Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[sevenlayermuddle]

John McAfee is one of my favourite old-school nutters. Today, on the Beeb, I read he has offered to 'break encryption'.

http://www.bbc.co.uk/news/technology-35611763

Anti-virus software creator John McAfee has said he will break the encryption on an iPhone that belonged to San Bernardino killer Syed Farook.

Of course, he may be a nutter but he is also quite intelligent, and understands these things,  and breaking encryption is just not possible.  Or at least we all hope so.   But of course, as is nearly always the case in BBC technology, the Beeb have got it wrong... When you read the detail, what he has actually offered to do is to unlock a terrorist's iPhone, not by breaking the encryption, but by getting the passcode through 'social engineering'.

I began to think... What chance a 4 digit passcode of my own could be guessed?   At face value on odds, nearly nil.  But what if the attacker knew all about me, the date my dog died, my Grandmothers DOB, (*)  other memorable numerics..?  Well, maybe.   

Moreover, we have all seen stage magicians showing tricks... 'Pick a card' etc, that depend on human nature following patterns.  And these tricks nearly always work, so most people are vulnerable. 

I say why not, give McAfee a chance, it at least gets us out of this quandry whether or not Apple should assist.  But if he succeeds in guessing the passcode, let's not say he has 'broken encryption'.

* for avoidance of doubt, my Gran's DoB and death date of my childhood dog would absolutely not reveal my own pass codes, mere examples.

[burakkucat]

I began to think... What chance a 4 digit passcode of my own could be guessed?

Four denary digits. So it would be 1 in 10⁴, i.e. 1 in 10000 

[sevenlayermuddle]

I began to think... What chance a 4 digit passcode of my own could be guessed?

Four denary digits. So it would be 1 in 10⁴, i.e. 1 in 10000 

That is the probability that a single random code would be correct, but he doesn't get 10000 attempts... The device erases itself after 10 failed attempts.

From what the BBC has reported elsewhere, the change that the US authorities are asking of Apple is to install a special version of iOS that removes the 'erase after 10' aspect, so that the code can be brute-forced.  I'd be surprised if it were possible for Apple to do that as you normally need the unlock code to install a new version but even if it were possible, they are making a stand for privacy and refusing to assist.   Not sure I support them, but I can see both sides of the argument.

[Dray]

There's no argument. The government changed the iCloud password which prevented the iPhone's content from being accessible, then asked Apple to hack it.

[sevenlayermuddle]

I think what worries Apple is that it might set a precedent, opening the floodgates to future requests, and betraying customer expectations of privacy and reliable encryption.

But it occurs to me that another way of dealing with that would be to assist if it were possible to do so, and then strengthen iOS so as to make it impossible in future versions.   In fact, regardless of whether they choose to assist, arguably, they ought to be removing any possibility of doing so in future.

[broadstairs]

I think this is a much bigger question that whether or not Apple is right here. We have here a situation where the legal authorities are requesting access to data held by a terrorist and in this or any situation where a legal authority in any jurisdiction requires access to data held by a person like this or a convicted felon then I believe everyone corporate and personal has a duty to comply provided that legal authority has gained a court order for access. I do not accept the argument means that this will reduce security for all. In fact doing what Apple wants will mean those on the wrong side of the law will only use Apple devices, perhaps they want this in order to boost sales!

Stuart

[Dray]

The authorities were always able to recover the data but instead they changed the password which removed that option.

[sevenlayermuddle]

The authorities were always able to recover the data but instead they changed the password which removed that option.

That's not quite what I have heard.  Stuff I've read suggested Apple did supply access to the iCloud account which in turn would give access to backups of the phone's data.   But the authorities also want access to the phone itself, so they can get data that is more recent than the last backups.

But Apple's move, with iOS 8, was not to withdraw co-operating with law enforcement.  It was to supposedly make it impossible for themselves to assist.   If that hasn't worked, and it turns out to be possible after all, I don't really see why they won't co-operate as they (and all tech firms) have done for years.

[Dray]

No need for apple to supply access. The iCloud account is owned by the authorities - and the iPhone.

[sevenlayermuddle]

I see Apple have admitted it is technically possible to comply...

http://www.apple.com/customer-letter/answers/

Yes, it is certainly possible to create an entirely new operating system to undermine our security features as the government wants.

In that case, they have clearly failed to live up the hype surrounding iOS 8 and later, that Apple allowed to be widely reported, suggesting that such a thing  'would not be possible'.   That does not really bother me.  As discussed elsewhere I am far more worried about the massive data leaks from other sources, such as Google's openly declared  (lack of) privacy, Supermarket store cards, Pharmacy-chains who see my prescriptions,  insurance databases, the list is endless.

But now that Apple seem to have admitted that the 'impossibility' of decrypting an iPhone was exaggerated, it is time they threw in the towel and did what's being asked... in my opinion.   

People who track my posts might notice it is unusual for me to be critical of Apple, but this time I am.   

[Dray]

Apple have already said that this operating system does not exist and they are unwilling to write it. This is not news.

[sevenlayermuddle]

But the point is, if it can be written, it is not impossible.

We are all aware (or at least I hope we are) of K&R's 'hello world' code that appeared in the first few pages of their book describing 'C'.  It did not display 'Hello 7LM', but it most certainly proved to any rational mind that a 'hello 7LM' program was possible to write, regardless of whether K&R published the source code.

It would now appear that Apple say that they are capable of writing an iPhone decryption program.  They are referring to it as a 'new operating system', but that is just playing with words, code is code.  If it is possible to write such code then it is not impossible to decrypt an iPhone.   

The question of whether such code already exists is irrelevant, as long as the possibility of writing it exists.

[Dray]

No, it's a new operating system. It doesn't exist but it can be written, which is true of everything.

[sevenlayermuddle]

No, it's a new operating system. It doesn't exist but it can be written, which is true of everything.

No it is not true of everything. 

I have written programs ranging from 'hello world' to full operating systems.   If I could write a program, or an operating system, that would predict the lottery result I may be tempted, but I believe that to not be possible.

Based on what Apple have said however,  I no longer believe that it is not possible to write the code that will decrypt an iPhone.   

[Dray]

As I said, neither do apple. They could do it but they are unwilling to.