Cigar Asylum Cigar Forum


AdamJoshua 02-17-2016 08:08 AM

Apple addressing security concerns.
 
Well it's come down to the government trying to push Apple into building a special version of iOS that would allow them (the government) to access data on any phone in their possession. Interestingly enough, Apple has always worked with the FBI to unlock / remove data from iPhones when requested; now that doesn't seem to be enough. I'm sorry but I really don't trust the government or their security; I have a feeling this piece of software would be on the internet within days of being handed off to the feds.

Here's the letter from Tim Cook to Apple users.

http://www.apple.com/customer-letter/

mosesbotbol 02-17-2016 08:32 AM

Re: Apple addressing security concerns.
 
Apple should only comply with decryption when there is a warrant. I am not much for Government back doors to software. What's the point of encryption if it's not really encrypted and secure?

AdamJoshua 02-17-2016 09:20 AM

Re: Apple addressing security concerns.
 
To be honest I'm actually surprised at how strong their encryption really is; usually these things are not as advertised, but it seems in this case it is, and then some.

dave 02-17-2016 10:17 AM

Re: Apple addressing security concerns.
 
Unfortunately, we're getting pummeled by fear mongers...I worry that a lot of previously sane-ish folk will be getting behind the government on this.

mosesbotbol 02-17-2016 10:35 AM

Re: Apple addressing security concerns.
 
RSA encryption key had a Govt back door; didn't go over well when the public found out. No way Govt can control this as anyone could just write their own encryption software or just keep the files off of US servers with another encryption product.

Weelok 02-17-2016 12:00 PM

Re: Apple addressing security concerns.
 
Here is what I have read.

1. The government did get a search warrant for the data as without the warrant Apple said it could not help.
2. This is not software for a back door.
3. No back door is being requested of Apple now or in the future.
4. The software request is to disable the deleting of the database on 10 password failures. If you look at your settings, it's normally disabled however you can have your phone delete data when 10 failed password attempts have occurred.
5. The FBI would like to be able to disable this feature so they can run password checks and unlock the phone without deleting the data.
6. Brute force authentication is at worst 6 ^^ 6 attempts or 46,656 tries.
7. It's far easier to enter a passcode than break the encryption which I assume is AES 128 but could be 256. AES 256 is extremely difficult to break and that's all I will say on that.

The Poet 02-17-2016 01:31 PM

Re: Apple addressing security concerns.
 
Riddle me this. If terrorists or criminals utilize these encryption tools to hide their activities, and successfully plan attacks, human trafficking, child abuse, drug smuggling, illicit arms deals, or whatever, are you going to blame the government or Apple for any bad consequences?

I can understand the public having mistrust of governmental intrusion, abuse, or failings. I do NOT understand why one would trust a profit-driven corporation more.

markem 02-17-2016 02:10 PM

Re: Apple addressing security concerns.
 
This topic has wandered far. The Apple notice was basically them patting themselves on the back for what they, and many others, have insisted for years; namely, a security backdoor is not guaranteed to only be used by the good guys. Being good capitalists, they do not want to dissuade consumers and so want to tout how well they are protecting the average citizen. Point in fact is that any reputable company is adopting the same policies. They are no better nor worse than Microsoft or Google or anyone else that hopes to succeed.

They are, however, US-based, which presents some challenges given the political environment. Samsung is not US-based and so can easily avoid US machinations, for example. For them, the US market is not dominant in their sales figures. For Apple it is.

If you are obsessed about the US government and its potential for overreach, then you applaud the Apple letter and believe that Apple is striking a blow for freedom and the American Way (TM).

If you are a realist, then you know that it is Apple marketing.

Weelok's last comment is weird in this context and he implies that he is a cryptography expert. I am not, but the whole wink-wink-nudge-nudge thing grates as it usually comes from wannabes. No comment on the whole RSA thing as I just snorted on that comment.

markem 02-17-2016 02:11 PM

Re: Apple addressing security concerns.
 
Quote:

Originally Posted by The Poet (Post 2075577)
Riddle me this. If terrorists or criminals utilize these encryption tools to hide their activities, and successfully plan attacks, human trafficking, child abuse, drug smuggling, illicit arms deals, or whatever, are you going to blame the government or Apple for any bad consequences?

If a terrorist drives a Ford Escort to the Superbowl and sets off a nuclear bomb, do you plan to sue Ford?

dave 02-17-2016 02:15 PM

Re: Apple addressing security concerns.
 
Depends. Is The Poet a lawyer?

8zeros 02-17-2016 02:32 PM

Re: Apple addressing security concerns.
 
Clone the drive.
Burn lots of copies. 1000 phones gives you 10,000 tries.
Make your ten tries.
Rotate copies to be reburned.
This could be automated. Really fast if there is an emulator.
No need for a hack.
I'll do this for them for less than $350,000,000.00. ;)

The Poet 02-17-2016 02:50 PM

Re: Apple addressing security concerns.
 
Actually, it depends upon if Ford builds a hidden compartment in their Escorts that is designed to secrete cargo from detection. Ford might insist it was intended to allow the driver to smuggle a six-pack into the Super Bowl, but does that mean they are not responsible if it is used instead to hide a few bricks of C4? That is a question for a legal expert, not for a poet.

Yes, this statement is ridiculous. So is Apple's position. And FYI, Apple will admit the Chinese market is their most vital one now, not the US one. Plus, Apple has its headquarters in the US, but most of its manufacturing is done in China, and most of its money is stuck away in foreign banks to avoid their corporate tax responsibilities. Finally, the Apple core labor under the fantasy that Apple dominates the smartphone market. In fact, they only have about 18% of the market. Samsung alone has a 27% share, while the others in the market own the rest. This has nothing to do with the security issue here, yet is germane for those who feel what Apple says should be gospel.

Weelok 02-17-2016 03:27 PM

Re: Apple addressing security concerns.
 
Quote:

Originally Posted by markem (Post 2075586)
This topic has wandered far. The Apple notice was basically them patting themselves on the back for what they, and many others, have insisted for years; namely, a security backdoor is not guaranteed to only be used by the good guys. Being good capitalists, they do not want to dissuade consumers and so want to tout how well they are protecting the average citizen. Point in fact is that any reputable company is adopting the same policies. They are no better nor worse than Microsoft or Google or anyone else that hopes to succeed.

They are, however, US-based, which presents some challenges given the political environment. Samsung is not US-based and so can easily avoid US machinations, for example. For them, the US market is not dominant in their sales figures. For Apple it is.

If you are obsessed about the US government and its potential for overreach, then you applaud the Apple letter and believe that Apple is striking a blow for freedom and the American Way (TM).

If you are a realist, then you know that it is Apple marketing.

Weelok's last comment is weird in this context and he implies that he is a cryptography expert. I am not, but the whole wink-wink-nudge-nudge thing grates as it usually comes from wannabes. No comment on the whole RSA thing as I just snorted on that comment.

Heh, I think you read too much into my last comment. I'm not trying to establish myself as an expert and I withdraw my penis from the measuring contest; however, the key takeaway is the iPhone encryption can be broken but it takes significant time and effort.

So if you look at one of my earlier statements, logging into someone's phone would take 46,656 attempts and that is trivial compared to cracking encryption.

Here is some information for those that care on encryption and time to decode. A thing to note is this is the time for a brute force attack.

https://en.m.wikipedia.org/wiki/Adva...hannel_attacks

Modern techniques used to crack hardware encryption, such as used on the iPhone, are explored in Wikipedia.

Weelok 02-17-2016 04:06 PM

Re: Apple addressing security concerns.
 
I forgot to put the links on time to crack. This will be interesting as the first link dated 2012 will discuss the brute force time to crack:

http://www.eetimes.com/document.asp?doc_id=1279619

Now let's see how a modern approach does it and note the article is in the same year:

http://www.maximumpc.com/researchers...-world-record/

But even cracking the encryption in 148 days or less depending on the parallel processors, it's quite a bit easier to crack the password especially if they are just 6 characters in length.

Weelok 02-17-2016 04:16 PM

Re: Apple addressing security concerns.
 
And oops, it's not 6^^6, it's 10 ^^ 6 or 10 * 10 * 10 ... * 10 = 1,000,000 password combinations for brute force.

The non-expert that I am didn't do my math correctly, for shame. If you assume nobody starts with a 0 it can be done a wee bit faster hah. The true experts have rules they use that "most" people use and it takes about a third of the attempts and if they know a little bit about you, well, it's pretty easy but suffice it to say it's still more than 10 tries so the FBI would like a bit of help from Apple.

markem 02-17-2016 04:21 PM

Re: Apple addressing security concerns.
 
A password that is 6 characters in length and is numeric has (10^7)-1 possible passwords. If you have a 2.4 GHz processor capable of generating one password in, say, 100 instructions, then about (2.4 x 10^7) / (10^2) passwords per second can be generated. Testing them to see if they are correct depends on the user interface.

Most people opt for the minimum on their ATM card, which is usually 4 digits. Doesn't make one feel too safe if the ATM card information (not the card, just a skimmer) is grabbed.

One doesn't need parallel processors. All the math in the crypto is integer-based, so a graphic processor is way faster. Take a look at the NVIDIA CUDA tools for crypto processing. A few GPUs and most crypto looks pretty lame.

Weelok 02-17-2016 05:55 PM

Re: Apple addressing security concerns.
 
This is fascinating and the use of a graphics processor is a novel idea, if not a bit scary as they are so powerful. With regards to six digits being 10^7 -1 how is it calculated? This will be boring to most but I find it educational.

I admit to guessing on the 10^6 as I was just thinking 6 positions at 10 digits each but I am assuming it's some sort of combinatorial sequence? It's been a literal 30 years since my statistics and probability class and I can't say I really got it even then.

markem 02-17-2016 06:00 PM

Re: Apple addressing security concerns.
 
Quote:

Originally Posted by Weelok (Post 2075626)
This is fascinating and the use of a graphics processor is a novel idea, if not a bit scary as they are so powerful. With regards to six digits being 10^7 -1 how is it calculated? This will be boring to most but I find it educational.

I admit to guessing on the 10^6 as I was just thinking 6 positions at 10 digits each but I am assuming it's some sort of combinatorial sequence? It's been a literal 30 years since my statistics and probability class and I can't say I really got it even then.

Your insights are very close and almost exactly correct.

There are 10^6 passwords of length 6
10^5 of length 5, etc.

Add them together and you get 10^7 - 1

Weelok 02-17-2016 06:13 PM

Re: Apple addressing security concerns.
 
Quote:

Originally Posted by markem (Post 2075627)
Your insights are very close and almost exactly correct.

There are 10^6 passwords of length 6
10^5 of length 5, etc.

Add them together and you get 10^7 - 1

Ahhhh, that makes sense. I'm uncertain what Apple allows in the way of digits but I think you're forced to either 4 or 6 digits. My iPhone 6s and mini 4 are basically the same and I think it's 6 digits only or Touch ID. I say think because I don't see any other options but that means little. Earlier Apple products I recollect were 4 or 6 digit pass codes so yes, more digits and combinations hah.

People are dying while we talk math but we can talk tobacco beetles and mold anytime.

So I guess back to topic, the issue now becomes not encryption as that's a ***** to crack but not erasing the data on failed pass code attempts. This is kind of a clever approach the FBI is taking as they are letting Apple encrypt but the pass code is so much easier to break all they want is a simple feature disabled? This is where privacy gets confused as technology and law are never at the same point in time.

markem 02-17-2016 06:35 PM

Re: Apple addressing security concerns.
 
There are several technical issues at the heart of what Apple and others are championing. The 10-try limit is a way of saying that a normal person should get the password right in a few tries, so 10 or more is someone not authorized. Many issues buried in this. In general, the EFF is a good source on the broader issues (https://www.eff.org/).

The idea that the government wants is closely related to the term "key escrow" which is quite silly and should not be used except in very specific circumstances. Creating a master key (or even an algorithm for generating master keys on a per-phone basis) can never truly be limited to just those authorized and the weakness it introduces fundamentally weakens the very carefully designed crypto mathematics and the protocols which depend on it.

Think of it kinda like the police saying that you must put a spare key under the back door mat "just in case" and then being assured that no one can find it.

btw, this still doesn't address possible issues with that backup you may have made to the iCloud. Completely different set of problems there.

edit: here is a good article from 2 years back.
https://www.eff.org/deeplinks/2014/1...ption-decision
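
The passcode counting discussed earlier in the thread and the 10-try erase limit described in the post above, as an added example that is not part of any post. It is a constructed Python model (the `PasscodeGuard` class, the passcode and the secret are hypothetical and are not Apple's implementation) that counts digit-only passcodes and shows how erase-after-10-failures stops sequential guessing.

```python
"""Constructed model of an erase-after-N-failures passcode policy."""
import hmac

def keyspace_fixed(length, alphabet=10):
    """Number of passcodes of exactly `length` symbols."""
    return alphabet ** length

def keyspace_up_to(max_len, alphabet=10):
    """Number of passcodes of any length from 1 to max_len."""
    return sum(alphabet ** n for n in range(1, max_len + 1))

def guess_probability(tries, length, alphabet=10):
    """Chance that `tries` distinct guesses hit a uniformly random passcode."""
    space = keyspace_fixed(length, alphabet)
    return min(tries, space) / space

class PasscodeGuard:
    """Hypothetical device model: erases its secret after `limit` failures."""
    def __init__(self, passcode, secret, limit=10, erase_enabled=True):
        self._passcode, self._secret = passcode, secret
        self._limit, self._erase = limit, erase_enabled
        self.failures = 0
        self.wiped = False

    def unlock(self, guess):
        if self.wiped:
            return None                      # nothing left to recover
        if hmac.compare_digest(guess, self._passcode):
            self.failures = 0                # success resets the counter
            return self._secret
        self.failures += 1
        if self._erase and self.failures >= self._limit:
            self._secret, self.wiped = None, True
        return None

def sequential_guessing(guard, length=6):
    """Try 000000, 000001, ... and return (attempts_made, recovered_secret)."""
    for n in range(keyspace_fixed(length)):
        secret = guard.unlock(f"{n:0{length}d}")
        if secret is not None:
            return n + 1, secret
        if guard.wiped:
            return n + 1, None               # policy erased the data first
    return keyspace_fixed(length), None

if __name__ == "__main__":
    print(keyspace_fixed(6), keyspace_up_to(6), guess_probability(10, 6))
    print(sequential_guessing(PasscodeGuard("004242", "data")))
    print(sequential_guessing(PasscodeGuard("004242", "data", erase_enabled=False)))
```
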


All times are GMT -6.