* Posts by John H Woods

3577 publicly visible posts • joined 14 Nov 2007

Latest in Apple v FBI public squabble over iPhone crack demand

John H Woods Silver badge

Re: Will it apply to other technology too?

"It cost Apple more to write Tom Crook's letter than it would do to for them to disable the pin retry counter."

Depends what you mean by cost: in one sense, it didn't cost Gerald Ratner anything to say that his products were "total crap" -- in another you could easily argue it cost £0.5 billion.

John H Woods Silver badge

Re: "... the data in the memory chips is not encrypted."

"I believe it's very likely possible to 'crack' their way past the phone's security, but I don't think it's "very easy"." -- JeffyPoooh

This is the key issue: whilst brute forcing the cryptography is probably infeasible (and if it were possible those capable of it would be very reluctant for that to become known), that does not mean the device itself cannot be hacked open.

If the phone were suspected of containing the date, time and location of a credible NBC attack, government would have deployed a good deal more effort: even the lack of forensic care during custody is evidence against any such effort having been considered. That leaves us with, at best, the possibility the FBI is trying to do this "on the cheap" without regard for significant ramifications; and at worst that it is a deliberate attempt at setting a precedent.

John H Woods Silver badge

Re: Overreach

"I read that the couple had other mobile phones which they destroyed before their rampage - surely those would have been the most likely to have produced some evidence" -- Mitoo Bobsworth

Perhaps the Farooks forgot that this was a (possibly MDMd) work phone and were careless. And perhaps they just forgot to destroy this phone. And perhaps the iPhone has contact details for the Mr Big behind it all. And perhaps they never called Mr Big so there are no phone records. So perhaps this is necessary for the FBI to get his number ...

But Mr Big probably reads the news. So he's probably destroyed his burner phone anyway.

John H Woods Silver badge

Re: FBI's Comey

". . . we have awesome new technology that creates a serious tension between two values we all treasure – privacy and safety," -- Comey

I wonder if one of the obstacles to useful debate is the presentation of this as a simple tension between privacy and safety. My view is that anything that causes the innocent to have less privacy tends to decrease their safety, even if you were to accept (and I don't necessarily agree) that governments pose no threat to such safety.

John H Woods Silver badge

Re: Will it apply to other technology too?

"So, based on the FBI's reasoning, ASSA ABLOY, SentrySafe, etc. might be required to break into every safe or strongbox they manufacture that might be used by criminals... and at their own cost? Muppets." -- Lobotoman

In a small way, it's better than that -- it won't be at their own cost (although it seems unlikely they will be able to charge their reputational damage as cost). But in a bigger way, it's worse: not so much that they might be required to break into their own products but they might be required to create tools to allow others to do so.

John H Woods Silver badge

"Apparently Apple has worked on some 70 phones for the FBI previously. Now how much of this real, how much is BS, and how much is theatre, I have no idea." -- Mark85

It'll make it harder for you to come to a decision if you don't dig a bit deeper.

Plane food sees pilot grounded by explosive undercarriage

John H Woods Silver badge

"Isn't there some rule in place that states that if the pilots partake of a meal while flying they must pick different meals? I remember reading that somewhere." -- PassiveSmoking

In the bottom two lines of the article?

FBI says it helped mess up that iPhone – the one it wants Apple to crack

John H Woods Silver badge

Re: Right v. Wrong

"Why are they doing the right thing?"

When you have been given leave to do so, appealing a judgment with which you disagree may well be the right thing to do. People have to stop painting this as outright defiance of the court -- it isn't, at least, not yet.

John H Woods Silver badge

Re: Right v. Wrong

"Do you mean fourteen victims have no right to be sure all the people involved in their murder are found, or innocent discharged?" -- AC

No, I didn't mean that, and I (a) struggle to see how you can have inferred that and (b) despair that you should respond to a plea to move away from simplistic arguments with a simplistic argument.

