Posted on 07/31/2015 9:30:30 PM PDT by Swordmaker
If you want on or off the Mac Ping List, Freepmail me.
Encryption backdoors are simply a way for the government to do this, at will, to anyone at any time, for fun and profit (along with legitimate reasons). The US wants to have full and easy access to anyone’s device.
The answer should be a resounding, “NO!”
Anything good after True Crypt?
“...national security establishment raised the prospect of Apple being found liable for providing material support to a terrorist.”
You mean like giving $150 billion to Iran and enabling them to build the bomb?
You bet Apple aided terrorists or anyone else who has cash and hates the US, just exactly like Goggle and the current US regime do.
JMHo
No, they cannot. Apple itself does not have the keys. Only the user has the key. To insert a device in the Lightning port (a vulnerability which has been CLOSED) they would have to have physical possession of the computer.
Even The Hacker Team, the highly respected company that sells the tools to break into mobile devices to the government agencies such as NSA, FBI, and Police forces in multiple nations, said a couple of weeks ago when they offered to sell their entire arsenal of tools to another company, that they have software that was guaranteed to hack into every phone, tablet, etc. in the wild, including Android, Microsoft, Symbian, RIM, jailbroken iPhones and iPads . . . but not unjailbroken iPhones or iPads. The Hacker Team stated they had been unsuccessful in breaking into iOS devices.
Now let's talk about off-line decryption of iOS and Apple iCloud files. Apple mobile devices are encrypted to a 256 bit AES standard using the user's passcode entangled with the device's UUID. That passcode is hashed as is the entangled key and both are put into a secure location INSIDE the device's processor called FileVault, not accessible outside the device. Everything leaving the device to be stored on the iCloud is already encrypted to that 256 AES standard to which Apple does not have the key. Got it?
Apple then splits your encrypted data into four sections, entangles it with other at least four other users' data, and then encrypts it again to an additional 256 bit AES standard to when Apple does have the key. . . but remember, what they are encrypting is already just so much entangled gobble-do-gook. Only the original user, using his passcode AND the UUID of the device can access it. OOPS, that means any attempt to get at it requires it be done FROM that device.
How long would it take for the hypothetical authorities to break your encryption?
You apparently don't have a grasp of the sheer magnitude of the numbers involved. Do you even have an inkling of how long it would take to brute force your way into an even moderately complex passcode? I calculated the time a supercomputer capable of checking 50,000 potential passcodes per second would take to check all possible passcodes.
Frankly, ConservativeMind, that supercomputer would probably decompose into subatomic particles, given the assumed half-lives of protons and neutrons, before it finished. There still might be some electrons wandering around. I literally had to look up the names of really huge numbers to talk about it sensibly, because no one uses numbers this big!
Apple allows us to use every single one of the 223 characters accessible from the keyboard in our passcode. . . and your passcode can be up to 256 characters long. And they've allowed that for some time. Most people don't bother with huge, complicated codes.
Although Apple does prohibit having any three characters sequentially identical, you are free to do anything else. Essentially, your passcode can be any character string combination. That gives you the possibility of having up to 256^223 passcode combinations. I'm not going to try and figure out how much smaller a number the Apple limitation of no more than two consecutive characters would make it, since that would eliminate triple, quadruple, etc., all the way up to 256 identical characters in the passcode. I'm not sure I would even know where to begin calculating that. . . But no matter, it's still a huge number.
Think about that very huge number. Just 16 numeric numbers plus a four digit date code makes it almost impossible for fraudsters to hit on a valid credit card number. Adding the three digit security code makes it even harder. Nine numbers in our Social Security numbers makes it almost impossible to hit valid SSNs. Here we have possible combinations almost infinitely larger than either of those that can be used to encrypt your data.
But it is even better than that, ConservativeMind . . . because after YOU select your passcode to use, your Apple computer or device entangles that passcode with the 128 bit Universally Unique IDentifier (UUID) assigned to your device. Now, that gives a potential 384^223 possible passcode combinations.
That combined, entangled KEY is then converted to a HASH on your device so that it cannot be reverse calculated from the HASH, and then used to encrypt your data to a 256 bit Advanced Encryption Standard (AES) file, unlockable only with the original key. . . which is kept only on the device's FileVault as a hash.
