can't drive to work and lose my job. The UK benefits system would (possibly) pay to have me driven to work. Which is a lot, lot cheaper because of the taxes that I would continue paying than paying me unemployment benefits. In other words, people with disabilities might be in good jobs and have plenty of money while still receiving benefits.
1. Apps should be aware of password entries, and should turn off mirroring monitors, projectors etc. during password entry.
2. Showing nothing of the password is bad. Some applications actually added random numbers of stars as you type, that is worse. Showing a single character is slightly useful. Dimming out a few characters is better.
3. People are very good at detecting that someone is looking over their shoulder.
Anti-virus software is sold by making promises to the buyer. For example, promises to protect their privacy. Anti-virus software that gave the police access to your computer, even if that was legal, would be in breach of the promises they made when they sold the software. That would be false advertising.
Could you imagine millions of customers asking for their money back when anti-virus software that claims to protect their data intentionally doesn't protect it?
I went to the website using the Safari browser on MacOS X, and without any problems opened the PDF form (which supposedly cannot be opened), started filling it in, and printed it (to a PDF file to avoid wasting paper, but that's the same thing). So this works absolutely fine if you have a modern Mac running MacOS X 10.8 (I didn't try older versions), and you either have a printer, or you have the e-mail address of a friend who has a printer (on a Mac, the "Print" function lets you print to your own printer, to a PDF file, to a PDF file stored in "Web receipts" which is quite handy, or to a PDF file that is mailed somewhere). You put the paper into an envelope and mail it in. That's it.
So if you want to get these benefits, there is absolutely no need to use Windows, Windows XP, or Internet Explorer 6.
I've never bought an extended warranty for anything, and I've never needed one. Anecdote annihilation!
I bought a hard disk recorder, which had a power supply rated for 24 Watt, while the hard disk recorder used 23 Watt in standby. That isn't going to work. After 15 months, the power supply broke. Replaced it with a 60 watt one from eBay. Next hard disk recorder I bought extended warranty. Which paid for the next one when the hard disk broke down. I even got a free extended warranty! Which paid for the next one when switching between programs got slower and slower. If they keep breaking down, I'm set for life! Until one lasts beyond the extended warranty period, then I'll have to buy a new one and pay for it myself :-(
Agreed. Also, I remember the 80's when the select few people who had cell phones/car phones were seen as self important douches. Now everyone is a self important douche with a cellphone!
Read many years ago: "Thirty percent of the population fear that using a cellphone might give you brain cancer. Seventy percent hope it does".
What's next? All 3 to 5 friends will have to enter their codes simultaneously to recover the lost account?
No. Three out of five friends need to enter codes. I thought most people posting on Slashdot would know about codes where n out of m keys are needed to uncover a secret. (For example, for 3 out of 5 the keys would be points on something similar to a 2nd degree polynomial; with two points you have no idea what the polynomial is, with three or more points you can reconstruct it).
..why oh why do people think that html5 drm would be open? WHY? how the fuck would that even WORK?!?
You _can_ have open DRM, if you reduce DRM to "Digital Rights Management" and further rely on legal protection instead of trying to create unbreakable encryption. For example, DRM for movie rentals: All you'd need is a movie player that downloads a movie, adds some trivial xor "encryption" which it removes during playback, and deletes it when the rental time is over. That's Digital Rights Management that can easily be implemented in Open Source software, and just hard enough to break for the DMCA act to apply.
Here's what that kind of labelling does:
Case 1: Company A labels their phone, company B doesn't. Customers looking at a phone from A get scared, look at phone from B and buy it because it doesn't come with the scary warning.
Case 2: Customer looks at various phones in a shop in San Francisco. They all have the scary warning, so the customer doesn't buy. Next time he visits Los Angeles, he goes to a phone shop, looks at all the wonderful phones without a scary warning, and buys one that he likes.
In the end, if mobile phones emit radiation that is dangerous for you, the perfect solution is to use the phone less.
How on earth is it possible at all that an IT related company stores passwords in a form that the information can get leaked?