There is obviously a proportionality issue here: I'm not just asserting common sense, the All Writs Act itself says [my emphasis]: "Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law."

It is trivial to show that it cannot be the case that absolutely anything is necessary and appropriate for a terrorist shooting of 14 people: for instance, even if the perpetrators were still at large it would probably not be considered "necessary and appropriate" to interrogate every US Citizen on the matter.

Furthermore, a Supreme Court ruling in 1977 on an All Writs Act order was that, although it was justified in the case before the court in that instance, "the power of federal courts [using this Act] to impose duties upon third parties is not without limits; unreasonable burdens may not be imposed".

So, it is not nearly as simple a matter as you suggest, which is rather the point of the comment to which you are replying so, rather in a triumph of hope over experience, I'm stating it again.

----

Addendum: Whilst re-reading this reply I also realised that the phrasing of the Supreme Court ruling uses the term "burdens" rather than "resources" and so presumably that includes things that are easy (handing over the signing key) because the burden in terms of corporate/brand damage could be considered unreasonable.

John H Woods Silver badge

Re: Right v. Wrong

"Apple needs to man up, do the right thing, and now." --- Common Guys...

Some of us think they are, and that is what is causing the problem. We know that the All Writs Act is a law on the statute books; that it seems likely the Act would support the order the court has made; that the phone belonged to a terrorist who killed 14 people; that Apple could do it quite easily; that Tim Cook may simply be grandstanding.

Those of us who think Apple are doing the right thing (and that may well include some who think they're doing it for the wrong reasons) will not be persuaded by merely restating the above facts, because they are not in dispute. Are you really expecting anyone you are arguing with here to go "oh, shit, I've just realised which phone we are talking about" and change their mind?

So, let's at least move the discussion on from "come on, you guys, it's simple"

John H Woods Silver badge

Re: they want Apple to do it ~For Free~.

"The refunds to companies that bought iPhones because of marketing people telling them no-one can gain access, not even Apple, etc etc?"

Why not? If I were Tim Cook I would comply on the basis that the cost incurred would be the development of the exploit firmware + the cost of destroying unsold 5c stock + the cost of offering all existing 5c customers a free swap upgrade to a phone model that would not be compromised by the new firmware.

John H Woods Silver badge

Re: This is despicable.

"the government has both a constitutionally allowed search warrant and the phone owner's permission to search the phone." --- tom dial

Surely, even if we disagree about who is in the right, we can agree that this is more complex than a search warrant issue. Apple are not preventing the government from searching the phone. The phone and its contents are in the possession of the FBI; it's just likely that it will be rather (if not prohibitively) expensive to make sense of those contents without Apple's assistance. That assistance, whether you think it should be forthcoming or not, is not, as far as I can tell, covered by any outstanding "search warrant".

Presumably, if a search warrant was issued against Apple (maybe on the basis they were a co-conspirator) they would have to hand over their firmware signing key. Then this would be a search warrant issue. As it stands, the direction of the court is "make this thing then hand it over to (or use it under the supervision of) the FBI." The court has used the All Writs Act because such a direction is not a "search warrant".

Black Monday: Office 365 down and out in Europe

John H Woods Silver badge

Re: News just in...

Achievement unlocked

US DoJ files motion to compel Apple to obey FBI iPhone crack order

John H Woods Silver badge

Re: Honest Question

"Yes, there's also some shuffling and such. " -- JeffyPooh

This "shuffling and such" is far more critical to the cipher than the use of the XOR function. If this did not happen, then a plaintext attack vulnerability would exist. None of what you have quoted supports the statement you made, which I rejected, that "The 'serious' encryption is universally the XOR function".

John H Woods Silver badge

Re: Just give it to Google....

That's pretty condescending. Read my response again properly and you will see that it is a response to someone suggesting cloning the storage and running "a million emulators" --- so none of the side channel, timing attacks etc. are available.

I would not be at all surprised if the phone can be cracked. But I would be very surprised indeed if a dump of its storage could be, especially because resistance to known plaintext is a particular characteristic of AES256.