A Googol is 10^100, a very large number indeed. This number of possible passcode combinations is FAR larger than a Googol.
Any encrypted data is either kept on the iPhone or then uploaded by YOU to the iCloud as an encrypted file. Apple does NOT have a key that can unlock it. No one but you can unlock it.
THAT, my FRiend, is what is known as secure. If your upload is intercepted by anyone, all they see or record, is gobble-de-gook, garbage code. Unintelligible noise.
Apple may be required to hand over to the government what they are holding. . . and even be required by law to help the government gain access to what they have. But what can they do if they do not have the technology to do ANYTHING to gain access to the data they have stored? That is the situation as it stands.
How long would it take to try every possible combination of characters and numbers and symbols that could have been used to encrypt your data by brute force, ConservativeMind? Good question. Because that is what would be required, unless they can force YOU to reveal your passcode.
Of course, most people are NOT going to use a 256 character passcode. But a sufficiently complex shorter one is sufficient.
Let's assume your Passcode was a short, but complex, 16 character code. Recall, however, that it was entangled with your computer's or device's 128 character UUID, so the base is now 16 + 128 or 223^144, not quite so large as that previous number, but still huge. . . and quite a bit larger than a Googol.
1,052,019,282,033,700,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000.000,000,000,000,000,000,000,000,000,000,000, 000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000
That's 1.052 duovigintillion possible combinations, give or take a few.
If the government's supercomputer could check 50,000 passcodes every second, it could therefore test 1.5 TRILLION possible passcodes a year. Let's grant the government agency a 33% faster supercomputer and say they could check 2 TRILLION passcodes a year, OK? That means it would take their supercomputer only a mere. . .
5,260,096,410,168,500,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000.000,000,000,000,000,000,000,000,000,000,000,000,000, 000,000,000,000,000,000,000,000,000,000,000,000,000 YEARS. . .
to check all the possible passcodes to decipher your encrypted file that had been encoded with your 16 character complex passcode entangled with a 128 character UUID. It is possible they could, if they were outrageously lucky, get the data deciphered next week, but it more likely will take them a good portion of 5.26 Billion vigintillion (10^195) Years to break into your data. Double, triple, quintuple, or even multiply the speed of the government's super computer by a factor of 10,000. . . it makes only infinitesimal differences in the amount of time it would take to break your passcode. That's the law of very large numbers at work.
By that time, I think the interest in what you've hidden in your files might be moot, don't you think?
Obama vs Apple. Homo catfight.
Mind boggling, that encryption is.
One thing about Obama going after Apple is that Al Gore is on the board of directors at Apple: Things that make you go hmmm....
How else can Apple or another entity get your Apple security information? They can keylog your computer to capture your password entry. Is there yet another way? Yes, because, by default, Apple doesn't encrypt your iCloud information. You can, however, set an encryption key. Without that encryption key, your information is not secure at Apple.
Is there any other way? Yes, there is. You say “everything on iCloud is encrypted to 256 bit.” Apple says you are wrong! From Apple: “iCloud uses a minimum of 128-bit AES encryption, the same level of security employed by major financial institutions, and never provides encryption keys to any third parties.” (https://support.apple.com/en-us/HT202303)
Do you notice something else in that sentence? Apple says it has the keys, but won't provide them. It does not say that it can't provide them.
Let's get back to the official Apple link above that you've never read. There is a table below that sentence that says all of the security to and from Apple is only 128-bit minimum. That sort of blows a TON of your diatribe out of the water.
Do you note yet another way to get into your device? It goes on to say two-factor is optional. Even with two-factor, if the government has access to your email accounts and channels to receive the token (or can guess the security answers) they can reset your password and have full access to your iCloud information.
Apple last updated the information I used on June 3, 2015. Is your 256-bit information any more recent?
One more thing: If you've ever used iCloud, you are able to be compromised, as CNN states, here: http://money.cnn.com/2014/09/18/technology/mobile/apple-ios-8-security/index.html.
So, do you have more authoritative links you can provide to counter what Apple and CNN are saying about iOS 8?
Swordmaker never provided links to back his statements up. Please read what Apple and CNN say about iOS 8 security in my post.
