Monday, February 22, 2016

Encryption isn't at stake - What I am reading 2/22/2016

Ars Technica - Encryption isn’t at stake, the FBI knows Apple already has the desired key -

Whether you call it a "backdoor" or not, it's important to recognize that the ordered changes to the iPhone operating system would not circumvent the core of the iPhone's encryption. The court isn't asking Apple to defeat the encryption in any way. Nor does the court require Apple to create a vulnerability that would jeopardize the security of any other phone. Rather, it's asking Apple to do the one thing that Apple alone can do: use the iPhone's built-in method of installing firmware written by Apple.
Hypothetically, if the special firmware were to leak, what exactly would prevent people from making it work with a different unique identifier—or even with any unique identifier? This concern strikes at the very heart of the matter, and it's why Apple is involved at all.
The iPhone requires that its firmware have a digital signature that authentically demonstrates that the firmware was developed by Apple and has not been subsequently modified. The FBI does not have (and is not asking for) access to Apple's signing key. It is instead asking for Apple to use its signing key to sign the custom firmware so that the iPhone will accept it and run it. It is this signature requirement that means the FBI cannot create the software itself.
It's this same requirement that also means that iPhone users would be safe even if the special firmware leaked. Changing the embedded unique identifier within the special firmware would break the signature and thus cause targeted iPhones to reject the firmware. This is why complying with the court demand would not jeopardize the security of any other phones. The cryptographic safeguards don't allow it.
I was discussing this both at work on Friday and with friends online Friday night. These are the same points I was trying to make then. It's my contention that the reason that Tim Cook is fighting this so hard is that it would be a PR disaster for Apple if people think that they can write special firmware that will decrypt their data. It isn't about the reality of the situation, it's all about perception.
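To make the signature argument above concrete, here is an added example, not from the Ars article and not Apple's actual implementation: a vendor-signed firmware image carries an embedded device identifier, the device verifies the vendor signature before checking the identifier, and editing the identifier in a leaked image breaks the signature. The key pair, identifiers and firmware body are constructed for the demo, and Ed25519 stands in for whatever scheme the real boot chain uses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// FirmwareImage models a signed image: the code body, the unique device
// identifier it is locked to, and the vendor signature covering both.
type FirmwareImage struct {
	DeviceID  []byte
	Body      []byte
	Signature []byte
}

// signedBytes is exactly what the vendor signs: a length-prefixed device
// identifier followed by the body, so neither can change without breaking it.
func signedBytes(deviceID, body []byte) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, uint32(len(deviceID)))
	buf.Write(deviceID)
	buf.Write(body)
	return buf.Bytes()
}

// SignFirmware plays the vendor: only the holder of the private key can do this.
func SignFirmware(priv ed25519.PrivateKey, deviceID, body []byte) FirmwareImage {
	sig := ed25519.Sign(priv, signedBytes(deviceID, body))
	return FirmwareImage{DeviceID: deviceID, Body: body, Signature: sig}
}

// DeviceAccepts plays the phone's boot check: the burned-in vendor public key
// must verify the image, and the embedded identifier must match this device.
func DeviceAccepts(pub ed25519.PublicKey, myID []byte, img FirmwareImage) bool {
	if !ed25519.Verify(pub, signedBytes(img.DeviceID, img.Body), img.Signature) {
		return false
	}
	return bytes.Equal(img.DeviceID, myID)
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	target, other := []byte("constructed-id-0001"), []byte("constructed-id-0002")
	img := SignFirmware(priv, target, []byte("constructed firmware body"))
	fmt.Println("target device accepts:", DeviceAccepts(pub, target, img)) // true
	fmt.Println("other device accepts:", DeviceAccepts(pub, other, img))   // false: ID mismatch
	img.DeviceID = other // "retarget" a leaked image by editing its identifier
	fmt.Println("retargeted image accepts:", DeviceAccepts(pub, other, img)) // false: signature broken
}
```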

Boing Boing - Forced arbitration clauses are a form of wealth transfer to the rich -
A federal judge called America's move to forced arbitration and bans on class-action suits -- bans favored and enabled by Scalia -- "among the most profound shifts in our legal history."
I tend to agree; legal disputes should be settled in court. Unfortunately there are far too many frivolous suits, but you can decide for yourself.

Learn Code The Hard Way - Learn C The Hard Way -

Obviously I didn't read the entire thing, but I skimmed through a couple of chapters. I just thought my non-existent readers may enjoy the free version.

Krebs on Security - This is Why People Fear the ‘Internet of Things’ -

Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. Now imagine that the geek gear you bought doesn’t actually let you block this P2P communication without some serious networking expertise or hardware surgery that few users would attempt. This is the nightmare “Internet of Things” (IoT) scenario for any system administrator: 
Like the cloud, IoT is evil; stay away.

SANS - California AG Says Not Adopting Critical Security Controls Indicates 'Failure to Provide Reasonable Security' (February 16, 2016) -

Pretty self-explanatory. Here is a link to the source document.

The Hacker News - Now We Know - Apple Can Unlock iPhones, Here's How to Hack Proof your Device -
And this is the first time when Apple has not denied that it can not unlock iPhones, rather it simply refused to build the FBI a Backdoor for the iPhone, in an attempt to maintain its users trust.
So, now we know that Apple is not doing so, but it has the ability to do so.
Hmmm, I think I read that someplace else. If only I could remember where.
