At a news conference on Thursday devoted largely to
combating terror threats from the Islamic State,
Mr. Comey said, “What concerns me about this is companies
marketing something expressly to allow people to hold
themselves beyond the law.”
In the twentieth century, the modern state gained the power to destroy all life on Earth. In the twenty-first century, the modern state and the modern citizen gained the power of private machine-assisted telepathy, memory, and computation. The state and its avatars must recognize that it cannot and must not have the ability to exercise absolute power over citizen's thoughts, computations, and communications if it wishes to foster a healthy and free society.
The state and its avatars recognize that they can and must have the ability to exercise absolute power over citizen's thoughts, computations, and communications if they wish to fester in society.
This sounds lovely, except it's just absolute nonsense. For many thousands of years states have maintained the power to restrict citizens communications and almost since the invention of the telegraph they have been able to be monitored in some form. Despite this we are freer than ever.
Healthy and free societies are not built upon a base of unlimited freedom, that is all but anarchy.
Freedom is not a static thing; it's a constant conflict between various parties. It's a balance.
Various entities within the government are always trying to wrest more control of individuals, more information about their lives, all with the justification of achieving incrementally better service to society and the world.
We the citizens of industrial societies need to come to a consensus as to how much freedom we should have, versus how much we should sacrifice for the sake of collective safety and security. We are nowhere near an agreement at this time.
"Anarchy." You keep using that word. You are equating the potential for absolute privacy in communication with "anarchy." Do you have an explanation for how that is the vanguard of anarchy?
Freedom: Supposedly enlightened places like the US are governed under a system where the rights of individuals are assumed to be open-ended and expanding as new technologies enable more freedom travel, communicate, etc., and the powers of government are fenced-in until the people consent to extend those powers.
Apple now is in the damage control mode, trying to undo the massive credibility hit dealt by Snowden revelations. But since they were in bed with the NSA for several years prior, I really doubt they have an option of divorce. If they were strong-armed into cooperation before, it'd be foolish to assume that they can get out of it on such a flimsy technicality as a in-device encryption. So what's likely to be happening is that Apple started encrypting, the state started saying "Oh, noes! It's unbreakable. Buy American again." and behind the scenes they still cooperate in a less in-your-face fashion. Something as simple as initializing PRNG on the device in a predictable manner - piece of cake to do, very hard to detect, but exploitable on the spot with a bit of foreknowledge. Where there's a will, there's a way. And the will is there.
And it's impossible for a 'normal' citizen to have an idea if and when they are. We simply have no clue or expertise to possibly pick apart statements made and then verify them—as you said in regards to initializing PRNGs. For example, most in the technical communities have no idea how PRNGs work, let alone how to test if they are true. I know I don't.
Is this supposed to be a joke?
A separate article on the same sort of thing. But, I can't help but laugh at how the instant canned response from the FBI was "WON'T SOMEONE THINK OF THE CHILDREN".
It's pathetic, even more so because it keeps working.
http://www.washingtonpost.com/business/technology/2014/09/25...
This one's even more pathetically blatant.
On another note, is anyone disturbed by how even the idea of people being able to store their private data securely being seen as inherently criminal by high level officials? What does that say about these people in power, they literally view your right to privacy as dangerous. Sickening.
Your right to privacy is dangerous. Imagine trying to investigate a murder with unlimited privacy. Unless someone saw the killer kill, you've no chance.
Focusing on solving a murder and being willing to scarifies the privacy of everyone, even the people that are in no real danger is foolish. The billions of dollars spend on spying on regular people are mostly wasted. Taking the same money and directing them towards prevention may yield better results. I'm not talking about the kind of prevention where the FBI pick up some terrorist just before he's about to bomb something. I'm talking about the kind where we avoid that people become terrorists.
If companies and individuals make it impossible for the governments to spy on people infeasible we might get more focus on prevention.
Also, strip away the privacy of the murderer and you strip away the privacy for all of us, including those who fight oppressive regimes and dictatorships. That might not be a sensible tradeoff.
The new security in iOS 8 protects information stored on
the device itself, but not data stored on iCloud, Apple’s
cloud service. So Apple will still be able to obtain some
customer information stored on iCloud in response to
government requests.
Apple gets to sell more phones due to this perception, the FBI get to continue hoovering (no pun intended) up iPhone user's data, and everyone goes home happy. It seems to be a manufactured controversy, with Apple & the FBI both playing their parts and knowing full well the rules of the game haven't changed one bit.
Uh, what? Surely the journalist has missed an important technical detail here, right?
Now if we take their figure of 5.5 years to crack a phone's files and divide, we get 327 seconds (more than 5 minutes) per password they check.
Something is off, though perhaps it's my math so please do double check it for me.
Edit: Argggg. Good corrections. My main problem is that I did my final division in the wrong direction. Fix that by taking a reciprocal: 1/327 = 0.003 seconds. And then correct that by a factor of 2 to assume they get each password in half possible time: 0.003 * 2 = 0.006 or roughly 6 milliseconds. Thanks for the quick check folks.
This issue is compounded by the fact that humans are notoriously bad at randomness. I really don't think many users will be typing the 22 random characters required for just over 128 bits of entropy every time they want to use their phone.
But maybe the 5.5 year figure includes the incrementally increasing delay that Apple insert between tries after x wrong guesses -- assuming a manual brute force, which is pretty much not how it would play out in reality.
