Geekzone: technology news, blogs, forums
BlinkyBill
1061 posts

Uber Geek


  #2583291 12-Oct-2020 18:36

SaltyNZ:

 

BlinkyBill:

 

No, I’m not particularly expert. But I see no reason why a back door can’t be created by the encryption manufacturer, for which they hold the key and provide the data on a warrant from a judge. In this case the user is the manufacturer.

 

Just saying this approach is ‘not secure’ is not an argument.

 

 

 

 

It doesn’t matter who holds the key. Even the supposed security experts can’t keep their keys to themselves.

Or look at it slightly differently. Apple, Microsoft, Nintendo, Sony — all of these companies have more money and experts than god, and spend it trying to make perfectly unbreakable schemes so that they can lock you into using the hardware you bought only in the way that makes them the most money.

 

They all failed. All of them have been broken, fixed, and broken again. Over and over and over.

 

How can you possibly think that a system with a deliberate weakness in it could somehow be completely secure when the ones that are designed to be harder than diamond, right down to the hardware, are not?

 

 

What is the deliberate weakness? I can’t recall, for example Apple, being hacked into by criminals. Do you have a citation?





BlinkyBill


Behodar
7171 posts

Uber Geek

Trusted
Lifetime subscriber

  #2583299 12-Oct-2020 18:39

As an example, this table shows when the bootloader encryption was broken for each iPhone and/or version of iOS.

 

BlinkyBill: What is the deliberate weakness?

 

 

The backdoor is the deliberate weakness.


BlinkyBill
1061 posts

Uber Geek


  #2583308 12-Oct-2020 19:01

Behodar:

 

As an example, this table shows when the bootloader encryption was broken for each iPhone and/or version of iOS.

 

BlinkyBill: What is the deliberate weakness?

 

 

The backdoor is the deliberate weakness.

 

 

I’m not sure Jailbreaks are the same as defeating encryption, but I’m not an expert, why is this the same?

 

Do you use a credit card to buy stuff on the internet? HTTPS? Internet banking? Renew your passport on the internet? Use email?

 

Apart from email (not secure email) all of these rely on encryption with keys - why are these different?





BlinkyBill


shk292
1977 posts

Uber Geek

Lifetime subscriber

  #2583332 12-Oct-2020 20:55

It's a long time since I studied cryptography, but the way I understand it is that with a good crypto system (eg Truecrypt in its day), unless you have the user-defined key, the only way to decrypt is with brute force.  And for a reasonable key length, brute force is not feasible.  So there is no way, other than extorting the key from the user (and only the user), to extract the data.

 

By adding a back door, you're trusting someone, or a group of people, or organisation, not to divulge the back door key.  So it's no longer secure, and sooner or later this key/method will be leaked.  Worse still, if the backdoor is equivalent to a master key, then using/leaking it for one set of data exposes any data encrypted with the same tool.


elpenguino
1485 posts

Uber Geek

Subscriber

  #2583361 12-Oct-2020 22:25

shk292:

 

By adding a back door, you're trusting someone, or a group of people, or organisation, not to divulge the back door key. 

 

 

https://www.dw.com/en/nsa-and-british-spies-hack-into-dutch-company-producing-sim-cards/a-18270000#:~:text=Operatives%20from%20Britain%20and%20the,by%20NSA%20whistleblower%20Edward%20Snowden.

 

 

 

Or as seen in the GSM SIM case, be hacked. After all, that back door key will be a juicy prize to your enemies.


elpenguino
1485 posts

Uber Geek

Subscriber

  #2583366 12-Oct-2020 22:41

BlinkyBill:

 

freitasm:

 

@BlinkyBill would you be happy for the local police station to have a copy of your house keys?

 

It's a simple yes or no question.

 

 

No, BUT, if the lock manufacturer had a master key, and the Police could access this master key on a warrant issued by a judge then I am OK with that.

 

The Police can sledge-hammer open a door on a warrant, if necessary. They can force entry.

 

 

I think Freitasm's analogy could be improved because we don't use encryption to hide from the state. The state has vast powers and, if they want to read your communications but can't, will come into your house and install a camera to watch what you type into your computer and/or install a key logger in your keyboard etc.

