I May Just Have to Buy an iPhone Now

Not what I was saying. Brute forcing the actual AES-256 key is entirely different from brute-forcing the way the key is derived. Brute forcing the way the key is derived when the key is likely a 4 digit pin is really silly simple. Of course, they can't do that, because of the self-destruct feature.

We have no disagreement on that.

And yes, I mixed the two items in my statement.

The government *could* very likely extract the encrypted data from the device. They could then attempt to brute-force the AES-256 key all they want. I keep seeing people say this is a path the Feds could easily take. But what they don't realize is nobody can brute-force an AES-256 key right now. There's not enough compute power in the world to accomplish it within my lifetime using the technology that exists today or will exist 10 years from now (unless there's some absolutely major breakthrough in computer science, but that's very unlikely).

It may be possible, but would not be easy or timely. (and I stress "may" because even if it exists, it would not be made known that it exists).

There are places in government that possess substantially more computational power than would be made available to the agency involved here. Whether or not that is of sufficient power to break AES-256 is not known by anyone that could discuss it, and there are some very good national security reasons that a) the true computational power could not be disclosed, and b) if it were in fact able to be used on this device, it would not be used (or disclosed that it was used), nor would the data be disclosed. The parts of government that might possibly possess the power would not see this as part of an imminent threat, and would have no reason to disclose the data even to the CiC.

What we have at this point is a forensics investigation, not a national security intelligence operation, and therefore there's no need to even try a brute-force of the AES-256.
 
Then why did they unlock the previous 70 phones? Sounds to me like they already set the precedent.

Do we even know which version of iOS the prior phones were? Those may well not have been encrypted....
 
Do we even know which version of iOS the prior phones were? Those may well not have been encrypted....

Does it matter though? I mean it does from a technological standpoint, but not from a general privacy standpoint. Apple agreed to extract information from those phones. How they did it is truly irrelevant.
 
Does it matter though? I mean it does from a technological standpoint, but not from a general privacy standpoint. Apple agreed to extract information from those phones. How they did it is truly irrelevant.

Actually it is very relevant. And much different. If the data was not encrypted, then the problem is trivial.

Likewise, if there were no self-wipe feature, there is much less of an issue.

If it was encrypted, it is a significantly different matter.
 
Actually it is very relevant. And much different. If the data was not encrypted, then the problem is trivial.

Likewise, if there were no self-wipe feature, there is much less of an issue.

If it was encrypted, it is a significantly different matter.

That's sort of my point as well... Many here are praising Apple thinking they want to stand a moral ground for privacy. In reality they just don't want to rewrite software. If they truly cared about privacy they would not have unlocked those 70 phones. They would have said no, and let the Feds figure it out.
 
That's sort of my point as well... Many here are praising Apple thinking they want to stand a moral ground for privacy. In reality they just don't want to rewrite software. If they truly cared about privacy they would not have unlocked those 70 phones. They would have said no, and let the Feds figure it out.

As I understand it, Apple didn't "unlock" the prior phones that were running iOS 7.0 or earlier. On those devices, the user's data was not encrypted and, if legally required to do so, Apple used simple data extraction tools to read the data on the phone without unlocking them.

Beginning with iOS 8.0, Apple re-designed the phones such that the data was encrypted and not accessible even to Apple's data extraction tools.

The encryption key is based on the user's lock code which is usually 4-digits long.

The new phones are also programmed to require progressively longer time between passcode attempts (as much as 1 hour between attempts I believe after a few wrong entries). And, if user set, to scramble the data upon reaching 10 attempts.

The government wants Apple to make the shooter's phone "lower its shields" so that it's a trivial matter for them to automatically try all 10,000 possible codes (assuming a standard 4-digit code).

It is a form of decryption in that the information is quite literally decrypted by the phone itself upon entry of the correct unlock code.

They are not concerned about the effort it takes to "rewrite software," but rather the implications of doing so.
 
This all still does not make sense to me...

If the phone was owned by San Bernardino, and the FBI instructed a San Bernardino employee to change the 4 digit code to keep other bad guys out...

Why not just ask the San Bernardino employee that changed the password what the new 4 digit code is...:dunno::dunno::dunno::dunno::dunno::dunno::dunno:
 
This all still does not make sense to me...

If the phone was owned by San Bernardino, and the FBI instructed a San Bernardino employee to change the 4 digit code to keep other bad guys out...

Why not just ask the San Bernardino employee that changed the password what the new 4 digit code is...:dunno::dunno::dunno::dunno::dunno::dunno::dunno:

That's a good question. Based on the idiocy of the FBI so far, I can't help but wonder if they might have already entered the code too many times...
 
That's a good question. Based on the idiocy of the FBI so far, I can't help but wonder if they might have already entered the code too many times...

You can bet your ass that is what happened...:yes::yes:
 
what they don't realize is nobody can brute-force an AES-256 key right now. There's not enough compute power in the world to accomplish it within my lifetime using the technology that exists today or will exist 10 years from now

Not ever. Not until "computers are built from something other than matter and occupy something other than space".

http://miguelmoreno.net/wp-content/uploads/2013/05/fYFBsqp.jpg

This is really about SHA256, but the same principle applies to AES-256.

You can't even count to 2^256 within the laws of physics - brute-forcing anything will be more complicated than that.
 
This all still does not make sense to me...

If the phone was owned by San Bernardino, and the FBI instructed a San Bernardino employee to change the 4 digit code to keep other bad guys out...

Why not just ask the San Bernardino employee that changed the password what the new 4 digit code is...:dunno::dunno::dunno::dunno::dunno::dunno::dunno:


There are two password-like thingies at issue here.

One is the numeric lock code on the phone which is typically 4-digits long, but could be longer.

The other is the username (always an email address) and associated password for the iCloud account associated with the same iPhone.

The iPhone had previously had its contents backed up onto the iCloud account, but not for several weeks.

Anybody with access to the email account (presumably Farook's county email), could have gone to www.icloud.com and clicked the "Forgot Password" link. Then, the system would send an email to the associated email account with another link that would let you reset the password to something new. Easy peasy. Click the link, enter a new password for iCloud and, Voila!

Only problem is that once that was done, the still locked phone has the OLD iCloud password stored inside of it, changeable only if you had the numeric lock code, and it will no longer do an automatic backup to the cloud. Oops.

The screw-up was not getting the phone near a Wi-Fi network that it already knows and seeing if it automatically performed a newer backup to the cloud. Now, it won't, ever.
 
There are two password-like thingies at issue here.

One is the numeric lock code on the phone which is typically 4-digits long, but could be longer.

The other is the username (always an email address) and associated password for the iCloud account associated with the same iPhone.

The iPhone had previously had its contents backed up onto the iCloud account, but not for several weeks.

Anybody with access to the email account (presumably Farook's county email), could have gone to www.icloud.com and clicked the "Forgot Password" link. Then, the system would send an email to the associated email account with another link that would let you reset the password to something new. Easy peasy. Click the link, enter a new password for iCloud and, Voila!

Only problem is that once that was done, the still locked phone has the OLD iCloud password stored inside of it, changeable only if you had the numeric lock code, and it will no longer do an automatic backup to the cloud. Oops.

The screw-up was not getting the phone near a Wi-Fi network that it already knows and seeing if it automatically performed a newer backup to the cloud. Now, it won't, ever.

OOPS....:redface::redface::redface:
 
That's a good question. Based on the idiocy of the FBI so far, I can't help but wonder if they might have already entered the code too many times...

You can bet your ass that is what happened...:yes::yes:

If that's the case then if it was set to wipe, it's already wiped. If not, why not just continue with all possible codes?
 

I interpret that as a comparative statement. That said, I did weigh whether or not it was time related. I went with comparative. I could make a case either way.

Do we now critique the slight nuances of the English language?
 
I interpret that as a comparative statement. That said, I did weigh whether or not it was time related. I went with comparative. I could make a case either way.

Do we now critique the slight nuances of the English language?

Depends on what the definition of IS... IS.....:rolleyes:
 
You do it often and it makes it hard to take you seriously.

To the best of my recollection, I have corrected one grammar mistake since I've been here. It was "Please advice me what to do" or similar. That one has always been a pet peeve.
 
Not ever. Not until "computers are built from something other than matter and occupy something other than space".

http://miguelmoreno.net/wp-content/uploads/2013/05/fYFBsqp.jpg

This is really about SHA256, but the same principle applies to AES-256.

You can't even count to 2^256 within the laws of physics - brute-forcing anything will be more complicated than that.

My computer can count to 2^256. I just wrote a program to do so. The program estimates it will finish running in: 7.3434861e+62 years.

That's like... 5.6488355e+52 years longer than the universe has existed?
I don't think I'm going to bother waiting for the program to finish running.
 
After several days and many posts it is just once again amazing to me how differently we view things. I see terrorism as this real but not terribly significant threat and I weigh constitutional protections and privacy/general protections from government as important enough to risk lives over.

Some people see terrorism as the biggest threat to this country since WWII and I guess trust the government enough to give up whatever rights are necessary to fight this threat.

Something tells me no technical, historical, or philosophical arguments are going to significantly change anyone's mind simply because we weigh these things differently...
 
After several days and many posts it is just once again amazing to me how differently we view things. I see terrorism as this real but not terribly significant threat and I weigh constitutional protections and privacy/general protections from government as important enough to risk lives over.

Some people see terrorism as the biggest threat to this country since WWII and I guess trust the government enough to give up whatever rights are necessary to fight this threat.

Something tells me no technical, historical, or philosophical arguments are going to significantly change anyone's mind simply because we weigh these things differently...

The biggest threats to this country are a populace that is willing to give up their rights for some temporary convenience and a government only too happy to have no constraints.
 
After several days and many posts it is just once again amazing to me how differently we view things. I see terrorism as this real but not terribly significant threat and I weigh constitutional protections and privacy/general protections from government as important enough to risk lives over.

Some people see terrorism as the biggest threat to this country since WWII and I guess trust the government enough to give up whatever rights are necessary to fight this threat.

Something tells me no technical, historical, or philosophical arguments are going to significantly change anyone's mind simply because we weigh these things differently...

Some people lack the ability to see the big picture. At this point, our economy, military, finances and national security DEPEND on strong encryption. If we start backdooring everything -- then society will face a lot worse than any of the terrorist attacks we've had (no offense to anyone).
 
Yes, as long as they understand that their opinions are bad and they should feel bad :lol:

I was going to compliment your nice summary in post 304 above, but now I take it back. :D

I agree with you, by the way, when it comes to protecting freedoms over reducing them to fight terrorism. Feels like they've already won when we do that.
 
I think I'll just go upload some genetic data to a database I don't control... Should work out great.

Maybe they'll even tell me the data is encrypted... Oh. Wait.

http://fusion.net/story/215204/law-...stry-com-and-23andme-for-their-customers-dna/

I read an article sometime back about a guy who got a pre-paid credit card with an alias, used an alias to register, and used his workplace to send/receive the package so that nobody could trace his DNA back to him but he could still do the test. I've considered trying this because I'm really curious but don't want my DNA on file anywhere.

I mean it sounds paranoid but unlike a password you can't change DNA and even if law enforcement isn't a worry if this site ever gets hacked it's out there... or who knows what may happen in the future. We know the FAA doesn't have to comply with HIPAA for example, what if 20 years in the future they get this data and start denying medicals or requiring extra testing based on your genetic predisposition to something?
 
I read an article sometime back about a guy who got a pre-paid credit card with an alias, used an alias to register, and used his workplace to send/receive the package so that nobody could trace his DNA back to him but he could still do the test. I've considered trying this because I'm really curious but don't want my DNA on file anywhere.

I mean it sounds paranoid but unlike a password you can't change DNA and even if law enforcement isn't a worry if this site ever gets hacked it's out there... or who knows what may happen in the future. We know the FAA doesn't have to comply with HIPAA for example, what if 20 years in the future they get this data and start denying medicals or requiring extra testing based on your genetic predisposition to something?

You can bet that is coming....:rolleyes:.........:mad2:
 
My computer can count to 2^256. I just wrote a program to do so. The program estimates it will finish running in: 7.3434861e+62 years.

That's like... 5.6488355e+52 years longer than the universe has existed?
I don't think I'm going to bother waiting for the program to finish running.

If you leave your computer on that long it will use about 4.948379e+55 kWh of power. The sun can only produce around 1.7e+37 kWh more power before it dies out.

So you will need to consume the energy of 2.91e+18 stars. All of their energy. With 0 waste.

Yeah, no.
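
Added example, not part of any post in this thread: a small Python model of the two searches being argued about, trying every passcode through the phone's attempt limits (the iOS 8 post above) versus enumerating a 256-bit keyspace (the "count to 2^256" posts). The lockout schedule, the 80 ms per-attempt cost and the 5e6 counts-per-second rate are assumptions chosen for illustration; only the 10-attempt wipe and the roughly 1-hour maximum wait come from the thread.

```python
# Added example: models the two searches discussed in this thread.
SECONDS_PER_YEAR = 365 * 24 * 3600

# ASSUMPTION: illustrative lockout schedule (failed attempts so far -> forced
# wait in seconds). The thread only says waits grow to about 1 hour and that
# an optional wipe triggers at 10 attempts.
ASSUMED_DELAYS = {5: 60, 6: 300, 7: 900, 8: 900}
ASSUMED_MAX_DELAY = 3600   # applied from the 9th failure onward
WIPE_AFTER = 10            # figure given in the thread
ASSUMED_GUESS_COST = 0.08  # ASSUMPTION: seconds the device spends per attempt


def delay_before_attempt(failures):
    """Forced wait before the next attempt, given prior failures."""
    if failures >= 9:
        return ASSUMED_MAX_DELAY
    return ASSUMED_DELAYS.get(failures, 0)


def passcode_search(digits, enforce_delay, wipe_after=None,
                    per_guess_s=ASSUMED_GUESS_COST):
    """Worst case: every code is tried and the right one is last.

    Returns (attempts_possible, seconds_elapsed, space_exhausted).
    """
    space = 10 ** digits
    attempts = space if wipe_after is None else min(space, wipe_after)
    waits = 0
    if enforce_delay:
        # Failures 0..8 follow the schedule; every later one costs the max.
        waits = sum(delay_before_attempt(f) for f in range(min(attempts, 9)))
        waits += max(0, attempts - 9) * ASSUMED_MAX_DELAY
    return attempts, waits + attempts * per_guess_s, attempts == space


def key_search_years(key_bits, guesses_per_second):
    """Years to enumerate every key of the given size at a fixed rate."""
    return 2 ** key_bits / guesses_per_second / SECONDS_PER_YEAR


def summary():
    rows = {}
    rows["4-digit, limits off"] = passcode_search(4, enforce_delay=False)
    rows["4-digit, delays only"] = passcode_search(4, enforce_delay=True)
    rows["4-digit, delays + wipe"] = passcode_search(4, True, WIPE_AFTER)
    rows["6-digit, limits off"] = passcode_search(6, enforce_delay=False)
    return rows


if __name__ == "__main__":
    for label, (n, secs, done) in summary().items():
        print(f"{label:24} attempts={n:<8} hours={secs / 3600:10.2f} "
              f"whole space covered={done}")
    # ASSUMPTION: 5e6 increments/s, picked because it reproduces the
    # 7.34e+62-year figure quoted in the thread.
    print(f"2^256 at 5e6/s: {key_search_years(256, 5e6):.4e} years")
```

Under these assumptions the passcode space is covered in minutes once the limits are off, while the wipe setting caps coverage at 10 of 10,000 codes; the 256-bit search does not finish on any timescale regardless.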
 
If you leave your computer on that long it will use about 4.948379e+55 kWh of power. The sun can only produce around 1.7e+37 kWh more power before it dies out.

So you will need to consume the energy of 2.91e+18 stars. All of their energy. With 0 waste.

Yeah, no.

Please do not consume all the sun's power, as we're hoping for an early Spring. Thanks!

Jim
 
I read an article sometime back about a guy who got a pre-paid credit card with an alias, used an alias to register, and used his workplace to send/receive the package so that nobody could trace his DNA back to him but he could still do the test. I've considered trying this because I'm really curious but don't want my DNA on file anywhere.

I mean it sounds paranoid but unlike a password you can't change DNA and even if law enforcement isn't a worry if this site ever gets hacked it's out there... or who knows what may happen in the future. We know the FAA doesn't have to comply with HIPAA for example, what if 20 years in the future they get this data and start denying medicals or requiring extra testing based on your genetic predisposition to something?

Don't count on that working. If it matches someone else in your ancestry, it still could be traced down to you. You are not nearly as anonymous as you think, and submitting DNA makes it worse.

It's not difficult to foresee medical facilities collecting DNA on every patient, then cops tapping into that information as they see fit.

It could simply be mandated by Federal or other law. Much the way certain tests and advice were mandated in certain states. And it becomes even more likely if we move to single-payer or more under the ACA in a bid to hold down costs or rationalize healthcare.
 
Did anybody see the interview with Michael Hayden last night on FOX? Hayden is a former head of both NSA and CIA. He was asked what he thought about the situation between the FBI and Apple, and back doors and such. Basically, he said that security is very important, and that encryption is a very good thing. He would never support any kind of back door that was implemented into an operating system for widespread use. However, while not having all of the facts, he tended to think that Apple could probably break into this one phone without compromising the security of all phones, and if that was the case, they should. He believed the information on that phone was very important. Very interesting interview. He also talked about Hillary's email server!
 