Instead of Apple tasking a coder to work on cracking that iPhone...
FWIW I don't see how the feds can force Apple to assign an employee to do anything not in their job description without violating that employee's contract, or their civil rights, and writing code to crack phones isn't in any Apple job description, but tightening phone security is... This is getting interesting.

-- RR "Through counter-intelligence it should be possible to pinpoint potential trouble-makers ... And neutralize them, neutralize them, neutralize them"

Apple Is Said to Be Working on an iPhone Even It Can’t Hack
By MATT APUZZO and KATIE BENNER
FEB. 24, 2016

WASHINGTON — Apple engineers have already begun developing new security measures that would make it impossible for the government to break into a locked iPhone using methods similar to those now at the center of a court fight in California, according to people close to the company and security experts.

If Apple succeeds in upgrading its security — and experts say it almost surely will — the company would create a significant technical challenge for law enforcement agencies, even if the Obama administration wins its fight over access to data stored on an iPhone used by one of the killers in last year’s San Bernardino, Calif., rampage. The F.B.I. would then have to find another way to defeat Apple security, setting up a new cycle of court fights and, yet again, more technical fixes by Apple.

The only way out of this back-and-forth, experts say, is for Congress to get involved. Federal wiretapping laws require traditional phone carriers to make their data accessible to law enforcement agencies. But tech companies like Apple and Google are not covered, and they have strongly resisted legislation that would place similar requirements on them.

“We are in for an arms race unless and until Congress decides to clarify who has what obligations in situations like this,” said Benjamin Wittes, a senior fellow at the Brookings Institution.

Companies have always searched for software bugs and patched holes to keep their code secure from hackers. But since the revelations of government surveillance made by Edward J. Snowden, companies have been retooling their products to protect against government intrusion.

Apple built its recent operating systems to protect customer information. As its chief executive, Timothy D. Cook, wrote in a recent letter to customers, “We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business.”

But there is a catch. Each iPhone has a built-in troubleshooting system that lets the company update the system software without the need for a user to enter a password. Apple designed that feature to make it easier to repair malfunctioning phones.

http://www.nytimes.com/2016/02/25/technology/apple-is-said-to-be-working-on-...
On Wed, Feb 24, 2016 at 04:06:27PM -0800, Rayzer wrote:
FWIW I don't see how the feds can force Apple to assign an employee to do anything not in their job description without violating that employee's contract, or their civil rights, and writing code to crack phones isn't in any Apple job description, but tightening phone security is...
I am pretty sure this won't stop Apple if they want to unlock it. Are you familiar with their job descriptions (I am not)? According to links here from this month, few years ago Apple unlocked many phones per feds requests.
On 02/25/2016 01:45 AM, Georgi Guninski wrote:
On Wed, Feb 24, 2016 at 04:06:27PM -0800, Rayzer wrote:
FWIW I don't see how the feds can force Apple to assign an employee to do anything not in their job description without violating that employee's contract, or their civil rights, and writing code to crack phones isn't in any Apple job description, but tightening phone security is...
I am pretty sure this won't stop Apple if they want to unlock it.
Are you familiar with their job descriptions (I am not)?
According to links here from this month, few years ago Apple unlocked many phones per feds requests.
That would be this article by Declan McCullagh:
https://tinyurl.com/zve7maf

iPhones are so user friendly that they include pre-installed forensic tools for their users in the LEA and DoD community:
https://tinyurl.com/z6fll9r

OSX is also very friendly to users who might want to know about every file ever downloaded by a Mac they have access to:
https://tinyurl.com/ctkambp

iTunes included a "defect" that LEAs used as a back door into user systems for three years, per the UK Telegraph:
https://tinyurl.com/7zfubdz

Apple owes it to their shareholders to market to the U.S. Department of Defense, including participation in bidding on the most powerful end user identification, tracking, surveillance, manipulation and targeting platform that has ever been publicly disclosed:
http://wiki.project-pm.org/wiki/Romas/COIN

Apple markets its products as fashion accessories for Liberal Arts majors; keeping the Apple brand's public image intact via a cost effective Big Lie propaganda program is the least it can do for its shareholders.
https://www.apple.com/customer-letter/
Apple's fix of its devices to prevent access by outsiders surely is not like CryptoAG in which gov entry was secretly implanted. How to verify this has not been done?

