Posted on 07/31/2015 9:30:30 PM PDT by Swordmaker
p>The Obama administration’s central strategy against strong encryption seems to be waging war on the companies that are providing and popularizing it: most notably Apple and Google.
The intimidation campaign got a boost Thursday when a blog that frequently promotes the interests of the national security establishment raised the prospect of Apple being found liable for providing material support to a terrorist.
Benjamin Wittes, editor-in-chief of the LawFare blog, suggested that Apple could in fact face that liability if it continued to provide encryption services to a suspected terrorist. He noted that the post was in response to an idea raised by Sen. Sheldon Whitehouse, D-R.I., in a hearing earlier this month.
“In the facts we considered,” wrote Wittes and his co-author, Harvard law student Zoe Bedell, “a court might — believe it or not — consider Apple as having violated the criminal prohibition against material support for terrorism.”
FBI Director James Comey and others have said that end-to-end encryption makes law enforcement harder because service providers don’t have access to the actual communications, and therefore cannot turn them over when served with a warrant.
Wittes and Bedell argue that Apple’s decision to “move aggressively to implement end-to-end encrypted systems, and indeed to boast about them” after being “publicly and repeatedly warned by law enforcement at the very highest levels that ISIS is recruiting Americans” — in part through the use of encrypted messaging apps — could make the company liable if “an ISIS recruit uses exactly this pattern to kill some Americans.”
The blog compares Apple’s actions to a bank sending money to a charity supporting Hamas — knowing that it was a listed foreign terrorist organization.
“The question ultimately turns on whether Apple’s conduct in providing encryption services could, under any circumstances, be construed as material support,” Wittes and Bedell write. The answer, they say, “may be unnerving to executives at Apple.”
One way to avoid such liability, Wittes and Bedell argue, would be to end encrypted services to suspected terrorists. But, they acknowledge, “Cutting off service may be the last thing investigators want, as it would tip off the suspect that his activity has been noticed.”
In a hearing on July 8 before the Senate Judiciary Committee, Justice Department officials insisted that companies need to be able to provide them with unencrypted, clear access to people’s communications if presented with a warrant.
The problem is that eliminating end-to-end encryption or providing law enforcement with some sort of special key would also create opportunities for hackers.
Within minutes of the Lawfare post going up, privacy advocates and technologists expressed outrage: Chris Soghoian, principal technologist for the American Civil Liberties Union, called it a continuation in Wittes’ “brain-dead jihad against encryption,” while Jake Laperruque, a fellow at the Center for Democracy and Technology, wrote that Wittes’ post “equates selling a phone that’s secure from hackers with giving money to terrorists.”
If Apple and Google were to cave under the pressure of being likened to terrorist-helpers, and stop making end-to-end encryption, that could be the start of a “slippery slope” that ends the mainstream availability of strong encryption, said Amie Stepanovich, U.S policy manager for Access.
But even so, strong encryption will always exist, whether produced by small companies or foreign outlets. Terrorists can take their business elsewhere, while normal Americans will be left without a user-friendly, easily accessible way of protecting of their communications. “These tools are available and the government can’t get to all of them,” says Stepanovich.
Wittes, while couching his post as hypothetical, left little doubt about his personal sentiment. “All that said,” he and his coauthor wrote, “it’s a bit of a puzzle how a company that knowingly provides encrypted communications services to a specific person identified to it as engaged in terrorist activity escapes liability if and when that person then kills an American in a terrorist incident that relies on that encryption.”
The authors didn’t say what exactly they wanted Apple to do instead. Wittes tweeted after publishing the post that he is “not sure at all that Apple is not doing the right thing by encrypting end to end.”
Correction: An earlier version of this article misquoted Wittes’ tweet, mischaracterizing its meaning.
If you want on or off the Mac Ping List, Freepmail me.
If you want on or off the Mac Ping List, Freepmail me.
Encryption backdoors are simply a way for the government to do this, at will, to anyone at any time, for fun and profit (along with legitimate reasons). The US wants to have full and easy access to anyone’s device.
