Re: [cryptography] To Protect and Infect Slides
Jeffrey Walton:
On Tue, Dec 31, 2013 at 3:13 PM, Jacob Appelbaum <jacob@appelbaum.net> wrote:
Kevin W. Wall:
On Tue, Dec 31, 2013 at 3:10 PM, John Young <jya@pipeline.com> wrote:
30c3 slides from Jacob Appelbaum:
And you can find his actual prez here: <https://www.youtube.com/watch?v=b0w36GAyZIA>
Worth the hour, although I'm sure your blood pressure will go up a few points.
I'm also happy to answer questions in discussion form about the content of the talk and so on. I believe we've now released quite a lot of useful information that is deeply in the public interest.
It looks like some of your observations were unsettling to some folks at Cupertino: "Apple denies working with the NSA to compromise iPhone security", http://www.bizjournals.com/sanjose/news/2013/12/31/apple-denies-working-with...:
Today, Apple denied helping to create DROPOUT JEEP, saying it had no knowledge of the exploit and remained committed to its customer's safety.
Did anyone ever claim that they helped create DROPOUT JEEP?
Par for the course I suppose... gotta love carefully crafted press releases.
I'm less interested in the payload than how it is deployed - are the Apple signing keys only controlled by Apple? Do they fall under the business records provision of the PATRIOT Act? The QUANTUM documents do not sound very good for iOS users:
http://www.spiegel.de/fotostrecke/nsa-dokumente-so-uebernimmt-der-geheimdien...
http://www.spiegel.de/fotostrecke/nsa-dokumente-so-uebernimmt-der-geheimdien...
All the best,
Jacob
On 02.01.2014 13:37 Jacob Appelbaum wrote:
I'm less interested in the payload than how it is deployed - are the Apple signing keys only controlled by Apple?
Not exactly. There are more moving parts to Apple signing certificates and keys than most people realize. The process for signing an app is:
1) generate a private key,
2) use that to generate a Certificate Signing Request (which you send to Apple),
3) Apple sends you the approved certificate (automated process),
4) convert that file to (.pem/.cer),
5) generate p12 file using that cert and your private key (and its password) together,
6) generate the provisioning file to actually build the signed app in Xcode.
While that seems like an arduous and in-depth process, getting signed malware only requires a $99 payment to Apple and a super basic "application process" to become an Apple developer. One could probably get more mileage by distributing malware that disables signature check.
Do they fall under the business records provision of the PATRIOT act?
Probably, considering that AFAIK Lavabit's SSL cert was considered such when it was ordered turned over.
Open source that shit,
Griffin