Political and technical challenge is that few users care about security and privacy, they just want convenience and latest style as Apple has become richer than Croesus exploiting. And Apple is hardly the only com-gov-org promising group identity and solidarity, with illusory security while primarily securing the benefits of the promiser. Apple and govs are more similar than different and bound by loyal opposition, the very stance most beneficial to security and privacy offerers.

Insecurity is the product.

At 06:14 AM 2/25/2016, you wrote:
On 02/25/2016 01:45 AM, Georgi Guninski wrote:
On Wed, Feb 24, 2016 at 04:06:27PM -0800, Rayzer wrote:
FWIW I don't see how the feds can force Apple to assign an employee to do anything not in their job description without violating that employee's contract, or their civil rights, and writing code to crack phones isn't in any Apple job description, but tightening phone security is...
I am pretty sure this won't stop Apple if they want to unlock it.
Are you familiar with their job descriptions (I am not)?
According to links here from this month, few years ago Apple unlocked many phones per feds requests.
That would be this article by Declan McCullagh:
iPhones are so user friendly that they include pre-installed forensic tools for their users in the LEA and DoD community:
OSX is also very friendly to users who might want to know about every file ever downloaded by a Mac they have access to:
iTunes included a "defect" that LEAs used as a back door into user systems for three years, per the UK Telegraph:
Apple owes it to their shareholders to market to the U.S. Department of Defense, including participation in bidding on the most powerful end user identification, tracking, surveillance, manipulation and targeting platform that has ever been publicly disclosed:
http://wiki.project-pm.org/wiki/Romas/COIN
Apple markets its products as fashion accessories for Liberal Arts majors; keeping the Apple brand's public image intact via a cost effective Big Lie propaganda program is the least it can do for its shareholders.
https://www.apple.com/customer-letter/
On 2/25/16, John Young <jya@pipeline.com> wrote:
Insecurity is the product.
Agree. The market for secure is limited by don't care. However the cost for pretty good security is nearly zero added in grand scheme, and as such is marketable win. Therefore, lacking same is shameful, or ulterior, or ignorant. Any of which are fucking lame, and need calling out.
Georgi Guninski wrote:
On Wed, Feb 24, 2016 at 04:06:27PM -0800, Rayzer wrote:
FWIW I don't see how the feds can force Apple to assign an employee to do anything not in their job description without violating that employee's contract, or their civil rights, and writing code to crack phones isn't in any Apple job description, but tightening phone security is...
I am pretty sure this won't stop Apple if they want to unlock it.
Are you familiar with their job descriptions (I am not)?
It might fit in the QA end of the biz. Someone has to test security. Whether your agreement with the company allows them to 'contract' you to a 3rd party's task... I REALLY doubt it judging from my industrial end (drive manufacturing) experience. They're really REALLY concerned about letting any information about the creation of the product out of their grasp. It probably violates your confidentiality and intellectual property agreement with the company.

Can the government make you violate that agreement? Can they make Apple change its agreement with you? Can the government force you to change a worker's job description or hire/accept a government contract worker or employee?

Iow, tell you how to run your business...

Dunno. But IF an employee claimed confidentiality and intellectual property agreement as rationale for non-cooperation... Would the government also go after that employee? Force Apple to discipline or fire them?

It's gonna be interesting to see how this goes, but I suspect Apple will cooperate, in secret b/c FISC/A, and do the government's bidding. If they really can. We may never find out.
According to links here from this month, few years ago Apple unlocked many phones per feds requests.
Yes, but those phones didn't have the self-destruct code if I remember correctly. Apple claims it can't work around it.

-- RR "Through counter-intelligence it should be possible to pinpoint potential trouble-makers ... And neutralize them, neutralize them, neutralize them"
On 02/25/2016 10:51 AM, Rayzer wrote:
Georgi Guninski wrote:
On Wed, Feb 24, 2016 at 04:06:27PM -0800, Rayzer wrote:
FWIW I don't see how the feds can force Apple to assign an employee to do anything not in their job description without violating that employee's contract, or their civil rights, and writing code to crack phones isn't in any Apple job description, but tightening phone security is...
I am pretty sure this won't stop Apple if they want to unlock it.
Are you familiar with their job descriptions (I am not)?
It might fit in the QA end of the biz. Someone has to test security. Whether your agreement with the company allows them to 'contract' you to a 3rd party's task... I REALLY doubt it judging from my industrial end (drive manufacturing) experience. They're really REALLY concerned about letting any information about the creation of the product out of their grasp. It probably violates your confidentiality and intellectual property agreement with the company.
Can the government make you violate that agreement? Can they make Apple change its agreement with you? Can the government force you to change a worker's job description or hire/accept a government contract worker or employee?
Iow, tell you how to run your business...
Dunno. But IF an employee claimed confidentiality and intellectual property agreement as rationale for non-cooperation... Would the government also go after that employee? Force Apple to discipline or fire them?
Insubordination is always grounds for dismissal, unless an employee is ordered to break the law or expose him or herself to legally banned workplace hazards. So Apple could handle non-cooperation problems without involving the Feds: If we was Apple, would we want to piss off a client so big that it is a lucrative market all its own, just to indulge some ungrateful non-team-player's personal snit fit? What would Apple board member Ronald D. Sugar, former chairman and CEO of Northrop Grumman, say about that?