The answer should be a resounding, “NO!”
Anything good after True Crypt?
“...national security establishment raised the prospect of Apple being found liable for providing material support to a terrorist.”
You mean like giving $150 billion to Iran and enabling them to build the bomb?
You bet Apple aided terrorists or anyone else who has cash and hates the US, just exactly like Goggle and the current US regime do.
JMHo
No, they cannot. Apple itself does not have the keys. Only the user has the key. To insert a device in the Lightning port (a vulnerability which has been CLOSED) they would have to have physical possession of the computer.
Even The Hacker Team, the highly respected company that sells the tools to break into mobile devices to the government agencies such as NSA, FBI, and Police forces in multiple nations, said a couple of weeks ago when they offered to sell their entire arsenal of tools to another company, that they have software that was guaranteed to hack into every phone, tablet, etc. in the wild, including Android, Microsoft, Symbian, RIM, jailbroken iPhones and iPads . . . but not unjailbroken iPhones or iPads. The Hacker Team stated they had been unsuccessful in breaking into iOS devices.
Now let's talk about off-line decryption of iOS and Apple iCloud files. Apple mobile devices are encrypted to a 256 bit AES standard using the user's passcode entangled with the devices UUID. That passcode is hashed as is the entangled key and both are put into a secure location INSIDE the device's processor called FileVault, not accessible outside the device. Everything leaving the device to be stored on the iCloud is already encrypted to that 256 AES standard to which Apple does not have the key. Got it?
Apple then splits your encrypted data into four sections, entangles it with other at least four other users' data, and then encrypts it again to an additional 256 bit AES standard to when Apple does have the key. . . but remember, what they are encrypting is already just so much entangled gobble-do-gook. Only the original user, using his passcode AND the UUID of the device can access it. OOPS, that means any attempt to get at it requires it be done FROM that device.
How long would it take for the hypothetical authorities to break your encryption?
You apparently don't have a grasp of the sheer magnitude of the numbers involved. Do you even have an inkling of how long it would take to brute force your way into an even moderately complex passcode? I calculated the time a supercomputer capable of checking 50,000 potential passcodes per second would take to check all possible passcodes.
Frankly, ConservativeMind, that supercomputer would probably decompose into subatomic particles—given the assumed half-lives of protons and neutrons—before it finished. There still might be some electrons wandering around. I literally had to look up the names of really huge numbers to talk about it sensibly, because no one uses numbers this big!
Apple allows us to use every single character one of the 223 characters accessible from the keyboard in our passcode. . . and your passcode can be up to 256 characters long. And they've allowed that for some time. Most people don't bother with huge, complicated codes.
Although Apple does prohibit having any three characters sequentially identical, you are free to do anything else. Essentially, your passcode can be any character string combination. That gives you the possibility of having up to 256223 passcode combinations. I'm not going to try and figure out how much smaller a number the Apple limitation of no more than two consecutive characters would make it, since that would eliminate triple, quadruple, etc., all the way up to 256 identical characters in the passcode. I'm not sure I would even know where to begin calculating that. . . But no matter, it's still a huge number.
Think about that very huge number. Just 16 numeric numbers plus a four digit date code makes it almost impossible for fraudsters to hit on a valid credit card number. Adding the three digit security code makes it even harder. Nine numbers in our Social Security numbers makes it almost impossible to hit valid SSNs. Here we have a possible combinations almost infinitely larger than either of those that can be used to encrypt your data.
But it is even better than that, ConservativeMind . . . because after YOU select your passcode to use, your Apple computer or device entangles that passcode with the 128 bit Universally Unique IDentifier (UUID) assigned to your device. Now, that gives a potential 384223 possible passcode combinations.
That combined, entangled KEY is then converted to a HASH on your device so that it cannot be reverse calculated from the HASH, and then used to encrypt your data to a 256 bit Advanced Encryption Standard (AES) file, unlockable only with the original key. . . which is kept only on the device's FileVault as a hash.
