|
9082365 wrote: The crucial point, as I understand it, is that the encryption key is not part of the data or OS but is hardwired in the chip in a way that cannot be read.
I guess that last part is assumption that I'm questioning. I don't know that it cannot be read and I'm trying to find where and if Apple's actually said that. They do say the UID is "fused ... into the application processor." I'd like to know a little more about what that means exactly.
According to this article, the UID (sorry I've been calling it the PID) is actually encoded in binary somewhere on the chip's physical structure, which makes sense, and could be examined with a microscope. The author doesn't cite any sources for this, but if he's right, it seems like a perfectly viable option particularly if Apple were on hand to tell the government exactly where to look and what they needed to know to perform the procedure safely.
I'm not saying it would be easy or not labor intensive - but the "GovtOS" option is no easier, and the burden SHOULD be on the government anyway, not the innocent third party. Moreover, this method leaves no risk of easy repetition (it'll take precisely as much effort to do this to the next phone as it would to the current one) and doesn't unconstitutionally compel Apple to create a hacking device for the government to use whenever it pleases. In the end all it would require Apple to do is provide INFORMATION, which the law does permit the government to obtain.
|
|
|
|
|
Most experts seem to be saying that in older models there is a theoretical possibility of retrieving the UID from the chip but only using an electron scanning microscope and accepting a strong possibility of damaging the chip or destroying the UID in the process which makes it effectively a non starter. In newer models the chip is constructed specifically to exclude any possibility at all. Apple's reluctance to actually make the exact details public is, of course, totally understandable so we are left to rely on reports from those hackers (both white and black hatters) who have tried. So far I've not been able to find anyone who thinks it can be done with any guarantee of success.
I am not a number. I am a ... no, wait!
|
|
|
|
|
Well, ok, but you seem to still be overlooking my main assumption: Apple being involved. There's a huge difference between hacking without guidance, and having the designer of the device give you the information that would enable you to find the precise location of the UID and read it.
My argument is not that the FBI should try this themselves (as others have suggested). It's that they should be asking the court to compel Apple to divulge its knowledge and provide reasonable assistance to the FBI while making the attempt. This is a better legal solution, and maybe a better technological solution (depending on what kind of passcode is at issue), than the one ordered.
|
|
|
|
|
Surely we can draw some conclusion from the fact that this is not what the FBI is asking for though? It cannot be the case that they don't have access to plenty of technical advisors nor that there were not protracted discussions with Apple prior to the decision to invoke this arcane piece of legislation to compel action bringing it out into the public arena. It seems to me that we have to conclude that Apple has persuaded them, and their own experts have confirmed, that even within Apple's labs the process is either impossible or so risky as to be impractical. I find it impossible to believe that they're going to the very edge of legality for the 'solution' they've hit on unconvinced that no other option is available. The only alternative explanation would be legal advice that it is so blatantly illegal that there is zero chance of getting a court order on that basis but clearly that is not your opinion so it seems unlikely.
I am not a number. I am a ... no, wait!
|
|
|
|
|
My guess based on something I read somewhere at some point.. is that there is more to this than Apple releasing the data to the FBI.
Apple are perhaps having to play a very careful political/marketing game here - if Apple agree to help the FBI then hackers around the world may be given something of a clue as to the vulnerability of Apple devices.
Apple may need to play the 'our device is impossible to crack' game in order to impress their market, while trying to figure out how they are going to get the FBI the data they need without the whole think 'leaking out to the public.
As I have read elsewhere - I doubt there is much to do with ethics in this whole thing, as there are a number of serious ethical issues connected with mineral mines and factories that are connected with the mobile device market and Apple have not so far made a point of proving how clear they are of these problems.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
|
|
|
|
|
GuyThiebaut wrote: as there are a number of serious ethical issues connected with mineral mines and factories that are connected with the mobile device market and Apple have not so far made a point of proving how clear they are of these problems. Actually they have...
Environment - Apple[^]
Supplier Responsibility - Apple[^]
There are two types of people in this world: those that pronounce GIF with a soft G, and those who do not deserve to speak words, ever.
|
|
|
|
|
|
I watched the video. Apparently this is a spectator sport - at least for the blokes sporting English accents.
