
SoylentNews is people

posted by cmn32480 on Sunday March 06 2016, @02:47AM
from the so-simple-that-a-gov't-employee-could-do-it dept.

Russia Today reports

The US public doesn't need a Digital Security Commission; they need the FBI to stop deceiving everyone and tell the truth that it wants to spy on Americans, John McAfee, developer of the first commercial anti-virus program, told RT's Ed Schultz.

[...] "The FBI wants Apple to change their software so that it removes the check for security, so that we don't check for security anymore. Once it has that software, they can use that software on any phone. But they say they only need it for one phone."

[...] "You need a hardware engineer and a [software] engineer. The hardware engineer takes the phone apart and copies the instruction set, which are the iOS and applications, and your memory. And then you run a program called a disassembler, which takes all the ones and zeros and gives you readable instructions. Then the coder sits down and he reads through. What he is looking for is the first access to the keypad, because that is the first thing you do when you input your pad. It'll take half an hour. When you see that, then he reads the instructions for where in memory this secret code is stored. It is that trivial--a half an hour.
...The FBI knows this, Apple knows this."

[...] "In either case, if they (the FBI) don't know, that is tragic; if they do know it, then they are deceiving the American public and Apple and everyone else by asking for a universal key."

Do you see any flaws in McAfee's explanation?

Previous: Apple Wants Court To Rule If It Can Be Forced To Unlock iPhones
Seems Like Everyone has an Opinion About Apple vs. the FBI
Update: TPP-Exposing Journalist Ed Schultz Lands on His Feet at RT
John McAfee Announces He Will Run For President of the United States


  • (Score: 1) by bitstream on Sunday March 06 2016, @06:41AM

    by bitstream (6144) on Sunday March 06 2016, @06:41AM (#314387) Journal

    One can't get the key using software because the hardware keeps it to itself. So no amount of disassembly would solve it. Thus to extract the key one needs to do the de-cap and probe route which is very risky. And the code-signed system software that handles the user passcode attempts will order the destruction of one of the required keys if too many attempts are made.
    (presumed Apple didn't fuckup)

    One could perhaps get the key to sign custom system software as this is the same for all phones with the same group key. Probably using the decap route on other phones of the same model. A new custom system software could then allow the passcode tries without attempting to erase anything. Writing it would require a lot of reverse engineering of course.

  • (Score: 1) by anubi on Sunday March 06 2016, @07:13AM

    by anubi (2828) on Sunday March 06 2016, @07:13AM (#314392) Journal

    Speaking of unique "keys" that each user creates for himself... have the phone "marry" its purchaser by having its purchaser speak a key to it. Digitize the voice - 16bit codec? Add every sample, with 16-bit rollover, then every 64'th sample sum to append to the key. The result of a couple of seconds of speech results in a couple of kilobytes of key. It would be damned hard for someone else to come up with that same key.

    Even if you played the key, it would not sound like speech because of all the rollovers. It would sound like white noise.

    It doesn't make any difference what you said - as neither you nor anyone else will ever be able to say it in exactly the same way again.

    The phone now has a unique array of numbers in it now... an array unlike any other phone will ever have.

    Reflash the phone? Fine. It's like new again. Gotta speak it another key. Forget all about anything in the phone already. It's a past life. Gone. Forever. The new stuff goes right over the old stuff as if it were never there.

    Digitized FM hiss has been a favorite way of mine to get random keys.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 1) by bitstream on Sunday March 06 2016, @07:59AM

      by bitstream (6144) on Sunday March 06 2016, @07:59AM (#314398) Journal

      Your key creation scheme seems good. But I doubt that even the same person can generate the same key again with that method. So it's only good for creating it one time to use as a system key etc. Still some assumptions can be made on amplitude and frequencies to narrow any brute force attempts.

      So what matters is how that key is used. If it can be eavesdropped or used when not intended it would still be defeated even if the attacker wouldn't know it.

      • (Score: 1) by anubi on Sunday March 06 2016, @09:35AM

        by anubi (2828) on Sunday March 06 2016, @09:35AM (#314415) Journal

        But I doubt that even the same person can generate the same key again with that method.

        I'm counting on that! Even the guy who made the key can't duplicate it.

        So it's only good for creating it one time to use as a system key..

        Yup, the only thing this is good for.... a generator of an absolutely unique block of numbers.

        If it can be eavesdropped...

        Even if you got an exact recording of the guy marrying his phone... even in a precision recording studio, it wouldn't help. Not the same digitizer. Not the same microphone.

        Now, as far as the phone leaking out its system key, once it has been assigned by its purchaser by "marriage vow"... that's out of my league.

        What I had in mind is "how do I easily generate some string of random stuff, easily, without possibility of anyone recreating the generation - given any "eavesdropping" while the key generation was taking place?"

        With this technique, I could marry my phone right at the point of purchase, with anyone taping me, photographing me, whatever. After I marry my phone, it has a key unique to me, and no-one, no matter what technology they used to watch me do it, could re-create the same key. Even I couldn't. All I could do is re-create a new key, which could be used to protect new content, but could not be used to decrypt anything encoded with the old key.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
        • (Score: 1) by bitstream on Sunday March 06 2016, @10:33AM

          by bitstream (6144) on Sunday March 06 2016, @10:33AM (#314421) Journal

          My thoughts on eavesdropping were about moving bits inside the device itself in digital form. Like from the CPU to memory etc.

          • (Score: 1) by anubi on Sunday March 06 2016, @10:58AM

            by anubi (2828) on Sunday March 06 2016, @10:58AM (#314427) Journal

            That's where it starts getting snicky.... where system-on-chip comes into play. Gotta keep that golden nugget completely under wraps where no one - even armed with a logic analyzer on all circuit paths to the chip - can deduce the key.

            I have come to the conclusion it's impossible to really secure my stuff... so I mostly do open-source Arduino-based stuff. I can generally harden it against outside attack ( my stuff is way too dumb to execute anything coming in - if it's not the right format, it just gets confused and ignores it. ). But if the attacker ever gets physical possession of my stuff... game over. It's wide open.

            When I was in Aerospace, it was an interest of mine to secure stuff, but it was almost impossible to have other people take me seriously. I could rant and rave till I was blue in the face about mixing code and data - and all it would get me is a high ranking on a layoff list.

            --
            "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
            • (Score: 1) by bitstream on Sunday March 06 2016, @11:49AM

              by bitstream (6144) on Sunday March 06 2016, @11:49AM (#314439) Journal

              My tip: When "idiots" want to be just that, let them! Your job is to get the cash ;)

              The downside is that one accommodates bad habits so it's a good idea to look for a new job. Being able to be proud of one's work is a life quality by itself.

              And the reason is just as you pointed out. Negative feedback and nothing to compensate for it. Even if you would get a bonus for a secure product but would be sacked for trying to correct errors. The cost of being without a salary would negate the bonus very easily. The laws of perverted incentives are quite pervert.

              Regarding security. One has to take a cost/benefit analysis.

        • (Score: 2) by q.kontinuum on Sunday March 06 2016, @10:48AM

          by q.kontinuum (532) on Sunday March 06 2016, @10:48AM (#314424) Journal

          Basically you'd try to find a new way to generate "random" numbers. Only the input is not 100% random really. It might work due to the longer key, but other than that you wouldn't need to reproduce the exact sound patterns, you'd just have to narrow down the key space by finding the right assumptions for possible samples. If that is possible, start brute forcing.

          You trade good random/short length against poor random/long key. Not sure this is safer or unsafer, or how it impacts performance. But one ground-rule of Cryptography is afaik "never roll out your own crypto".

          --
          Registered IRC nick on chat.soylentnews.org: qkontinuum
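
The running-sum key scheme from this thread and the key-space objection raised in the comment above, as an added example that is not part of any comment. The function names, the constructed 220 Hz tone, the "observer knows each sample to within ±1 LSB" noise model, and the SHA-256 conditioning step are assumptions made for illustration; none of them comes from the thread.

```python
import hashlib
import math
import random
import struct

MASK = 0xFFFF   # 16-bit rollover
STRIDE = 64     # one key word per 64 samples, as in the thread

def running_sum_key(samples):
    """Add every sample with 16-bit rollover; emit the sum every 64th sample."""
    acc, key = 0, []
    for i, s in enumerate(samples, 1):
        acc = (acc + s) & MASK
        if i % STRIDE == 0:
            key.append(acc)
    return key

def block_sums(key):
    """Consecutive key words differ by one block's sample sum (mod 2^16)."""
    return [(b - a) & MASK for a, b in zip([0] + key[:-1], key)]

def max_block_deviation(key, reference_key):
    """Largest modular distance between matching block sums of two keys."""
    dists = [(x - y) & MASK
             for x, y in zip(block_sums(key), block_sums(reference_key))]
    return max(min(d, 0x10000 - d) for d in dists)

def entropy_bound_bits(n_words, noise_lsb):
    """Upper bound if an observer knows each sample to within +/- noise_lsb:
    a block sum then takes at most 2*STRIDE*noise_lsb + 1 values."""
    return n_words * math.log2(2 * STRIDE * noise_lsb + 1)

def conditioned_key(samples):
    """Common alternative (assumption): hash the raw samples down to 256 bits."""
    return hashlib.sha256(struct.pack(f"<{len(samples)}h", *samples)).digest()

def constructed_recording(seed, noise_lsb, n=STRIDE * 32):
    """Constructed input: a 220 Hz tone at 8 kHz plus +/- noise_lsb of jitter."""
    rng = random.Random(seed)
    return [int(8000 * math.sin(2 * math.pi * 220 * i / 8000))
            + rng.randint(-noise_lsb, noise_lsb) for i in range(n)]

if __name__ == "__main__":
    clean = running_sum_key(constructed_recording(0, 0))
    take = running_sum_key(constructed_recording(1, 1))
    print("words:", len(take), "nominal bits:", 16 * len(take))
    print("max block deviation from known tone:", max_block_deviation(take, clean))
    print("entropy bound (bits): %.1f" % entropy_bound_bits(len(take), 1))
```

Under this noise model the key never repeats between takes, yet every block sum stays within 64 of the value predicted from the known tone, so the usable entropy is set by the noise rather than by the key's length.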
          • (Score: 1) by anubi on Sunday March 06 2016, @11:21AM

            by anubi (2828) on Sunday March 06 2016, @11:21AM (#314433) Journal

            Cryptography is afaik "never roll out your own crypto".

            So true! That's why I won't even try to generate the numbers mathematically.

            And also why I posted.

            Personally, I think - given the lack of any deterministic procedure for generating the numbers - it would be extremely difficult, if not impossible, to generate a duplicate key.

            Except, of course, brute forcing. And a several kilobyte key is gonna be pretty hard to brute force.

            I am looking at a one-time generation from about the noisiest thing I can think of that's part of a phone. Something that can generate a prodigious amount of data, quickly, and not likely ever generate it again. ( statistically speaking ). So it's gonna be the microphone or the camera.

            Another way of getting a bunch of numbers that you will not likely ever see again involves streaming data from the camera while twirling it around....

            My feeling is this is something the customer has to do to marry his device, to make damn sure no hanky panky takes place before purchase.

            If the customer ever needs to wipe his device, he is free at any time to re-do his marriage vow and start off anew. He does not lose his device, but all the files within are now permanently lost - to be treated as available memory for new files.

            Like Bitstream noted above... this is for generating a system key. Even the person generating the key won't be able to generate the same key again. The only reason I would ask the customer to do it is to make sure it's a fresh key.

            --
            "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 0) by Anonymous Coward on Sunday March 06 2016, @10:57AM

      by Anonymous Coward on Sunday March 06 2016, @10:57AM (#314426)

      have the phone "marry" its purchaser by having its purchaser speak a key to it.

      Speaking the code is not very secret. Can't do that during a meeting, etc. Plus, when you have a cold you're screwed. You'll still need a manual way of entering it ... which will be easy to break because everyone has heard you tell your phone "Siri, I'm in the mood" every time you accessed it.

      • (Score: 1) by anubi on Sunday March 06 2016, @11:31AM

        by anubi (2828) on Sunday March 06 2016, @11:31AM (#314436) Journal

        This is a one-time thing to make a system key. To make sure that you have just generated several kilobytes of numbers in a unique order.

        My intention is even if you married your phone to a high quality MP3 player, you could not get the same key again even if you played the exact same music... because your sampling is taking place at a slightly different time resulting in completely different digitizations. Add to that all the rollovers... there is so much random noise induced by quantizing errors and phase shifting that I claim it will be impossible to recreate a duplicate of a key made this way.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]