John H Woods Silver badge

Re: Something doesn't compute

"Yeah right. I'm sure you would."

No need for hypotheticals --- one of the victim's mothers, Carole Adams, supports Apple in this matter.

John H Woods Silver badge

Re: Honest Question

The 'serious' encryption is universally the XOR function -- No, it isn't.

The WWII Enigma machine had billions and billions of combinations in the 'keyspace', but because they sent weather reports in standard format, and ended with "HEIL HITLER", the nearly-infinite rotor settings fell out each morning in about 20 minutes. -- Huge oversimplification. Known plaintext played a role, admittedly.

Far too many people stop and stare at the key length, do the 2^N math, and are dazzled by the billions of years. That's why they don't crack codes that way. -- Correct. But AES256 is specifically designed to be resistant to known plaintext attack. The keyspace is about 10^77. You need one heck of a speed up to get anywhere near billions of years here, basically you need to know a fatal flaw: a 10^36 (trillion trillion trillion) speed up wouldn't bring the keysearch within the bounds of feasibility.

"It would be extraordinary that the iPhone 5C just happens to represent the first uncrackable encryption system. So many have claimed that, all have failed so far." So far AES256 has resisted attacks fairly well.

You've made a lot of very authoritative sounding statements without supporting evidence.

John H Woods Silver badge


"Perhaps you're right. But don't forget 'never ascribe to malice that which can be ascribed to incompetence'"

Given that it is now being claimed the password was reset whilst in "government" custody, the level of incompetence is starting to become less believable.

John H Woods Silver badge

Re: Just give it to Google....

"I also like the idea of cloning the storage and run a million emulators to brute force it..."

Do you know how big 2^256 is? If, as is suspected, you'll have to, on average, search half the keyspace before hitting paydirt, that is 2^255 or about 6e+76 key attempts. Let's say you can do one per nanosecond (you'd need a hell of a computer, but let's say). That makes 6e+67 seconds. Let's say you have ten million of those computers. That means it'll only take 6e+60 seconds. Let's say there's a weakness in AES256 that you can exploit to give you trillion trillion trillion fold speed up. Now it's only going to take you about 6e+24 seconds.

That's only about 10 million times the current age of the universe.

John H Woods Silver badge

Re: Something doesn't compute

"How would you feel if someone you loved got murdered and Apple refused to play ball?"

How would you feel if someone you loved got murdered because Apple did play ball? For instance, someone that ISIS wanted to target, and who was very careful and discreet, is nevertheless killed because one of their kids lost their iPhone and it ended up in the wrong hands?

John H Woods Silver badge

Re: I can see both sides of the argument...

"Quite often thought needs to be given to the "old way" of doing something, and compare it with a contemporary problem to try and justify what is right and what is wrong with, in this case, Tim Cook's stance" -- Ken Moorhouse

A perfectly sensible approach ... but ...

"Let's say someone lodges an incriminating document in the vaults of a Swiss Bank. Would the bank accede to compelling legal requests to release the document?"

Ah, now that's the problem. If you are going to use analogies to form conclusions to the original case, they have to be analogous in the relevant respects. Try this.

A Swiss Bank vault may contain a document of as yet unknown value. There are four ways to open the vault:

a) the emergency code, which is well known but will destroy any such document

b) the secret code to the vault, the knowledge of which has disappeared with its deceased owner

c) cracking the door lock somehow

d) drilling through the concrete into the bunker.

Now, the FBI, aided by the DoJ, want to do (c) but they want the vault manufacturer to make a tool which will open this vault. However the vault manufacturer demurs on the grounds that such a tool will open many of the vaults they have already sold.

If there's a good chance the document contains the date, time and location of a nuclear attack, then why not just drill (i.e. attempt to use electron microscopy to read the required info that the chips won't divulge). It's expensive but it might be worth it.

