Apple addressing security concerns.
AdamJoshua
02-17-2016, 08:08 AM
Well, it's come down to the government trying to push Apple into building a special version of iOS that would allow them (the government) to access data on any phone in their possession. Interestingly enough, Apple has always worked with the FBI to unlock / remove data from iPhones when requested; now that doesn't seem to be enough. I'm sorry, but I really don't trust the government or their security. I have a feeling this piece of software would be on the internet within days of being handed off to the feds.
Here's the letter from Tim Cook to Apple users. 
http://www.apple.com/customer-letter/
mosesbotbol
02-17-2016, 08:32 AM
Apple should only comply with decryption when there is a warrant. I am not much for government back doors to software. What's the point of encryption if it's not really encrypted and secure?
AdamJoshua
02-17-2016, 09:20 AM
To be honest, I'm actually surprised at how strong their encryption really is; usually these things are not as advertised, but it seems in this case it is, and then some.
Unfortunately, we're getting pummeled by fear mongers...I worry that a lot of previously sane-ish folk will be getting behind the government on this.
mosesbotbol
02-17-2016, 10:35 AM
RSA encryption key had a Govt back door; didn't go over well when the public found out. No way Govt can control this, as anyone could just write their own encryption software or just keep the files off of US servers with another encryption product.
Weelok
02-17-2016, 12:00 PM
Here is what I have read.
1. The government did get a search warrant for the data as without the warrant Apple said it could not help.
2. This is not software for a back door.
3. No back door is being requested of Apple now or in the future.
4. The software request is to disable the deleting of the database on 10 password failures. If you look at your settings, it's normally disabled however you can have your phone delete data when 10 failed password attempts have occurred.
5. The FBI would like to be able to disable this feature so they can run password checks and unlock the phone without deleting the data.
6. Brute force authentication is at worst 6 ^^ 6 attempts or 46,656 tries.
7. It's far easier to enter a passcode than break the encryption, which I assume is AES 128 but could be 256. AES 256 is extremely difficult to break and that's all I will say on that.
The Poet
02-17-2016, 01:31 PM
Riddle me this.  If terrorists or criminals utilize these encryption tools to hide their activities, and successfully plan attacks, human trafficking, child abuse, drug smuggling, illicit arms deals, or whatever, are you going to blame the government or Apple for any bad consequences?
I can understand the public having mistrust of governmental intrusion, abuse, or failings.  I do NOT understand why one would trust a profit-driven corporation more.
markem
02-17-2016, 02:10 PM
This topic has wandered far. The Apple notice was basically them patting themselves on the back for what they, and many others, have insisted for years; namely, a security backdoor is not guaranteed to only be used by the good guys. Being good capitalists, they do not want to dissuade consumers and so want to tout how well they are protecting the average citizen. Point in fact is that any reputable company is adopting the same policies. They are no better nor worse than Microsoft or Google or anyone else that hopes to succeed.
They are, however, US-based, which presents some challenges given the political environment. Samsung is not US-based and so can easily avoid US machinations, for example. For them, the US market is not dominant in their sales figures. For Apple it is.
If you are obsessed about the US government and its potential for overreach, then you applaud the Apple letter and believe that Apple is striking a blow for freedom and the American Way (TM).
If you are a realist, then you know that it is Apple marketing.
Weelok's last comment is weird in this context and he implies that he is a cryptography expert. I am not, but the whole wink-wink-nudge-nudge thing grates as it usually comes from wannabes. No comment on the whole RSA thing as I just snorted on that comment.
markem
02-17-2016, 02:11 PM
Riddle me this.  If terrorists or criminals utilize these encryption tools to hide their activities, and successfully plan attacks, human trafficking, child abuse, drug smuggling, illicit arms deals, or whatever, are you going to blame the government or Apple for any bad consequences?
If a terrorist drives a Ford Escort to the Superbowl and sets off a nuclear bomb, do you plan to sue Ford?
Depends.  Is The Poet a lawyer?
8zeros
02-17-2016, 02:32 PM
Clone the drive.
Burn lots of copies. 1000 phones gives you 10,000 tries.
Make your ten tries.
Rotate copies to be reburned.
This could be automated. Really fast if there is an emulator.
No need for a hack.
I'll do this for them for less than $350,000,000.00. ;)
The Poet
02-17-2016, 02:50 PM
Actually, it depends upon if Ford builds a hidden compartment in their Escorts that is designed to secret cargo from detection.  Ford might insist it was intended to allow the driver to smuggle a six-pack into the Super Bowl, but does that mean they are not responsible if it is used instead to hide a few bricks of C4?  That is a question for a legal expert, not for a poet.
Yes, this statement is ridiculous. So is Apple's position. And FYI, Apple will admit the Chinese market is their most vital one now, not the US one. Plus, Apple has its headquarters in the US, but most of its manufacturing is done in China, and most of its money is stuck away in foreign banks to avoid their corporate tax responsibilities. Finally, the Apple core labor under the fantasy that Apple dominates the smartphone market. In fact, they only have about 18% of the market. Samsung alone has a 27% share, while the others in the market own the rest. This has nothing to do with the security issue here, yet is germane for those who feel what Apple says should be gospel.
Weelok
02-17-2016, 03:27 PM
This topic has wandered far. The Apple notice was basically them patting themselves on the back for what they, and many others, have insisted for years; namely, a security backdoor is not guaranteed to only be used by the good guys. Being good capitalists, they do not want to dissuade consumers and so want to tout how well they are protecting the average citizen. Point in fact is that any reputable company is adopting the same policies. They are no better nor worse than Microsoft or Google or anyone else that hopes to succeed.
They are, however, US-based, which presents some challenges given the political environment. Samsung is not US-based and so can easily avoid US machinations, for example. For them, the US market is not dominant in their sales figures. For Apple it is.
If you are obsessed about the US government and its potential for overreach, then you applaud the Apple letter and believe that Apple is striking a blow for freedom and the American Way (TM).
If you are a realist, then you know that it is Apple marketing.
Weelok's last comment is weird in this context and he implies that he is a cryptography expert. I am not, but the whole wink-wink-nudge-nudge thing grates as it usually comes from wannabes. No comment on the whole RSA thing as I just snorted on that comment.
Heh, I think you read too much into my last comment. I'm not trying to establish myself as an expert, and I withdraw my penis from the measuring contest; however, the key takeaway is the iPhone encryption can be broken but it takes significant time and effort.
So if you look at one of my earlier statements, logging into someone's phone would take 46,656 attempts and that is trivial compared to cracking encryption.
Here is some information for those that care on encryption and time to decode. A thing to note is this is the time for a brute force attack.
https://en.m.wikipedia.org/wiki/Advanced_Encryption_Standard#Side-channel_attacks
Modern techniques used to crack hardware encryption, such as used on the iPhone, are explored in Wikipedia.
Weelok
02-17-2016, 04:06 PM
I forgot to put the links on time to crack. This will be interesting as the first link dated 2012 will discuss the brute force time to crack:
http://www.eetimes.com/document.asp?doc_id=1279619
Now let's see how a modern approach does it and note the article is in the same year:
http://www.maximumpc.com/researchers-crack-923-bit-encryption-set-new-world-record/
But even cracking the encryption in 148 days or less depending on the parallel processors, it's quite a bit easier to crack the password especially if they are just 6 characters in length.
Weelok
02-17-2016, 04:16 PM
And oops, it's not 6^6, it's 10^6 or 10 * 10 * 10 ... * 10 = 1,000,000 password combinations for brute force.
The non-expert that I am didn't do my math correctly, for shame. If you assume nobody starts with a 0 it can be done a wee bit faster, hah. The true experts have rules they use that "most" people use and it takes about a third of the attempts, and if they know a little bit about you, well, it's pretty easy, but suffice it to say it's still more than 10 tries, so the FBI would like a bit of help from Apple.
markem
02-17-2016, 04:21 PM
A password that is 6 characters in length and is numeric has (10^7)-1 possible passwords. If you have a 2.4 GHz processor capable of generating one password in, say, 100 instructions, then about (2.4 x 10^7) / (10^2) passwords per second can be generated. Testing them to see if they are correct depends on the user interface.
Most people opt for the minimum on their ATM card, which is usually 4 digits. Doesn't make one feel too safe if the ATM card information (not the card, just a skimmer) is grabbed.
One doesn't need parallel processors. All the math in the crypto is integer-based, so a graphics processor is way faster. Take a look at the NVIDIA CUDA tools for crypto processing. A few GPUs and most crypto looks pretty lame.
Weelok
02-17-2016, 05:55 PM
This is fascinating and the use of a graphics processor is a novel idea, if not a bit scary as they are so powerful. With regards to six digits being 10^7 -1 how is it calculated? This will be boring to most but I find it educational. 
I admit to guessing on the 10^6 as I was just thinking 6 positions at 10 digits each but I am assuming it's some sort of combinatorial sequence? It's been a literal 30 years since my statistics and probability class and I can't say I really got it even then.
markem
02-17-2016, 06:00 PM
This is fascinating and the use of a graphics processor is a novel idea, if not a bit scary as they are so powerful. With regards to six digits being 10^7 -1 how is it calculated? This will be boring to most but I find it educational. 
I admit to guessing on the 10^6 as I was just thinking 6 positions at 10 digits each but I am assuming it's some sort of combinatorial sequence? It's been a literal 30 years since my statistics and probability class and I can't say I really got it even then.
Your insights are very close and almost exactly correct.
There are 10^6 passwords of length 6
10^5 of length 5, etc.
Add them together and you get 10^7 - 1
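The passcode counting the two posts above work through, as an added example that is not from the thread: it computes the number of numeric codes of a fixed length (10^6 for six digits), the variable-length total the last reply sums up (10^1 + ... + 10^6), and what the "erase after 10 failed attempts" setting discussed earlier buys a defender against blind guessing. All functions and the sample lengths are my own construction.

```python
from fractions import Fraction

DIGITS = 10  # numeric passcodes: 0-9 available in every position


def codes_of_length(n: int, alphabet: int = DIGITS) -> int:
    """Number of distinct passcodes of exactly n symbols (10^6 for six digits)."""
    return alphabet ** n


def codes_up_to_length(max_len: int, min_len: int = 1, alphabet: int = DIGITS) -> int:
    """Total passcodes when the length may be anything from min_len to max_len.

    For numeric codes this is the geometric series 10^min_len + ... + 10^max_len,
    which closes to (10^(max_len + 1) - 10^min_len) / 9.
    """
    return sum(codes_of_length(n, alphabet) for n in range(min_len, max_len + 1))


def guess_success_probability(space: int, attempts: int) -> Fraction:
    """Chance that a blind guesser hits a uniformly chosen code within `attempts`
    distinct tries, i.e. before an erase-after-N policy wipes the device."""
    if space <= 0 or attempts < 0:
        raise ValueError("space must be positive and attempts non-negative")
    return Fraction(min(attempts, space), space)


def expected_tries_without_limit(space: int) -> Fraction:
    """Average number of guesses needed to find a uniformly chosen code when
    nothing stops the guesser (the erase setting is off)."""
    return Fraction(space + 1, 2)


def erase_policy_report(lengths, erase_after: int = 10) -> dict:
    """Summarise, per passcode length, what the erase-after-N setting changes:
    the keyspace, the odds of a guesser winning before the wipe, and the
    average tries the same keyspace would cost if the wipe were disabled."""
    report = {}
    for n in lengths:
        space = codes_of_length(n)
        report[n] = {
            "keyspace": space,
            "p_success_before_erase": guess_success_probability(space, erase_after),
            "expected_tries_no_erase": expected_tries_without_limit(space),
        }
    return report


if __name__ == "__main__":
    # Constructed sample: the 4- and 6-digit lengths the thread mentions.
    for n, row in erase_policy_report([4, 6]).items():
        print(f"{n}-digit: keyspace={row['keyspace']:,}, "
              f"P(guessed before erase)={row['p_success_before_erase']}, "
              f"expected tries with erase off={row['expected_tries_no_erase']}")
    print("all lengths 1..6:", f"{codes_up_to_length(6):,}")
```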
Weelok
02-17-2016, 06:13 PM
Your insights are very close and almost exactly correct.
There are 10^6 passwords of length 6
10^5 of length 5, etc.
Add them together and you get 10^7 - 1
Ahhhh, that makes sense. I'm uncertain what Apple allows in the way of digits but I think you're forced to either 4 or 6 digits. My iPhone 6s and mini 4 are basically the same and I think it's 6 digits only or Touch ID. I say think because I don't see any other options, but that means little. Earlier Apple products I recollect were 4 or 6 digit pass codes, so yes, more digits and combinations, hah.
People are dying while we talk math, but we can talk tobacco beetles and mold anytime.
So I guess back to topic, the issue now becomes not encryption, as that's a ***** to crack, but not erasing the data on failed pass code attempts. This is kind of a clever approach the FBI is taking, as they are letting Apple encrypt but the pass code is so much easier to break; all they want is a simple feature disabled? This is where privacy gets confused, as technology and law are never at the same point in time.
markem
02-17-2016, 06:35 PM
There are several technical issues at the heart of what Apple and others are championing. The 10-try limit is a way of saying that a normal person should get the password right in a few tries, so 10 or more is someone not authorized. Many issues buried in this. In general, the EFF is a good source on the broader issues (https://www.eff.org/).
The idea that the government wants is closely related to the term "key escrow", which is quite silly and should not be used except in very specific circumstances. Creating a master key (or even an algorithm for generating master keys on a per-phone basis) can never truly be limited to just those authorized, and the weakness it introduces fundamentally weakens the very carefully designed crypto mathematics and the protocols which depend on it.
Think of it kinda like the police saying that you must put a spare key under the back door mat "just in case" and then being assured that no one can find it.
btw, this still doesn't address possible issues with that backup you may have made to the iCloud. Completely different set of problems there.
edit: here is a good article from 2 years back.
https://www.eff.org/deeplinks/2014/10/even-golden-key-can-be-stolen-thieves-simple-facts-apples-encryption-decision
jledou
02-18-2016, 05:12 AM
Love the conversation Mark and Dave.
IMO - If a back door is there, it will be found by someone who wants it bad enough even if "all" precautions have been made to try to ensure that only a limited entity such as the government has the backdoor.
mosesbotbol
02-18-2016, 08:50 AM
My hunch is Apple already gave the NSA the information and they are playing charades to protect the integrity of their product.
I don't feel Apple should be mandated to hand this over, but out of their own conscience probably did, under the covers. Better to hand it over in secret than have the Govt pursue legal precedent.
markem
02-18-2016, 09:00 AM
Love the conversation Mark and Dave.
IMO - If a back door is there, it will be found by someone who wants it bad enough even if "all" precautions have been made to try to ensure that only a limited entity such as the government has the backdoor.
Statements by Apple and the EFF indicate that the feds seem to want a way to break the security via a "special update". Quite novel if auto updates are turned on for the phone. Problematic if the solution is that trivial.
There *may* be other ways to accomplish what the feds want, but having Apple do it may be the safe way to go. For example, they may be able to put in a different firmware chip that bypasses some aspects of the security. I don't think that Apple would design a product to be susceptible to this, since this would make certain governments (<cough>China<cough>) very happy. Still, the general technique called a teardown might be a productive route. Teardowns are destructive to the device, but a way around the security might be found.
Maybe IBM should get in to the smartphone business. https://en.wikipedia.org/wiki/IBM_4758
I'm not sure why the FBI doesn't just clone the drive and break in to it via a virtual machine. The RCFLs (FBI regional computer forensic labs) have that ability. At least the one here in Portland does.
Full disclosure, I've done work in the area of computer forensics in the past. Not now though.  http://psuvanguard.com/psu-profs-moonlight-with-detectives/
AdamJoshua
02-18-2016, 02:01 PM
Here's an interesting (at least to those of us not as well informed) article written by one of the guys that was helping with the jailbreaking apps.
http://bgr.com/2016/02/18/apple-fbi-backdoor-will-strafach-opinion/
Subvet642
02-18-2016, 04:14 PM
It seems to me that Apple is being forced to create something that doesn't exist yet; something that will, metaphorically, slit their own throats in a business sense. That goes far beyond anything that the 4th Amendment allows. I say let the FBI do their own fuggin' work and not force someone else to do it for them.
EC Ken
02-18-2016, 05:56 PM
"A Dangerous Precedent
Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority." TC
This is the part that gets me... Not the first time US government used it to compel Apple to comply. Oct 2014 https://www.documentcloud.org/documents/1372280-apple-oakland.html
So maybe it's not unprecedented..... 
Still love Apple and their products.
mosesbotbol
02-19-2016, 06:29 AM
It seems to me that Apple is being forced to create something that doesn't exist yet; something that will, metaphorically, slit their own throats in a business sense. That goes far beyond anything that the 4th Amendment allows. I say let the FBI do their own fuggin' work and not force someone else to do it for them.
I agree and no tech company should be compelled to create a back door on their products.
That being said, I'd just about bet the NSA already has the info and this is a ruse to pretend they don't have as much intel on the phone as they do.
I would expect/hope any legal challenge to compel manufacturers to have a back door in their products will be shot down at every level of court.
I believe when Apple complied with the Govt in earlier cases, the back door was already built into their product, but supposedly is not in the current releases.
shilala
02-19-2016, 07:43 AM
It seems to me that Apple is being forced to create something that doesn't exist yet; something that will, metaphorically, slit their own throats in a business sense. That goes far beyond anything that the 4th Amendment allows. I say let the FBI do their own fuggin' work and not force someone else to do it for them.
This.
And what stops Apple from moving the rest of their operation to China?
Circumvention being the child of Necessity, this whole deal pretty much forces someone to play a hand.
Subvet642
02-19-2016, 02:44 PM
"A Dangerous Precedent
Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority." TC
This is the part that gets me... Not the first time US government used it to compel Apple to comply. Oct 2014 https://www.documentcloud.org/documents/1372280-apple-oakland.html
So maybe it's not unprecedented..... 
Still love Apple and their products.
Maybe Apple should do what the government does when they receive a Freedom of Information request: charge an outrageous amount of money in order to frustrate it; perhaps charge what it costs to develop the operating system itself and estimated loss in future sales. A few billion should cover it.
https://33.media.tumblr.com/875a3abad6142f145532b3821880b8fa/tumblr_mn38qw3StF1s852lfo2_500.gif
EC Ken
02-19-2016, 04:00 PM
Maybe Apple should do what the government does when they receive a Freedom of Information request: charge an outrageous amount of money in order to frustrate it; perhaps charge what it costs to develop the operating system itself and estimated loss in future sales. A few billion should cover it.
https://33.media.tumblr.com/875a3abad6142f145532b3821880b8fa/tumblr_mn38qw3StF1s852lfo2_500.gif
That might do it.... 
Pretty soon the bad guys are going to use the US Mail, at least they will know when their messages are being looked at.
markem
02-20-2016, 01:25 PM
And now the comedians are weighing in...
https://www.yahoo.com/tech/seth-meyers-takes-closer-look-apple-public-war-163012072.html
8zeros
02-20-2016, 04:21 PM
Here's a good article: https://www.eff.org/deeplinks/2016/02/technical-perspective-apple-iphone-case
Seems to me like this is all about getting a foot in the door...
AdamJoshua
02-20-2016, 04:44 PM
Seems the county screwed up at ...the FBI's request. 
http://money.cnn.com/2016/02/20/technology/apple-fbi-san-bernardino-shooting/index.html
Subvet642
02-21-2016, 05:18 AM
As to Constitutional issues, it's important to remember that the Constitution was ratified by public plebiscite over the objection of sitting government. Therefore, it belongs to the People directly. It contains within it the limits to which the government is allowed to operate as well as the rights that the People retained for themselves; rights derived from John Locke's (and borrowed by Thomas Paine) "man in the state of nature". It is foolish to trust those who would be bound to by it to refrain from trying to circumvent it; that would be to ignore human nature. It is therefore imperative for "We the People" to protect it from encroachment, ourselves. Our whole Anglo-Saxon adversarial system of justice is based upon this very principle. This is what Tim Cook is doing, regardless of his other perfectly justifiable business motives; personal and public interests are not mutually exclusive. If his business interests are also serving the public interest of preserving all of our rights, then that speaks to the justness of his (and our) cause. Others are also fighting this battle, even as we speak (figuratively).
Subvet642
02-21-2016, 05:50 AM
As to Constitutional issues, it's important to remember that the Constitution was ratified by public plebiscite over the objection of sitting government. Therefore, it belongs to the People directly. It contains within it the limits to which the government is allowed to operate as well as the rights that the People retained for themselves; rights derived from John Locke's (and borrowed by Thomas Paine) "man in the state of nature". It is foolish to trust those who would be bound to by it to refrain from trying to circumvent it; that would be to ignore human nature. It is therefore imperative for "We the People" to protect it from encroachment, ourselves. Our whole Anglo-Saxon adversarial system of justice is based upon this very principle. This is what Tim Cook is doing, regardless of his other perfectly justifiable business motives; personal and public interests are not mutually exclusive. If his business interests are also serving the public interest of preserving all of our rights, then that speaks to the justness of his (and our) cause. Others are also fighting this battle, even as we speak (figuratively).
Sorry for the typo, it should read: It is foolish to trust those who would be bound by it to refrain from trying to circumvent it; that would be to ignore human nature.
Weelok
02-21-2016, 11:18 AM
This issue is exciting and refreshing because as everyone is using Facebook to make their lives an open book, along comes a discourse on the desire for privacy. Perhaps this is a public pendulum correction?
But with all of the enthusiastic discussions, hopefully there are some items to learn.
1. Those with Apple products, have you enabled the erase data setting on 10 failed passcode attempts?
http://i1100.photobucket.com/albums/g402/Weelok/7FF68D4D-66C7-4320-918C-6DF48CD4BFA6_zps9po5tytp.png (http://s1100.photobucket.com/user/Weelok/media/7FF68D4D-66C7-4320-918C-6DF48CD4BFA6_zps9po5tytp.png.html)
This would need to be done on iPads as well and it's in the same configuration area.
2. Are you using a passcode that is as long as allowable on the device? On older iPhone products you are stuck with 4 numerals, but a long passcode option to go up to 6 numerals exists on later models. I have a 6s and it's 6 numerals on my iPhone or a fingerprint, but the numerals can always be entered and are higher in priority.
How many of you had the erase data feature enabled before this controversy? Interestingly enough, I had it enabled on my old phone but forgot to enable it when I upgraded so this controversy was useful in reminding me to check!! Funny how things work out sometimes.
AdamJoshua
02-21-2016, 11:38 AM
You bring up an interesting point: if fingerprint is enabled, it's been proven that with a "good" fingerprint (that has been lifted off of something), you can build up the fingerprint using various things and it's possible to unlock devices using that print; you would think the FBI has some real quality prints from this guy. Again, that's only if the fingerprint security is enabled.