A Googol, is 10100, a very large number indeed. This number of possible passcode combinations is FAR larger than a Googol.
Any encrypted data is either kept on the iPhone or then uploaded by YOU to the iCloud as an encrypted file. Apple does NOT have a key that can unlock it. No one but you can unlock it.
THAT, my FRiend is what is known as secure. If your upload is intercepted by anyone, all they see or record, is gobble-de-gook, garbage code. Un-intelligible noise.
Apple may be required to hand over to the government what they are holding. . . and even be required by law to help the government gain access to what they have. But what can they do if they do not have the technology to do ANYTHING to gain access to the data they have stored? That is the situation as it stands.
How long would it take to try every possible combination of characters and numbers and symbols that could have been used to encrypt your data by brute force, ConservativeMind? Good question. Because that is what would be required, unless they can force YOU to reveal your passcode.
Of course, most people are NOT going to use a 256 character passcode. But a sufficiently complex shorter one is sufficient.
Let's assume your Passcode was a short, but complex, 16 character code. Recall, however, that it was entangled with your computer's or device's 128 character UUID, so the base is now 16 + 128 or 223144, not quite so large as the that previous number, but still huge. . . and quite a bit larger than a Googol.
1,052,019,282,033,700,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000.000,000,000,000,000,000,000,000,000,000,000, 000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000
That's 1.052 duovigintillion possible combinations, give or take a few.
If the government's supercomputer could check 50,000 passcodes every second, It therefore test 1.5 TRILLION possible passcodes a year. Let's grant the government agency a 33% faster supercomputer and say they could check 2 TRILLION passcodes a year, OK? That means it would take their supercomputer only a mere. . .
5,260,096,410,168,500,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000.000,000,000,000,000,000,000,000,000,000,000,000,000, 000,000,000,000,000,000,000,000,000,000,000,000,000 YEARS. . .
to check all the possible passcodes to decipher your encrypted file that had been encoded with your 16 character complex passcode entangled with a 128 character UUID. It is possible they could, if they were outrageously lucky, get the data deciphered next week, but it more likely will take them a good portion of 5.26 Billion vigintillion (10195) Years to break into your data. Double, triple, quintuple, or even multiply the speed of the government's super computer by a factor of 10,000. . . it makes only infinitesimal differences in the amount of time it would take to break your passcode. That's the law of very large numbers at work.
By that time, I think the interest in what you've hidden in your files might be moot, don't you think?
Obama vs Apple. Homo catfight.
Mind boggling, that encryption is.
One thing about Obama going after Apple is that Al Gore is on the board of directors at Apple: Things that make you go hmmm....
How else can Apple or another entity get your Apple security information? They can keylog your computer to capture your password entry. Is there yet another way? Yes, because, by default, Apple doesn't encrypt your iCloud information. You can, however, set an encryption key. Without that encryption key, your information is not secure at Apple.
Is there any other way? Yes, there is. You say “everything on iCloud is encrypted to 256 bit.” Apple says you are wrong! From Apple: “iCloud uses a minimum of 128-bit AES encryption—the same level of security employed by major financial institutions—and never provides encryption keys to any third parties.” (https://support.apple.com/en-us/HT202303)
Do you notice something else in that sentence? Apple says it has the keys, but won't provide them. It does not say that it can't provide them.
Let's get back to the official Apple link above that you've never read. There is a table below that sentence that says all of the security to and from Apple is only 128-bit minimum. That sort of blows a TON of your diatribe out of the water.
Do you note yet another way to get into your device? It goes on to say two-factor is optional. Even with two-factor, if the government has access to your email accounts and channels to receive the token (or can guess the security answers) they can reset your password and have full access to your iCloud information.
Apple last updated the information I used on June 3, 2015. Is your 256-bit information any more recent?
One more thing: If you've ever used iCloud, you are able to be compromised, as CNN states, here: http://money.cnn.com/2014/09/18/technology/mobile/apple-ios-8-security/index.html.
So, do you have more authoritative links you can provide to counter what Apple and CNN are saying about iOS 8?