In this case, it's pretty unlikely there is such a document. Vaults known to have been used by the deceased that probably did contain such documents have been destroyed by him. He shared this vault with someone else (his employer) so he probably didn't put any incriminating documents in it.

So it's probably not worth doing (d). And if it's not worth doing (d) I'm not sure it's worth doing (c). However, because the US govt doesn't care about any of the other vaults, bizarrely including the ones belonging to citizens that it is its duty to protect, it is going to insist on (c).

It seems to me that the only thing the vault manufacturer can do is comply with the order but I think they have a reasonable case that the cost of this isn't just the tool, but the necessity of offering free replacement vaults which are invulnerable to that tool to all its existing customers.

Top new IoT foundation (yeah, another one) to develop open standards

John H Woods Silver badge

Re: IoT - Has its time passed?

"It means I can turn the heating on as I leave the office and have a warm house when I arrive home, without wasting gas by having it come on based on a timer. "

Can I ask you how many degrees your indoor temp has dropped by the time you activate the heating?

Yahoo! is! up! for! sale! – so! how! much! will! you! bid!?

John H Woods Silver badge

Re: Our Highest Bid

upvote for "BARFERAGE"

Q: How many guns to arm nine coachloads of terrorists?

John H Woods Silver badge

Re: Isn't it more worrying ...

Dave 126 you are correct that my point about balance is not relevant here but only because you have shorn it of its context, as an adjoinder to a point that was (the complaint that journalism is increasingly uncritical repetition devoid of analysis).

It is ironic that you have done so because the essence of my original point was the importance of context. It may be perfectly correct to report that "100kg of lead was stolen from the roof of St Mary's, which the vicar noted was enough to poison the local reservoir." It's factually accurate, and amusingly the danger is actually more real: the lead is still at large! But, reported like this, it is just alarmist nonsense.

John H Woods Silver badge

"Does this mean there would also be 72 coachloads of virgins?"

648 by my reckoning.

John H Woods Silver badge

Re: Isn't it more worrying ...

"The BBC just quoted the Detective in charge who made that comparison with coach loads of terrorists." -- Michael B.

If only journalists had some other function than simply repeating what they were told! But the most one appears to be able to hope for these days is that they will try to achieve "balance" by repeating what they are told from people with alternative viewpoints. The idea of actually trying to find out which viewpoint might be closer to the objective truth now appears a quaint notion fading rapidly into the mist of the past.

John H Woods Silver badge

Isn't it more worrying ...

... that the BBC should be using this measurement when the arms cache in question was absolutely nothing to do with terrorism?

Feds look left and right for support – and see everyone backing Apple

John H Woods Silver badge

Re: Optional

You are suggesting that:

A1. There is a supporting network behind terrorists (I agree with this assumption)

A2. ?

A3. ?

<then some logic>

Therefore: It is "intellectually dishonest" to question why the reaction to terrorism is disproportionate.

I won't call it dishonesty, but the logical fuzziness here is all yours. My view is that some liberty is sacrificed for security. I'm satisfied that it is proportionate that I can be compelled to produce a DNA sample if I become a homicide suspect. Well, I'm against homicide you see, terrorist or otherwise. But, given the relatively low risk of homicide, I don't think it is proportionate for the government to track me everywhere I go and monitor everything I do. Even if I thought no harm could come of it (and I don't think that) it would be a massive waste of state resources.

I don't think that everybody should be made more vulnerable to bad actors (criminals, terrorists, foreign spies) on the off chance that it makes it easier to catch the same. Principally because any remotely competent members of these groups cannot be caught by compromising my privacy anyway.

John H Woods Silver badge

Re: rip out the SSD

I do hope you are not the same AC I just flamed, I'm beginning to despair.

John H Woods Silver badge

Re: Would amuse me that after all this fuss...

You appear to be arguing that I'm wrong but: (1) your statement that nuke secrets leaked because of Soviet infiltration does not prove the Chinese or other non friendly states can (or have) not infiltrated Apple -- indeed it rather suggests the reverse; (2) an ad hominem about "the Left" doesn't advance your argument very much. Tell me again why you think the exploit kit won't leak.