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein | "As far as we know, our computer has never had an undetected error." - Weisert | "If you are searching for perfection in others, then you seek disappointment. If you are seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010 |
|
|
|
|
|
Does that imply that there is a scenario where there is not a nasty surprise when trying to eat an elephant through the anus?
"the debugger doesn't tell me anything because this code compiles just fine" - random QA comment
"Facebook is where you tell lies to your friends. Twitter is where you tell the truth to strangers." - chriselst
"I don't drink any more... then again, I don't drink any less." - Mike Mullikins uncle
|
|
|
|
|
Science, I've got your coat.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies.
-- Sarah Hoyt
|
|
|
|
|
The hyena might find success in Washington D.C.
|
|
|
|
|
The hyena has a remarkable resemblance to Trump!
Marc
|
|
|
|
|
In The Zone[^], by Richard Elliott
Yeah, it's elevator music. So?
Software Zen: delete this;
|
|
|
|
|
Quote: This video is not available.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Hmm. Not to quote a line, but it works at my desk. Try this[^] instead.
Software Zen: delete this;
|
|
|
|
|
Richard Deeming wrote: This video is not available. Consider yourself lucky.
There are only 10 types of people in the world, those who understand binary and those who don't.
|
|
|
|
|
Gary Wheeler wrote: So?
So, I don't live, work, or otherwise exist in an elevator? I go out of my way to avoid elevators at least in part because of elevator music (plus the stairs are always healthier and usually quicker anyway!) There are clubs for people who like muzak. Please take it there!
I am not a number. I am a ... no, wait!
|
|
|
|
|
I just found out about this and thought it was very cool.
Edit: fixed link
If you get the latest version of the free SysInternals tool Process Explorer[^], you can easily scan your running processes using VirusTotal.com (which checks against 57 different virus scanner's definitions).
It's super fast and very cool.
Unfortunately, I can't paste images in here to show you but here are steps to using it shown in the following linked images.
1. Start up ProcessExplorer
2. Start the virustotal.com scan of running processes:
http://raddev.us/images/sysinternals/procexp3.png[^]
You'll see ProcExp examining all the hashes of the running procs:
http://raddev.us/images/sysinternals/procexp1.png[^]
Finally, you'll see the results.
0/57 means none of the 57 virus checkers saw any problem.
You can see that one virus scanner thought my notepad++ was possibly malicious.
If you click the link it'll take you to virustotal.com so you can examine more info.
http://raddev.us/images/sysinternals/procexp2.png[^]
Check it out, I think you'll like it.
Disclaimer: I am not affiliated with sysinternals at all. I wish I was.
modified 26-Feb-16 11:18am.
|
|
|
|
|
|
|
When something is reported it is too late because the malicious code is already running and the system is compromised.
So it is a good feature for a quick check but you would know that a lot of work is ahead when something is reported.
But more important, there is malicious code meanwhile that can detect the virustotal requests.
|
|
|
|
|
Jochen Arndt wrote: When something is reported it is too late
You are right about that.
I just know that at times my various machines (laptops, desktops, etc) become extremely slow due to I/O and I wonder what it is. I was using this for that and to determine that something malicious isn't running at present time.
Of course, the answer to the killer I/O is always due to Microsoft updates.
Jochen Arndt wrote: there is malicious code meanwhile that can detect the virustotal requests
That is extremely interesting and terrible!!!
|
|
|
|
|
raddevus wrote: extremely interesting and terrible
What's really interesting and terrible is the quality of the coders that produce this crap. They are extremely good, some of them - it takes real work to avoid or bypass some of the security. If they put their effort into "legitimate" activities, they'd probably make more money, and the whole world would be a happier place.
I don't understand the mindset that writes this stuff, really I don't.
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
|
|
|
|
|
|
OriginalGriff wrote: I don't understand the mindset that writes this stuff, really I don't
Code that can successfully exploit previously unknown/undisclosed flaws can sell for serious money. I'm sure you can understand that mindset.
|
|
|
|