Swordmaker never provided links to back his statements up. Please read what Apple and CNN say about iOS 8 security in my post.
“You mean like giving $150 billion to Iran and enabling them to build the bomb” while guaranteeing US protection of Iran’s means to do so?
> The answer should be a resounding, “NO!”
Absofreakinglutely!
Exactly. All this talk about 128 and 256 bit keys is silly. No one is going to do a brute force effort on such encryption when there are other (far easier) ways to get to the unencrypted data.
Uh, I don’t really have a cat in your fight with Swordmaker.
My points were simply
1. Encryption is interesting
2. Funny to see Obama going after something of Al Gore’s
No one should have access to other’s private info and we should all demand our government gtfo of our business
Have a great day.
No, that cannot happen either. The servers are general, not specific, and the update is initiated from the user end. Sorry. Keep trying.
Apple says you are wrong! From Apple: “iCloud uses a minimum of 128-bit AES encryption—the same level of security employed by major financial institutions—and never provides encryption keys to any third parties.”
My apologies, ConservativeMind, but I do not post information that I cannot backup.. . . You failed to read that correctly, ConservativeMind. . . read it again. Here, I will help you:
"iCloud uses a minimum of 128-bit AES encryption—the same level of security employed by major financial institutions—and never provides encryption keys to any third parties."
Do you see that word "minimum" which you oh so conveniently omitted from your rebuttal, ConservativeMind? That's because Apple is rapidly increasing their storage encryption to 256 bit AES standard across all of Apple owned server farms that Apple builds and maintains, but they do lease some storage from Amazon and Google, as well as in China with China Telecom. That storage is limited to the 128 bit AES storage. Apple has almost completed their conversion. Are you trying to argue that 128 bit AES standard is not secure? Tell that to the financial institutions that use it.
Do you notice something else in that sentence? Apple says it has the keys, but won't provide them. It does not say that it can't provide them.
Let's get back to the official Apple link above that you've never read. There is a table below that sentence that says all of the security to and from Apple is only 128-bit minimum. That sort of blows a TON of your diatribe out of the water.
What an assumption that I've never read it. I've read it and also read the complete Apple Technical PDF on Apple iCloud Security which outlines exactly how Apple implements iCloud security and it's policies, and I've read CEO Tim Cook's open letter specifying that Apple will never release any user's data.
Now let me refresh you on what i wrote in my detailed (but in which I did not go completely into all the detail of all their servers as above) response which summarized some of what was in that PDF and Cook letter:
"Apple then splits your encrypted data into four sections, entangles it with other at least four other users' data, and then encrypts it again to an additional 256 bit AES standard to when [damn auto-correct, that had been "which"—Swordmaker] Apple does have the key. . . but remember, what they are encrypting is already just so much entangled gobble-do-gook."
You see, ConservativeMind, I DID tell you that Apple has the key to what THEY encrypted. . . which is the data that is already encrypted when it comes from the user. If the user does not set a passcode for the device, it will use the AppleID for the encrypton and entangle THAT with the UUID of he device. That is somewhat less secure. . . but Apple will not know that.
If the user sets a passcode to his device, which was my point, Apple Apple dies not have it, and therefor cannot provide it to anyone. Your claim that "Apple has the keys" is just completely false as it applies to the users' keys!
One more thing: If you've ever used iCloud, you are able to be compromised.
iCloud has not been compromised. Some celebrities who used weak security questions which could be learned merely by reading fanzine biographies on them had their passwords changed, but iCloud itself has not been hacked.
That article by CNN was simply wrong and prompted CEO Tim Cook to write the open letter to Apple's users telling them that Apple would NOT provide their data from the iCloud and could not in any case because it was encrypted. He categorically stated that user privacy was primary for Apple. If you "share" your information in an open "public" folder on iCloud, then yes, the government can get ahold of anything you put in that public folder. . . but nothing else.
As for "Guessing" security questions, if anyone is smart, the answers to their security questions will NOT be anything that can be guessed by someone who knows anything about them. Nor does your two factor point hold any water. Again, It requires more than mere government snooping and it requires the entry of a password.