 

A better analogy might be: Just because the state asked, would you be happy to live in a rough neighbourhood and just because the police asked, use a lock that takes the key on the left when you could use a lock that takes the key on the right?

 

I wouldn't be.

 

Remember the police asked you to do this just in case they want to drop in and check you're not fiddling with kids or something.


BlinkyBill
1061 posts

Uber Geek


  #2583402 13-Oct-2020 07:51

Neither Elpenguino nor Freitasm seem to get it. Neither analogy is reasonable because I contend that the Police, or any Government agency, would NOT hold the key. Any back-door solution needs appropriate checks and balances and both of the analogies are superficial in the extreme.

 

Here is the scenario: Apple develops an encryption system for their iMessage system, and builds in a back door to which their Chief Security Officer alone holds the key. The Police suspect Fred Bloggs of committing a heinous child-trafficking crime via iMessage and put a case to access the iMessage messages to a judge. The judge agrees and issues a warrant accordingly. Police then present the warrant to Apple, who use the key to decrypt Fred’s messages and revert to the Police.

 

Why is this approach inappropriate for assisting in securing public safety?

 

By the way, iMessage is already decryptable by Apple, who have been subject to court-cases and injunctions to provide the decrypted messages. This capability hasn’t impacted the use of iMessage and I know that I for one prefer iMessage over other open or less-secure technologies, I trust Apple more.





BlinkyBill


SaltyNZ
5480 posts

Uber Geek

Trusted
Lifetime subscriber

  #2583409 13-Oct-2020 08:19

BlinkyBill:

 

I’m not sure Jailbreaks are the same as defeating encryption, but I’m not an expert, why is this the same?

 

 

 

 

Because the encryption is the jail. Jailbreaking is the act of defeating the encrypted locks that stop unapproved code from running. And the point is that these schemes are designed to be unbreakable by the best minds in the business, and they still have unintended weaknesses that get them broken. A back door is a deliberate weakness, deliberately named after the act of building an underground vault with a 20 ton door, robot machine gun sentries, poison gas filled building outside with nuclear landmines leading up to the entrance ... and an unlocked manhole with a ladder that leads directly to the interior of the vault guarded only by a sign that says "Please do not climb down this ladder".

 

 

 

 

Do you use a credit card to buy stuff on the internet? HTTPS? Internet banking? Renew your passport on the internet? Use email?

 

Apart from email (not secure email) all of these rely on encryption with keys - why are these different?

 

 

 

 

These are different because these systems do not have a deliberate weakness built into them. And unless you've had your head buried under a rock you'll know that these get broken all the time too - but when they are, it's not because of the encryption, it's because someone screwed up. If there's some master key to crack the entire scheme, then that screw-up now doesn't just affect one business, it affects everyone.

 

You keep on saying you're not an expert; that's fine, but there are plenty of people who are, and they all say no. You don't need to listen to us, but you should listen to them. You could spend a year non-stop reading about all the stuff that the supposed elite couldn't keep safe, like Vault 7 (the CIA) or Snowden (the NSA). If they can't keep their secrets to themselves, how can PC Plod from the Huntly police station?





iPad Pro 11" + iPhone XS + 2degrees 4tw!

 

These comments are my own and do not represent the opinions of 2degrees.


SaltyNZ
5480 posts

Uber Geek

Trusted
Lifetime subscriber

  #2583413 13-Oct-2020 08:26

BlinkyBill:

 

Neither Elpenguino nor Freitasm seem to get it. Neither analogy is reasonable because I contend that the Police, or any Government agency, would NOT hold the key.

 

 

 

 

Well, as ten seconds of Googling will show you, if even the elite government agencies can't keep their secrets, how will a private company? Remember, the Apple you cite in the rest of this comment has already had their schemes broken repeatedly. And before you say 'Oh but that was the iPhone, not iMessage' then firstly, it has, and secondly, that's because iMessage is designed not to be easily vulnerable to some master hack which is why the cracks already found only affect individual devices.

 

Once it is, you bet your arse someone will hack it. People learn to crack iPhones because it's fun. How much more awesome would it be to crack the entire iMessage system?





iPad Pro 11" + iPhone XS + 2degrees 4tw!

 

These comments are my own and do not represent the opinions of 2degrees.