For pure brute force you'd want to make some assumption about the mean time taken to find the correct password, but lets argue that you find it after checking exactly 1/2 of the possible combinations.
2.8400e+10 passwords checked in 1.7300e+8 seconds => ~0.6 milliseconds per check. ish. I think.
Edit: as comment below points out, humans are crap. In reality any hack would use dictionary attacks rather than pure brute force. I was just addressing the maths.
On a tangent, I trust Apple's competence but I have seen no information on the technicalities of this feature. I would like to hear specifics so we can estimate how secure the design is based on facts.
https://www.apple.com/privacy/docs/iOS_Security_Guide_Sept_2...
The computational burden likely cannot be too high, as it is running on mobile hardware and people expect rapid access to their data after entering their passcode.
I would privately thank them for putting in another backdoor that actually lets me read all the data I want from them.
It's a win-win. Apple gets to look like a privacy crusader. The NSA gets access to all phones. And best of all, iPhone users get to believe that their phone is unhackable, so they won't take the same precautions to hide their illegal activities.
"The notion that someone would market a closet that could never be opened — even if it involves a case involving a child kidnapper and a court order — to me does not make any sense."
The whole point of our system is that this guy can be as ignorant and disrespectful of our liberties as he likes, without actually endangering our society.
Which isn't to say that attitudes like his won't do damage. Really we ought to have officers -- in ALL stations of government -- with a far better understanding than this. Who, exactly, appointed this guy?
I could talk about safe-cracking as an art, but I'd direct you to go look up a YouTube video a plasma cutter going through steel. The reality is most safes you buy commercially can be broken in under 30 minutes by an experience locksmith without such tools.
People at high levels of government (Director of FBI, US Attorney, etc) should at least spend some time on the other side to better understand how the whole system works.
Of course it won't happen - all the career paths to the top are through the prosecutorial side. That leds to people like Comey, the AG for Swartz case, etc have such overbearing attitude about our rights.
Samsung Android phones the proprietary modem can r,w /sdcard and /data unless you either install Replicant or use some kind of permission controls like SEAndroid to lock out modem.img access to everything. Apple likely has a similar proprietary baseband with full remote control over the whole application OS they can offer the FBI to quietly activate targeted spying.
This is a huge blanket blaming statement. Our intent can be protecting someone's privacy without ever addressing their intent to do harm to another. And, given the propensity of people who don't wish harm on others, I'm totally OK in supporting and pushing for these types of protections in consumer goods.
If anyone has tried to go beyond the law here, it's the NSA.
The big issue as I see it, though, is that Apple isn't advertising this as a means of protecting yourself from criminals. Instead, they advertised it as a means of preventing Apple from complying with warrants. Warrants constitute an violation of a person's privacy which is explicitly allowed in the constitution. There's a good reason we have them, and a process that's been in place for a few centuries to limit their abuse. More often than not, the bad guy is not the federal government, and the public is served by allowing the police to investigate specific individuals under reasonable suspicion with specific limitations as authorized by the courts. If people have a problem with the way warrants are issued or how the police carry out investigations, they should seek to change that process, not try to circumvent them.
This isn't going to keep out the NSA. It only affects that data physically residing on your phone, and when was the last time the NSA had your phone physically in its possession? This likely isn't going to stop actual law enforcement officials from getting access to the data on your phone. Unless you're typing in a strong password every time you pull your phone out of your pocket, the FBI will likely be able to brute force your phone to gather evidence with little difficulty, providing the courts allow them to do so. On that front, the only thing this has really accomplished is allowing Apple to give the middle finger to the feds in an attempt to appease a customer base who thinks the government is out to get them.
The benefits of being able to crack phones quickly in the few cases where it is in the public interest to do so do not outweigh the harm that would be done to the public if it were possible. Further, the types of people that really want to harm us are using third party or custom tools that encrypt everything anyway.
The feds and local police will lose a few more low-level drug cases, and maybe a few insider trading cases, due to Apple's security enhancements. I'm OK with that.
If you're typing in passwords, it might take a while.
If you've disassembled and imaged the storage device, and have physical access to the hardware security module (HSM), does that improve your rate or ability to parallelize?
I've been a little annoyed at how the FBI (for itself and again as proxy for the NSA) is playing helpless, as if the Director of the NSA or FBI is going to be stuck tapping unlock codes into a suspect's phone while the countdown timer on a 100 mega-pedophile nuke ticks down, somewhere in The City.
The next logical step is for Apple to encrypt my private iCloud data as well, and protect it from anyone except me (not sure if the technology exists to do this yet.)
Is it though? The implementation can be tricky to get right, building it in takes resources, and (perhaps until recently) most consumers do not seem to value that kind of safeguard for their communications. Enabling encryptoed encrypted increases the cost to the manufacturer, all for something that most people did not think was important (before there was strong evidence that there was a lot of warrantless wiretapping going on).
That corresponds to a 22 character mixed-case alphanumeric password. (62 choices per character, 62^22 > 2^128). But only if the characters are chosen randomly by a password generator; characters chosen by a human will have patterns and therefore lower entropy.
80 bits of entropy should still be enough to occupy a large amount of specialized hardware for a long time. That would correspond to 14 characters.
These people literally think on the level of schoolyard bullies.
"These people literally think on the level of schoolyard bullies." - That statement could go either way.