Sorry, you just are not correct in your assumptions, either about me or my knowledge about Apple's security. This is an area that I know more about that you.
You keep throwing anti-Apple spit wads but you are missing your target because you really don't know anything factual about it. I do.
No, that cannot happen either. The servers are general, not specific, and the update is initiated from the user end. Sorry. Keep trying.
Apple says you are wrong! From Apple: “iCloud uses a minimum of 128-bit AES encryption—the same level of security employed by major financial institutions—and never provides encryption keys to any third parties.”
My apologies, ConservativeMind, but I do not post information that I cannot backup.. . . You failed to read that correctly, ConservativeMind. . . read it again. Here, I will help you:
"iCloud uses a minimum of 128-bit AES encryption—the same level of security employed by major financial institutions—and never provides encryption keys to any third parties."
Do you see that word "minimum" which you oh so conveniently omitted from your rebuttal, ConservativeMind? That's because Apple is rapidly increasing their storage encryption to 256 bit AES standard across all of Apple owned server farms that Apple builds and maintains, but they do lease some storage from Amazon and Google, as well as in China with China Telecom. That storage is limited to the 128 bit AES storage. Apple has almost completed their conversion. Are you trying to argue that 128 bit AES standard is not secure? Tell that to the financial institutions that use it.
Do you notice something else in that sentence? Apple says it has the keys, but won't provide them. It does not say that it can't provide them.
Let's get back to the official Apple link above that you've never read. There is a table below that sentence that says all of the security to and from Apple is only 128-bit minimum. That sort of blows a TON of your diatribe out of the water.
What an assumption that I've never read it. I've read it and also read the complete Apple Technical PDF on Apple iCloud Security which outlines exactly how Apple implements iCloud security and it's policies, and I've read CEO Tim Cook's open letter specifying that Apple will never release any user's data.
Now let me refresh you on what i wrote in my detailed (but in which I did not go completely into all the detail of all their servers as above) response which summarized some of what was in that PDF and Cook letter:
"Apple then splits your encrypted data into four sections, entangles it with other at least four other users' data, and then encrypts it again to an additional 256 bit AES standard to when [damn auto-correct, that had been "which"—Swordmaker] Apple does have the key. . . but remember, what they are encrypting is already just so much entangled gobble-do-gook."
You see, ConservativeMind, I DID tell you that Apple has the key to what THEY encrypted. . . which is the data that is already encrypted when it comes from the user. If the user does not set a passcode for the device, it will use the AppleID for the encrypton and entangle THAT with the UUID of he device. That is somewhat less secure. . . but Apple will not know that.
If the user sets a passcode to his device, which was my point, Apple Apple dies not have it, and therefor cannot provide it to anyone. Your claim that "Apple has the keys" is just completely false as it applies to the users' keys!
One more thing: If you've ever used iCloud, you are able to be compromised.
iCloud has not been compromised. Some celebrities who used weak security questions which could be learned merely by reading fanzine biographies on them had their passwords changed, but iCloud itself has not been hacked.
That article by CNN was simply wrong and prompted CEO Tim Cook to write the open letter to Apple's users telling them that Apple would NOT provide their data from the iCloud and could not in any case because it was encrypted. He categorically stated that user privacy was primary for Apple. If you "share" your information in an open "public" folder on iCloud, then yes, the government can get ahold of anything you put in that public folder. . . but nothing else.
As for "Guessing" security questions, if anyone is smart, the answers to their security questions will NOT be anything that can be guessed by someone who knows anything about them. Nor does your two factor point hold any water. Again, It requires more than mere government snooping and it requires the entry of a password.
Sorry, you just are not correct in your assumptions, either about me or my knowledge about Apple's security. This is an area that I know more about that you.
You keep throwing anti-Apple spit wads but you are missing your target because you really don't know anything factual about it. I do.
You don’t know the first thing about encryption and the fact that the government doesn’t brute force keys.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.