|
Post by dannusmaximus on Mar 11, 2016 0:41:10 GMT
Should lock manufacturers be required to give .gov a master key that will work on every lock they make, to be carried by every LEO with the promise that it will only be used if a warrant is issued?

Short answer is no, but that's not what LE is asking for, if my research is right. It is more akin to asking lock manufacturers to defuse the bomb they have wired to the lock so the authorities can use their crowbars to access the safe without destroying the contents. Nameless, help me out here, but iOS has a security feature built in that wipes the phone if 'x' number of failed password attempts are tried. This feature eliminates .gov from being able to launch a 'brute force attack' to try and determine the password. Uncle Sam wants to be able to deactivate that feature so they can crack the phone open, they aren't asking for an effortless way to unlock any phone they want. Is that right?

ALSO, Google 'Knox Box'. It's an entry feature that many businesses use (occasionally compelled by building codes, which I know make you furious...) where a lockbox is embedded into an exterior wall of a business with entry keys or keycards stored inside. Our big red trucks carry a master key, so instead of having to destroy a $5,000 plate glass door to try and make entry to a building with a fire alarm going off after hours, we just grab our key, unlock the Knox Box, and investigate the alarm. The FD company officer is required to account for the key each morning during shift changeover, and we have to announce over the radio when we're using it, as well as when the box has been resecured. If we use the key for nefarious purposes, we'll get fired and probably sued by the business. We essentially 'promise it will only be used' if we need to use it. Works great! Trust me! I'm with the government!
|
|
|
Post by dannusmaximus on Mar 11, 2016 0:47:20 GMT
.. what powers do YOU think the police should have to investigate and try to prevent crimes? Precognition.
You know, maybe if we could get everyone to wear smart watches linked to a big computer that monitors the activities of the wearer for any signs of criminal behavior, flags such cases to have a search warrant issued by a pet judge for LE to review the data, and if the reviewing LEO determines that criminal charges are warranted he/she (however it chooses to "self identify") can trigger a sedative injector in the suspect's smart watch, along with a strobe light and siren to alert other monitored citizens to stay away from the crime scene. Then the suspect can be picked up by the police without any risk of physical confrontation. Why should anyone object to something like this? They can already track all of the data in your smart phones and remotely turn on your web cameras and microphones. We should just formally recognize this and grant this horrible invasion of our privacy progressive common sense public safety tool legality and statutory recognition. We can even create a club of cronies to rubber stamp all of our actions an oversight committee to prevent abuses of this power.
See nothing to worry about. Next up, we can explain to a person being raped that they should just relax and try to enjoy it because it's inevitable.
Uh. Wouldn't your libertarian side argue that people/gubmints/corporations should be allowed to do whatever they want, and if damages occur you can sue the person/gubmint/corporation to attempt to prove and recoup said damages? If in the above scenario, you feel like you have suffered damages, sue the government, right? Just gathering data is not illegal. It shouldn't be illegal to drive a dumptruck loaded with explosives at 85 mph through a crowded schoolyard UNLESS you actually hurt somebody or squish the playground equipment, correct?
|
|
|
Post by LowKey on Mar 11, 2016 5:13:06 GMT
Uh. Wouldn't your libertarian side argue that people/gubmints/corporations should be allowed to do whatever they want, and if damages occur you can sue the person/gubmint/corporation to attempt to prove and recoup said damages? If in the above scenario, you feel like you have suffered damages, sue the government, right? Just gathering data is not illegal. It shouldn't be illegal to drive a dumptruck loaded with explosives at 85 mph through a crowded schoolyard UNLESS you actually hurt somebody or squish the playground equipment, correct?

I don't know if you really just don't understand libertarian philosophy and how such a society would function, or if you selectively ignore portions to make it look unworkable.

1- The libertarian side of me wouldn't have public sector police, ems, or fire services in the first place, they'd be private. But granting the existence of <govt> police in your question I'd ask you to consider this...when you win a suit against a government entity, who pays the penalty? Answer: The Taxpayers. Not the government official or employee that committed the offense. So no, this doesn't work well in modifying or correcting bad behavior. May as well spank Timmy every time Bobby misbehaves. In most cases you can't sue the individual government official or employee as they have immunity if they were on the clock. Lastly, throw in the glacial slowness of our current court system. Ever heard the phrase, "A right delayed is a right denied"? Well, that reasoning applies to justice as well, "Justice delayed is justice denied". There's a reason our founders included, "the right to a speedy and public trial" in our Constitution and it's a horrible shame that the citizens of this country seem to have forgotten this and permitted the system to apparently ignore the "speedy" portion of this right. Backlog of the system doesn't justify the lack of trials being "speedy".

2- Who owns the playground? Because they're the one who gets to make the call about the speeding dump truck with explosives. If he gives his approval to it, then yes, the dump truck driver can do just that, and both the driver and the property (playground) owner would be liable for any damages to the children IF the children and their parents weren't informed. If they were informed and elected to have the children stay on the playground then they'd assume the risk as well. Consensual agreements with full disclosure of risks and responsibilities.

I recall a discussion sometime back about privatizing fire departments and you said something to the effect of, "What if I started lighting houses on fire to boost business?" as a way of deriding and dismissing the idea. I should have answered that question at the time; you'd be sued for the cost of the home, all the work, possessions, injuries, medical care, etc., etc., etc. In short, you'd lose your home, your car, your savings, and your pension as they'd go towards paying the judgment. If you haven't already, I recommend reading The Adventures of Jonathan Gullible as it does a good job of illustrating the libertarian philosophy. For the TL:DR version- www.jonathangullible.com/mmedia/PoL.English.The.Philosophy.of.Liberty.swf
|
|
|
Post by NamelessStain on Mar 11, 2016 12:12:15 GMT
Nameless, help me out here, but iOS has a security feature built in that wipes the phone if 'x' number of failed password attempts are tried. This feature eliminates .gov from being able to launch a 'brute force attack' to try and determine the password. Uncle Sam wants to be able to deactivate that feature so they can crack the phone open, they aren't asking for an effortless way to unlock any phone they want. Is that right?

It is partially correct. They want several actions by Apple:

- They want them to disable the failed logon attempt counter which can wipe the phone if the feature is turned on. They are not even sure if it is activated, but they don't want to take that chance which is what I would do.
- The current system will increase the interval for retries between unsuccessful logon attempts. Example: after the first failed attempt you must wait 1 second, after the second failed attempt 5 seconds, 3rd failed attempt 15 seconds, and so on. So even if the deletion functionality is turned off, brute force attacks would take forever. This would most likely be built into the OS somewhere and not some configurable parameter. They would have to find the OS function within the encrypted data and either not call the function OR have it return 0 each time. I know with my company, if I fail a logon 3 times in a row it locks the account for 1 hour. Fail 3 more and the account is permanently locked and you have to call the system admins to unlock your account.
- Finally they want to be able to use an electronic means to input passwords. Right now it is only input via the screen. They want to be able to use the plug-in adapter/charger to input password values which is currently not a feature Apple allows and would have to create and install it. This makes an electronic means of brute force attack against the device possible. So instead of a human trying the combinations (let's say 2 seconds for 1 input try) vs. a program which can try 100 attempts per second (honestly, probably closer to 500-1000/sec), you get the idea.

Also to change any of these features would require the information to be reencrypted since any change will impact all encrypted information downstream in the data stream. From my forensics class, I would say it is doubtful that the data modified by this means would be admissible as evidence since it technically has been altered to account for the changes in encryption. At least for that bit of information which required the change. Hope that helps.
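Added example, not part of the original post and not Apple's code: a small model of how the three protections described above (wipe counter, escalating retry delay, screen-only entry) each change the worst-case cost of guessing a passcode. The 4-digit keyspace and the rule that the last listed delay keeps repeating are assumptions; the 1/5/15 second steps, 2 seconds per manual try and 100 tries per second are the post's own illustrative figures.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ThrottlePolicy:
    # Seconds to wait after the 1st, 2nd, 3rd... consecutive failure.
    delays: Tuple[int, ...] = ()
    # Failed attempts allowed before the device erases itself (None = off).
    wipe_after: Optional[int] = None

    def delay_after(self, failures: int) -> int:
        if not self.delays or failures <= 0:
            return 0
        # Assumption: past the listed steps the last delay keeps applying.
        return self.delays[min(failures, len(self.delays)) - 1]


def worst_case(policy: ThrottlePolicy, keyspace: int, tries_per_second: float):
    """Return (guesses possible, seconds spent, fraction of keyspace covered)."""
    guesses = keyspace if policy.wipe_after is None else min(keyspace, policy.wipe_after)
    # A delay follows every failure except the final guess in the run.
    waiting = sum(policy.delay_after(n) for n in range(1, guesses))
    seconds = guesses / tries_per_second + waiting
    return guesses, seconds, guesses / keyspace


PIN_SPACE = 10_000          # constructed: 4-digit numeric passcode
POST_DELAYS = (1, 5, 15)    # example steps quoted in the post


def scenarios():
    return {
        "no protections, typed by hand": worst_case(ThrottlePolicy(), PIN_SPACE, 0.5),
        "no protections, electronic input": worst_case(ThrottlePolicy(), PIN_SPACE, 100),
        "retry delay only, electronic input": worst_case(
            ThrottlePolicy(delays=POST_DELAYS), PIN_SPACE, 100),
        "retry delay + wipe after 10": worst_case(
            ThrottlePolicy(delays=POST_DELAYS, wipe_after=10), PIN_SPACE, 100),
    }


if __name__ == "__main__":
    for name, (guesses, seconds, covered) in scenarios().items():
        print(f"{name:36s} {guesses:6d} guesses  {seconds / 3600:8.2f} h  "
              f"{covered:.1%} of keyspace")
```

With all three protections removed the input rate is the only limit; with the wipe counter left on, the guess budget ends after a fraction of a percent of the keyspace no matter how fast input is.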
|
|
|
Post by NamelessStain on Mar 29, 2016 11:55:23 GMT
|
|
|
Post by NamelessStain on Mar 29, 2016 17:22:51 GMT
|
|
|
Post by NamelessStain on Apr 27, 2016 15:54:17 GMT
|
|
|
Post by NamelessStain on Apr 28, 2016 10:55:41 GMT
|
|
|
Post by NamelessStain on Jun 1, 2016 13:55:14 GMT
www.security-database.com/detail.php?alert=VU482135

Seems someone forgot to remove a hard coded password from their software. Updates are available to fix, but this is medical data since 2015 out in the open. No details on how many attackers used this to get info and disappear.
|
|
|
Post by NamelessStain on Jun 2, 2016 10:40:01 GMT
|
|
|
Post by NamelessStain on Sept 15, 2016 11:09:06 GMT
|
|
|
Post by NamelessStain on Oct 28, 2016 11:02:43 GMT
|
|
|
Post by scbrian on Oct 28, 2016 18:43:31 GMT
|
|
|
Post by NamelessStain on Dec 13, 2016 13:48:05 GMT
|
|