Lias
4258 posts

Uber Geek

Trusted
Lifetime subscriber

  #2583430 13-Oct-2020 09:14

Those of you who, like me, have been involved with the tech world since the last millennium may be feeling a sense of déjà vu.

 

The US tried this in the early-mid 90's with the clipper chip. They failed.

 

The US tried laws on the books declaring that cryptographic software was legally considered munitions, and they tried to prevent the export of software with strong encryption. They failed.

 

The US has repeatedly tried to weaken encryption systems during planning phases, or slip backdoors into them. They have mostly failed.

 

I like to think they will fail again, because for every big government tinpot dictator that thinks this is a good idea, there is someone who believes in privacy, free speech, and small government.





antonknee
492 posts

Ultimate Geek


  #2583440 13-Oct-2020 09:35

BlinkyBill:

 

freitasm:

 

@BlinkyBill would you be happy for the local police station to have a copy of your house keys?

 

It's a simple yes or no question.

 

 

No, BUT, if the lock manufacturer had a master key, and the Police could access this master key on a warrant issued by a judge then I am OK with that.

 

The Police can sledge-hammer open a door on a warrant, if necessary. They can force entry.

 

 

Now imagine that master key gets lost by the lock manufacturer. Imagine Bob the Burglar steals this master key. Imagine a couple of copies of the key are made (by the manufacturer just in case they need a spare, or a disgruntled employee who wants to damage their employer). Imagine the manufacturer decides to "check the master key works". Imagine an employee of the manufacturer is curious about your home and its contents.

 

Are you still comfortable that this access to your home exists?





Ant  Reformed geek | Referral links: Electric Kiwi  Sharesies  Stake


frankv
3935 posts

Uber Geek

Lifetime subscriber

  #2583468 13-Oct-2020 10:05

Here is another scenario, a variant on BlinkyBill's:

 

 

Huawei develops an encryption system for their routers, and builds in a back door to which their Chief Security Officer alone holds the key. The Police suspect Fred Bloggs of committing a heinous child-trafficking crime and put a case to access the messages to a judge. The judge agrees and issues a warrant accordingly. Police then present the warrant to Huawei, who use the key to decrypt Fred’s messages and revert to the Police.

 

 

Are we happy with this? Because the government certainly isn't. And why is Apple (and Facebook and Google) any more trustworthy than Huawei?

 

 


Rikkitic
Awrrr
12951 posts

Uber Geek

Lifetime subscriber

  #2583496 13-Oct-2020 10:49

I don't have specialist knowledge in this area, but just on general principles this seems to me like a very bad idea. How many data breaches have there not been in recent years by various government departments and official agencies? These are followed by a profuse apology (sometimes), assurance that it won't happen again, and a proclamation that they take our privacy very seriously. I don't trust any official body to possess the competence and judgement to have unrestrained and unsupervised access to everyone's personal secrets. If this kind of thing is to exist at all, there needs to be a proper review process for it, and I don't think a judge issuing a warrant meets that standard.

 

 





I don't think there is ever a bad time to talk about how absurd war is, how old men make decisions and young people die. - George Clooney
 


freitasm

BDFL - Memuneh
68841 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #2583504 13-Oct-2020 10:57

"Your privacy is important to us" is a boilerplate excuse...





 

 

These links are referral codes

 

Geekzone broadband switch | Electricity comparison and switch | Hatch investment (NZ$ 10 bonus if NZ$100 deposited within 30 days) | Sharesies | Mighty Ape | Backblaze | Coinbase | TheMarket | My technology disclosure


BlinkyBill
1061 posts

Uber Geek


  #2583509 13-Oct-2020 11:06

antonknee:

 

Now imagine that master key gets lost by the lock manufacturer. Imagine Bob the Burglar steals this master key. Imagine a couple of copies of the key are made (by the manufacturer just in case they need a spare, or a disgruntled employee who wants to damage their employer). Imagine the manufacturer decides to "check the master key works". Imagine an employee of the manufacturer is curious about your home and its contents.

 

Are you still comfortable that this access to your home exists?

 

 

 Imagine that the manufacturer is required to have appropriate controls in place to prevent inappropriate risks.





BlinkyBill