“You mean like giving $150 billion to Iran and enabling them to build the bomb” while guaranteeing US protection of Iran’s means to do so?
> The answer should be a resounding, NO!
Absofreakinglutely!
Exactly. All this talk about 128 and 256 bit keys is silly. No one is going to do a brute force effort on such encryption when there are other (far easier) ways to get to the unencrypted data.
Uh, I don’t really have a cat in your fight with Swordmaker.
My points were simply
1. Encryption is interesting
2. Funny to see Obama going after something of Al Gore’s
No one should have access to others’ private info and we should all demand our government gtfo of our business
Have a great day.
No, that cannot happen either. The servers are general, not specific, and the update is initiated from the user end. Sorry. Keep trying.
Apple says you are wrong! From Apple: iCloud uses a minimum of 128-bit AES encryption, the same level of security employed by major financial institutions, and never provides encryption keys to any third parties.
My apologies, ConservativeMind, but I do not post information that I cannot back up. . . . You failed to read that correctly, ConservativeMind. . . read it again. Here, I will help you:
"iCloud uses a minimum of 128-bit AES encryption, the same level of security employed by major financial institutions, and never provides encryption keys to any third parties."
Do you see that word "minimum" which you oh so conveniently omitted from your rebuttal, ConservativeMind? That's because Apple is rapidly increasing their storage encryption to 256 bit AES standard across all of Apple owned server farms that Apple builds and maintains, but they do lease some storage from Amazon and Google, as well as in China with China Telecom. That storage is limited to the 128 bit AES storage. Apple has almost completed their conversion. Are you trying to argue that 128 bit AES standard is not secure? Tell that to the financial institutions that use it.
Do you notice something else in that sentence? Apple says it has the keys, but won't provide them. It does not say that it can't provide them.
Let's get back to the official Apple link above that you've never read. There is a table below that sentence that says all of the security to and from Apple is only 128-bit minimum. That sort of blows a TON of your diatribe out of the water.
What an assumption that I've never read it. I've read it and also read the complete Apple Technical PDF on Apple iCloud Security which outlines exactly how Apple implements iCloud security and its policies, and I've read CEO Tim Cook's open letter specifying that Apple will never release any user's data.
Now let me refresh you on what I wrote in my detailed (but in which I did not go completely into all the detail of all their servers as above) response which summarized some of what was in that PDF and Cook letter:
"Apple then splits your encrypted data into four sections, entangles it with other at least four other users' data, and then encrypts it again to an additional 256 bit AES standard to when [damn auto-correct, that had been "which" - Swordmaker] Apple does have the key. . . but remember, what they are encrypting is already just so much entangled gobble-do-gook."
You see, ConservativeMind, I DID tell you that Apple has the key to what THEY encrypted. . . which is the data that is already encrypted when it comes from the user. If the user does not set a passcode for the device, it will use the AppleID for the encryption and entangle THAT with the UUID of the device. That is somewhat less secure. . . but Apple will not know that.
If the user sets a passcode to his device, which was my point, Apple does not have it, and therefore cannot provide it to anyone. Your claim that "Apple has the keys" is just completely false as it applies to the users' keys!
One more thing: If you've ever used iCloud, you are able to be compromised.
iCloud has not been compromised. Some celebrities who used weak security questions which could be learned merely by reading fanzine biographies on them had their passwords changed, but iCloud itself has not been hacked.
That article by CNN was simply wrong and prompted CEO Tim Cook to write the open letter to Apple's users telling them that Apple would NOT provide their data from the iCloud and could not in any case because it was encrypted. He categorically stated that user privacy was primary for Apple. If you "share" your information in an open "public" folder on iCloud, then yes, the government can get ahold of anything you put in that public folder. . . but nothing else.
As for "Guessing" security questions, if anyone is smart, the answers to their security questions will NOT be anything that can be guessed by someone who knows anything about them. Nor does your two factor point hold any water. Again, it requires more than mere government snooping and it requires the entry of a password.
Sorry, you just are not correct in your assumptions, either about me or my knowledge about Apple's security. This is an area that I know more about than you.
You keep throwing anti-Apple spit wads but you are missing your target because you really don't know anything factual about it. I do.
You don’t know the first thing about encryption and the fact that the government doesn’t brute force keys.