John H Woods Silver badge

Re: rip out the SSD

"If they need the info that bad then they should just rip out the SSD and brute force it. It's common for hard disks to be examined in this way so why does this need to be anything different" -- AC

It's understandable that you don't get how it works, it's technical and complex. It is, on the other hand, utterly incredible that you can pull an idea out of your arse in 5 minutes and think that the FBI has not considered that approach in the months they have had the phone.

John H Woods Silver badge

Re: Optional

"In short, are you willing to die for your principles?" -- Neverwas

Aren't you? Maybe we should have another name for them.

John H Woods Silver badge

Re: Forced Labour

"Don't be silly. Courts the world over order the disclosure of "evidence" from innocent parties every hour of every day."

Don't be silly yourself; Apple is not refusing to disclose evidence. They are refusing to build an Apple-cracking machine in much the same way Chubb would probably refuse to build a safe-cracking machine, even if the government said it would pay for the work.

John H Woods Silver badge

Re: Optional

"Tell it to the families and loved ones of the 14 dead...."

Why are the terrorist dead so much more important than those in school shootings? In RTAs? Being poisoned by the water suppliers? Responses need to be proportionate and, despite the Department of Let's Big Up the Jihadi Threat, the statistics really show that to be negligible in the USA and Western Europe.

"I can see it now, sales of idevices to terrorists goes through the roof."

If you think serious terrorists cannot communicate in unbreakable undetectable ways, perhaps reading some John le Carre novels might help; all that cold war tradecraft is in the public domain, you know.

John H Woods Silver badge

Re: Would amuse me that after all this fuss...

"never leaves the lab" is not possible. Even the NSA couldn't stop Snowden, the OPM couldn't stop the Chinese and remind me how long "how to build a nuke" stayed secret from the Soviets.

The Chinese would have a copy of this tool within seconds of it compiling.

John H Woods Silver badge

Just seen on Viz Top Tips ...

FBI. Apple not cooperating? Simply call Bono. He got into everyone’s fucking iPhone without permission.

Facebook and Twitter back Apple's privacy stance

John H Woods Silver badge

The FBI are increasing the terror risk ...

... if they were to be successful, any person in a remotely sensitive job will be at greater risk of terrorist attack if they, or one of their friends or family members, have their iPhone stolen.

Confused as to WTF is happening with Apple, the FBI and a killer's iPhone? Let's fix that

John H Woods Silver badge

"Then the FBI will put out a story that he coughed up the PIN" --- Gordon861

Now THAT would be a story!

Terrified robots will take middle class jobs? Look in a mirror

John H Woods Silver badge

Re: GPs

"So, NHS, perhaps there's an opportunity for you - recruit not fully qualified doctors but disillusioned techies?" -- MyffyW

Isn't this what they are doing with 111 agents? But I've always thought you were right, GPs need to be "people people" and prepared to refer to other experts!

Why Tim Cook is wrong: A privacy advocate's view

John H Woods Silver badge

"I don't have my life on my mobile. I don't use it for banking. I very rarely use it for securely accessing any web sites. If spooks are transfixed on my phone, then good luck to them." -- msknight

is approximately equivalent to

"I have nothing to say, so I don't care about freedom of speech"

Five Eyes nations must purge terrorists from the web, says Theresa May

John H Woods Silver badge

I think she should concentrate on killing bees and wasps ...

... they kill more people in the UK than terrorists, and she is the HOME secretary.

All-American Apple challenges US gov call for iOS 'backdoor'

John H Woods Silver badge

Re: Reverse engineering not possible?

"Surely, with their resources they could reverse engineer these devices to allow them to brute force the encryption." -- alcopops

Well, they could use electron microscopy perhaps, depending on any countermeasures used by the crypto hardware. Now that would be a specific-to-the-object approach. If the material is that important, then this is what they should try.