JOHN MCAFEE: I'll decrypt the San Bernardino phone for free so Apple doesn't need to place a back door on its product

Samfisher
54 minutes ago, iamdarkyoshi said:

Some decrypting techniques involve dumping the device's RAM to look for the key. I think there was an exploit discovered for BitLocker that would allow you to grab the key, but it required that the key be entered previously.

You are talking about BitLocker.

 

Apple uses AES-256 with their encryption, and they say:

"No software or firmware can read them directly; they can see only the results of encryption or decryption operations performed by dedicated AES engines implemented in silicon using the UID or GID as a key. Additionally, the Secure Enclave’s UID and GID can only be used by the AES engine dedicated to the Secure Enclave. The UIDs are unique to each device and are not recorded by Apple or any of its suppliers."

 

Furthermore, you can read up about how the filesystem is encrypted on the fly, etc.

 

Source: https://www.apple.com/business/docs/iOS_Security_Guide.pdf
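
The property described in the quoted passage from Apple's guide, sketched as an added example that is not part of the original post and is not Apple's code: a passcode key that is stretched through a device-held secret can only be checked on the hardware that holds that secret. Assumptions: HMAC-SHA256 stands in for the silicon AES engine, and the class name, salt, round count and check label are all constructed for illustration.

```python
import hashlib
import hmac
import secrets


class SimulatedKeyEngine:
    """Stand-in for the hardware engine: the UID never leaves the object.

    Assumption: HMAC-SHA256 replaces the hardware AES operation so the
    example runs with the standard library only.
    """

    def __init__(self, uid=None):
        # Constructed per-device secret; a real UID is fused at manufacture.
        self.__uid = uid if uid is not None else secrets.token_bytes(32)

    def tangle(self, block: bytes) -> bytes:
        # Callers get only the result of the keyed operation, never the key.
        return hmac.new(self.__uid, block, hashlib.sha256).digest()


def derive_passcode_key(engine, passcode, salt, rounds=2000):
    """Stretch the passcode, passing every round through the device engine."""
    state = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 1)
    for _ in range(rounds):
        state = engine.tangle(state)
    return state


def check_value(key):
    """Value kept in flash so the device can recognise the correct key."""
    return hmac.new(key, b"constructed-keybag-check", hashlib.sha256).digest()


def passcode_matches(engine, guess, salt, stored_check):
    """True only if the guess is right AND the engine holds the right UID."""
    candidate = check_value(derive_passcode_key(engine, guess, salt))
    return hmac.compare_digest(candidate, stored_check)


def demo():
    salt = b"constructed-salt"
    phone = SimulatedKeyEngine()   # the device that encrypted the data
    other = SimulatedKeyEngine()   # different silicon, different UID
    stored = check_value(derive_passcode_key(phone, "4821", salt))
    return {
        "on_device_correct": passcode_matches(phone, "4821", salt, stored),
        "on_device_wrong": passcode_matches(phone, "0000", salt, stored),
        # Same flash contents and the right passcode, but no access to the UID.
        "other_hardware_correct_passcode": passcode_matches(
            other, "4821", salt, stored
        ),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
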

Link to comment

1 minute ago, Trik'Stari said:

I think they're just using it as an excuse to get something created, that they want created, so they can abuse it in the future.

 

They see an opportunity where they can get the moronic public to agree with them, and shoot themselves (the public) in the foot. Because "it's for your safety!" etc etc.

That's where the lazy part comes in to play.  They could develop a system to crack Apple phones:  For the future as well.

 

The spin is just a side effect of an overly emotional public.  We (as a mass public) have never learned to help one another enough to see through bullshit.  Individuals can, but evil-doers spin a stream of shit and it sounds like the truth to enough people to fuck it all to hell.   :|

Link to comment

McAfee is literally who I want to be when I am rich. 

Tip to those that are new on LTT forum- quote a post so that the person you are quoting gets a notification, otherwise they'll have no idea that you did. You can also use a tag such as @Ryoutarou97 (replace my username with anyone's. You should get a dropdown after you type the "@") to send a notification, but quoting is preferable.

 

Feel free to PM me about absolutely anything be it tech, math, literature, etc. I'll try my best to help. I'm currently looking for a cheap used build for around $25 to set up as a home server if anyone is selling.

 

If you are a native speaker please use proper English if you can. Punctuation, capitalization, and spelling are as important to making your message readable as proper night theme formatting is.

 

My build is fully operational, but won't be posted until after I get a GPU in it and the case arted up.

Link to comment

1 hour ago, stconquest said:

That's where the lazy part comes in to play.  They could develop a system to crack Apple phones:  For the future as well.

 

The spin is just a side effect of an overly emotional public.  We (as a mass public) have never learned to help one another enough to see through bullshit.  Individuals can, but evil-doers spin a stream of shit and it sounds like the truth to enough people to fuck it all to hell.   :|

The system to bruteforce IS already developed, and is easy to develop.

The hard part comes determining which 10 keys you would like to attempt before deleting all data.

 

The system to decrypt AES-256, however, is not real, and currently couldn't be.

Link to comment

3 minutes ago, Stuff_ said:

The system to bruteforce IS already developed, and is easy to develop.

The hard part comes determining which 10 keys you would like to attempt before deleting all data.

 

The system to decrypt AES-256, however, is not real, and currently couldn't be.

I am not experienced in cracking phones, but...

 

I imagined a process for cloning the drive then installing/reinstalling the clone in a make-shift iPhone (Display/controller/hardware adapted for easy use).  Use the clone to brute force the password let's say.  When the attempts fail, reinstall the clone and continue. 

 

I know it is crude, but it is what I imagined.

Link to comment

Just now, stconquest said:

I am not experienced in cracking phones, but...

 

I imagined a process for cloning the drive then installing/reinstalling the clone in a make-shift iPhone (Display/controller/hardware adapted for easy use).  Use the clone to brute force the password let's say.  When the attempts fail, reinstall the clone and continue. 

 

I know it is crude, but it is what I imagined.

The keys are implemented inside the silicon during manufacturing. That means you need the same hardware. This becomes unbearably difficult, if not impossible, because you never knew the key, and you can't clone the silicon.

Link to comment

1 minute ago, Stuff_ said:

The keys are implemented inside the silicon during manufacturing. That means you need the same hardware. This becomes unbearably difficult, if not impossible, because you never knew the key, and you can't clone the silicon.

So an electron microscope and access to the chip would do it then?

Link to comment

Isn't he a suspect for murder charges in Brazil or something?

Link to comment

Isn't it obvious? The real aim is to have a back door installed for all smartphones so FBI can do whatever they want. Cracking San Bernardino's phone is just a convenient excuse. If the FBI doesn't get it this time, they will just find another opportunity, until they get what they want.

Link to comment

Also for anyone who is not reading things carefully the iPhone that Apple has a court order for does not contain the secure enclave hardware element so no deep reverse engineering is required to extract any CPU protected keys. The iPhone 5c has no secure elements.

 

Apple is also lying about the software eventually getting out there as that would also require their private signing keys to get compromised which would in itself be far worse than any backdoor as that would allow anyone to write anything and the hardware would accept it as official firmware/OS/killswitch updates. It is like saying the entire central trust model will always fail (which is technically true but is still used regardless by all major players which include the internet in general (Root certificate holders)).

 

A far simpler solution on the weak security iPhone 5c is to just dump the flash memory chip and then it is open to a brute force attack. No secure element means no complications. This doesn't need a backdoor OS update or a non-apple official service.

 

Edit: Apple is conveniently forgetting that strong encryption technology also protects their software updates and hardware firmware (Public private key model) and is totally controlled by Apple and there is no easy way for malicious hackers to crack such protections.

Link to comment

4 hours ago, Stuff_ said:

What Apple is neglecting to mention is just because they don't store this burned in key doesn't mean they can't retrieve it later using advanced imaging and reverse engineering techniques (which being the designer and contract mfg would be trivial but expensive). Even more moot is the fact there is no secure element on the iPhone 5c so no fancy microscope needed.

 

Because of the central trust model if Apple lost their root private keys it doesn't really matter if they made a backdoor OS version or not all Apple devices would be totally insecure regardless of user pin codes. Of course everyone knows this and it isn't exactly ground breaking news as the internet has been using this so-so model for ages because it works good enough for 99% of users.

Link to comment

1 hour ago, Roawoao said:

What Apple is neglecting to mention is just because they don't store this burned in key doesn't mean they can't retrieve it later using advanced imaging and reverse engineering techniques (which being the designer and contract mfg would be trivial but expensive). Even more moot is the fact there is no secure element on the iPhone 5c so no fancy microscope needed.

 

Because of the central trust model if Apple lost their root private keys it doesn't really matter if they made a backdoor OS version or not all Apple devices would be totally insecure regardless of user pin codes. Of course everyone knows this and it isn't exactly ground breaking news as the internet has been using this so-so model for ages because it works good enough for 99% of users.

My personal stance on this is encryption should be available for ALL TO USE. It is for our protection. If a consumer becomes a terrorist, then that is not Apple's fault, nor is it the fault of the millions of other consumers. 

 

What you're neglecting to remember (as are most pundits) is that Apple is an international corporation. If this applies to the FBI, why wouldn't it apply to any other agency in another country? Apple is a BUSINESS, not a government service. Once you set a precedent that Apple is allowed to do this for the FBI, then other agencies want their share, and certainly other countries.

 

 

Link to comment

McAfee software was the end of America, maybe he's doing a solid for once.

R9 3900XT | Tomahawk B550 | Ventus OC RTX 3090 | Photon 1050W | 32GB DDR4 | TUF GT501 Case | Vizio 4K 50'' HDR

 

Link to comment

11 hours ago, Samfisher said:

That's really not what social engineering is though. That's just digging through piles of crap for a folder with TOP SEKRET PASSWORD on it.  Social engineering is combing through your life to see who and what kind of person you are, and making educated guesses on what could possible be your password.

Not quite - social engineering when used in a negative sense can be used to grant access to services by resetting passwords. Eg, you have a name and date of birth for someone, Amazon needs that information to reset your password. Once in there it has the email address of an account plus their purchase history. You then go to the email provider, request a lost password and answer the security questions. Generally you can guess the answers based off someone's Amazon history if they're a big user of it. Now you've got their email. Next you can look for bank statements, now you've got their bank ID. You can then go to the bank, request password reset - you've got the account number, DoB, full name and address - you can then get access to their accounts.

 

That is social engineering. There was actually a high profile case involving Amazon, Apple and XBox/Microsoft a few years ago you may want to look into.

 

A lot of this these days is combatted by 2 step verification however a lot of people forget that most 2 step verification programs simply send a text message to a phone and even if that phone is locked, a lot of people have text messages as viewable on their lock screen. Apple combats this through only allowing their verification codes to be shown once the phone is unlocked.

 

 

Link to comment

1 hour ago, Stuff_ said:

My personal stance on this is encryption should be available for ALL TO USE. It is for our protection. If a consumer becomes a terrorist, then that is not Apple's fault, nor is it the fault of the millions of other consumers. 

 

What you're neglecting to remember (as are most pundits) is that Apple is an international corporation. If this applies to the FBI, why wouldn't it apply to any other agency in another country? Apple is a BUSINESS, not a government service. Once you set a precedent that Apple is allowed to do this for the FBI, then other agencies want their share, and certainly other countries.

 

 

I'm almost certain Apple complies with China's requests already. Such as a source code audit (bad news for security) http://qz.com/618371/apple-is-openly-defying-us-security-orders-but-in-china-it-takes-a-very-different-approach/

 

Apple is not breaking your encryption or cracking your user code it is just being compelled to strip away Apple user interface measures for security. The government can and will compel corporations to provide assistance which is why there is a court order on the issue. I'm certain China being a big market has used their influence and market access to get concessions on these types of matters. (Weaker encryption, shared root trust for China devices, source code access, ...)

 

I'm of the opinion that if you want security do it yourself, it's the only way to be certain (Use defence in depth basically). Central trust models are flawed in that governments can compel the organization to assist using such central trust and as Apple clearly states they could in theory bypass everything with such authority. Security is a trade off, you're going to lose reliability and ease of use for higher security.

 

Example is if Apple required user only use all character type long (>12 chars) passwords then they really can't help the FBI as even if they bypassed everything they still can't crack the encryption based on the strong user key alone.

 

Link to comment

Fuckin' love this guy. Quote from the man himself: "Aww, no one should have to watch xHamster..."

Link to comment

11 minutes ago, Roawoao said:

I'm almost certain Apple complies with China's requests already. Such as a source code audit (bad news for security) http://qz.com/618371/apple-is-openly-defying-us-security-orders-but-in-china-it-takes-a-very-different-approach/

 

Apple is not breaking your encryption or cracking your user code it is just being compelled to strip away Apple user interface measures for security. The government can and will compel corporations to provide assistance which is why there is a court order on the issue. I'm certain China being a big market has used their influence and market access to get concessions on these types of matters. (Weaker encryption, shared root trust for China devices, source code access, ...)

 

I'm of the opinion that if you want security do it yourself, it's the only way to be certain (Use defence in depth basically). Central trust models are flawed in that governments can compel the organization to assist using such central trust and as Apple clearly states they could in theory bypass everything with such authority. Security is a trade off, you're going to lose reliability and ease of use for higher security.

 

Example is if Apple required user only use all character type long (>12 chars) passwords then they really can't help the FBI as even if they bypassed everything they still can't crack the encryption based on the strong user key alone.

 

Apple's "user interface measures" are not a user interface measure. I'm not even sure what a "user interface measure" means. But, it is to prevent the ability of unauthorized people to gain access to your device via brute force methods. 

 

I have a problem with those "I'm certain ____" arguments. Where is any proof besides your baseless accusations? 

 

How are you going to build your own encryption system into Apple's closed source system? 

And on top of that, you can't single-handedly build a secure encryption system. You need the help and work of a loooot of people.

Furthermore, most people aren't even smart enough to build anything secure anyway. 

 

You need corporations like Apple and Google to protect us by providing us with encryption systems. 

Link to comment

1 minute ago, Stuff_ said:

Apple's "user interface measures" are not a user interface measure. I'm not even sure what a "user interface measure" means. But, it is to prevent the ability of unauthorized people to gain access to your device via brute force methods. 

 

I have a problem with those "I'm certain ____" arguments. Where is any proof besides your baseless accusations? 

 

How are you going to build your own encryption system into Apple's closed source system? 

And on top of that, you can't single-handedly build a secure encryption system. You need the help and work of a loooot of people.

Furthermore, most people aren't even smart enough to build anything secure anyway. 

 

You need corporations like Apple and Google to protect us by providing us with encryption systems. 

It is a user interface measure the lock screen timeout and auto-wipe are governed by the UI (the operating system) not the non-existent secure element on the iPhone 5c. Apple won't comment on what they gave China and only says they never let China access their internal servers. What does that tell you when the Chinese media says Apple agreed to a security audit. (Probably just gave them a usb drive with what China was asking for so they could say no one ever access Apple servers)

 

How do you build your own encryption system.

Step 1) Don't use an iPhone.

Step 2) Build your own app that runs off open source peer reviewed code which you yourself understand for whatever purpose you want it for

Step 3) Your security is now in your own hands.

Step 4) Sell it to others for profit in a Kickstarter then get a secret court order to hack it.

Step 5) You get found out no one buys your software anymore.

Step 6) Retire with lots of money while commenters argue about everything else.

 

If you're not smart enough to build your own security using off the shelf code (copy paste programming is easy) then you will just have to accept using lesser solutions that are vulnerable to such measures.

 

You think Google and Apple really care about user privacy it is just a marketing tick. If public opinion really took a swing in the other direction (where privacy was generally frowned upon by everyone for some reason) then they would market the reverse, customer is always right. Also Google's product is your information so yeah... (I'm fine with that it is a free service after all)

Link to comment

35 minutes ago, Roawoao said:

It is a user interface measure the lock screen timeout and auto-wipe are governed by the UI (the operating system) not the non-existent secure element on the iPhone 5c. Apple won't comment on what they gave China and only says they never let China access their internal servers. What does that tell you when the Chinese media says Apple agreed to a security audit. (Probably just gave them a usb drive with what China was asking for so they could say no one ever access Apple servers)

 

How do you build your own encryption system.

Step 1) Don't use an iPhone.

Step 2) Build your own app that runs off open source peer reviewed code which you yourself understand for whatever purpose you want it for

Step 3) Your security is now in your own hands.

Step 4) Sell it to others for profit in a Kickstarter then get a secret court order to hack it.

Step 5) You get found out no one buys your software anymore.

Step 6) Retire with lots of money while commenters argue about everything else.

 

If you're not smart enough to build your own security using off the shelf code (copy paste programming is easy) then you will just have to accept using lesser solutions that are vulnerable to such measures.

 

You think Google and Apple really care about user privacy it is just a marketing tick. If public opinion really took a swing in the other direction (where privacy was generally frowned upon by everyone for some reason) then they would market the reverse, customer is always right. Also Google's product is your information so yeah... (I'm fine with that it is a free service after all)

It is a core OS security measure, it is not a "User Interface measure." 

I'm talking about encryption of your OS file system, not some application encryption. 

 

You are assuming using the encryption is as easy as copy-paste code, and there is no incorrect way to implement it.

There is.

 

Apple and Google DO care about user privacy and encryption. You are mixing up a lot of things, and quite frankly, sounds like you're really ignorant about the subject and tin-foil hat-y. :/

 

 

Link to comment

Just now, Stuff_ said:

It is a core OS security measure, it is not a "User Interface measure." 

I'm talking about encryption of your OS file system, not some application encryption. 

 

You are assuming using the encryption is as easy as copy-paste code, and there is no incorrect way to implement it.

There is.

 

Apple and Google DO care about user privacy and encryption. You are mixing up a lot of things, and quite frankly, sounds like you're really ignorant about the subject. :/

 

 

Core software OS obviously the lock screen UI is pretty core UI element. The file system is protected on the phone only by a salted (User pin + UID) and the OS is not needed to brute force this. There is no secure element. Arguably application encryption is more secure especially when the phone is off because you can't ever ask Apple to help as the user could have written it themselves or customized the application in their own way. This is why there are advantages to an open system as the user could even protect the entire volume.

 

Obviously you can do it wrong but it is all under your control that is the only way to have control.

 

Apple and Google care about user privacy and encryption as much as it makes sense from a business perspective. If the public opinion hypothetically changed they would flip instantly on a dime to follow.

Link to comment

37 minutes ago, Roawoao said:

Core software OS obviously the lock screen UI is pretty core UI element. The file system is protected on the phone only by a salted (User pin + UID) and the OS is not needed to brute force this. There is no secure element. Arguably application encryption is more secure especially when the phone is off because you can't ever ask Apple to help as the user could have written it themselves or customized the application in their own way. This is why there are advantages to an open system as the user could even protect the entire volume.

 

Obviously you can do it wrong but it is all under your control that is the only way to have control.

 

Apple and Google care about user privacy and encryption as much as it makes sense from a business perspective. If the public opinion hypothetically changed they would flip instantly on a dime to follow.

A component of the UI is displaying the passcode. Using that passcode to unlock the device is a completely different system, a much lower level OS part. 

 

Even businesses now do encryption wrong. We've seen it many times. It's not something you read a 10 page paper on and suddenly you can implement and protect yourself. 

 

Public opinion on encryption hasn't been all-in-favor. Cryptography isn't a new system by any means, and generally has been reserved for the more important issues (user data not being one). Only now, with the "Internet of Things" we now need to protect more than just the governments, or corporations. End users need to have their stuff encrypted as well.

 

Link to comment

Just now, Stuff_ said:

A component of the UI is displaying the passcode. Using that passcode to unlock the device is a completely different system, a much lower level OS part. 

 

Even businesses now do encryption wrong. We've seen it many times. It's not something you read a 10 page paper on and suddenly you can implement and protect yourself. 

 

Public opinion on encryption hasn't been all-in-favor. Cryptography isn't a new system by any means, and generally has been reserved for the more important issues (user data not being one). Only now, with the "Internet of Things" we now need to protect more than just the governments, or corporations. End users need to have their stuff encrypted as well.

 

The OS from UI to low level code is just software the iPhone 5c in question has no secure enclave and in the end just a salted (UDID + User pin) is being used to protect the actual encrypted data.

 

Well technically speaking it is impossible to have perfect security there is some balance depending on your needs. 

 

Exactly my point public opinion in general isn't all in favour of unbreakable encryption but the target audience of users that Google/Apple find valuable do care more such as yourself. But if everyone using Apple devices and Google services started say rioting for some random reason to have no encryption any more they would dump encryption like a hot potato. Of course that is never going to happen realistically but Google/Apple only care about what their customers want they themselves are not going to suddenly defy their market/product demands.

 

End users do not all need total encryption there are a number of pitfalls when using strong security models where you don't need it. Say you self manage your own FDE for everything from your family photos to your business documents. One day your drive crashes and you lost the recovery key. Now data recovery is impossible especially if the encrypted volume key was corrupted.

 

Say you have a smart fire detector with perfect encryption and one day a forgetful employee fails to update the certificates when pushing an update out and bricks all your devices due to a security chain failure and the device fails to operate in an actual fire.

 

Say you have a thermostat with a bad update due to high security certificates being wrong in some minor way and the device drops out into recovery mode in the dead of winter and your pipes freeze and your insurance company is sad.

 

Strong security causes trade offs. Self managed security is the only way to have extremely strong security but yes it too is full of pitfalls as well.

 

Frankly I don't care if my thermostat is encrypted or not. It is just not connected to the internet because that is stupid. Why pay 50$ more for a wifi floor heater thermostat with encryption and all the bells and whistles when you just set it to a low idle temp and turn it up when you want it warmer.

Link to comment

He won't do it no way there's been four jailbreak teams each of about 4-20 people looking for vulnerability in iOS 9.1 and up and so far they've come up with nothing so if 80 people can't find a vulnerability in 6 months almost how the hell is he gunna find one in 3 weeks!

I lurk a lot

Link to comment