If Apple receives a Court order or lands a contract that requires re-purposing staff, they can just hire any skill sets they don't already have on hand. If special NDAs or even Federal security clearances are required, no problem: If it's a contract matter, the additional costs are included in the bid; if it's a Court order, Apple can ask for and most likely receive "reasonable" compensation for following lawful orders.
According to links here from this month, few years ago Apple unlocked many phones per feds requests.
Yes, but those phones didn't have the self-destruct code if I remember correctly. Apple claims it can't work around it.
"Self destruct?" It is to laugh. "Can't work around it?" Hilarious. These propositions only work if we assume Apple does not have an in-house capability to analyze, troubleshoot and re-program its own hardware, does not have the technical capability to read from the storage media in its own devices, and lacks the engineering staff and/or data necessary to alter Apple brand software. In the case of any such deficiencies, Apple (or the FBI) can hire any required reverse-engineering done, under NDA (or gag order). If Apple did not already do whatever was asked of them with regard to one iPhone formerly owned by one criminal suspect, the FBI can bring in the NSA on the basis of mere "suspicion" that the case may have a link to non-U.S. persons. Instead we get a legal dispute and minor media sideshow based on a pile of false assertions by /both/ parties, apparently in collusion, with the apparent intent of creating a legal precedent for mandatory back doors in U.S. personal electronics - and/or public demand for legislation to that effect. The words "Security Theater" come to mind, but with a stronger than usual connotation of "Security Propaganda and Disinformation." 
Steve Kinney wrote:
Insubordination is always grounds for dismissal
It's NOT insubordination if it's NOT your job description. Telling a coder who's never done anything besides sit at a desk and code they need to do janitorial tasks for instance.

Telling someone who writes crypto that it's also their job to torture test it is going to step on the QA director's toes, ya think? If anyone can be legitimately tasked, it would be the QA department.

It's also dysfunctional to let someone who created the code test it. That's like letting a machinist who created the part certify its Mil-spec 415-D compliance.

Otoh Apple COULD change the job description... IF they want to re-negotiate the person's salary. If that person walked I'd speculate there'd be dozens of companies willing to hire them just because they walked instead of cooperating with the feds.
they can just hire any skill sets they don't already have on hand
The government can't require them to hire anyone. Further, if the government forces them to add a government paid contractor or govt employee they could sue for damages caused by reputation loss with their commercial vendors who buy and sell their products and material. I'll bet they can easily prove it too! By charting the DIVE iPhone sales take if they publicly cooperate.

All in all the government demanding a private entity do ANYTHING without the full force of the law, not JUST some interpretation by the DOJ backed by some district court hack is a dysfunctional mess that would tie the government up in court until iOS is so fucking obsolete no one even remembers what it was.

But as I said, as soon as this is out of the news, and Apple has made enough noise to calm their customers, they'll just do it in secret, as FISC/A requires. If they can.

-- RR "Through counter-intelligence it should be possible to pinpoint potential trouble-makers ... And neutralize them, neutralize them, neutralize them"
On 02/25/2016 04:16 PM, Rayzer wrote:
Steve Kinney wrote:
Insubordination is always grounds for dismissal
It's NOT insubordination if it's NOT your job description. Telling a coder who's never done anything besides sit at a desk and code they need to do janitorial tasks for instance.
Telling someone who writes crypto that it's also their job to torture test it is going to step on the QA director's toes, ya think? If anyone can be legitimately tasked, it would be the QA department.
The QA department is not responsible to understand how the code (or gadget) works, they are responsible to verify that it does work, and that the "thing that worked" is the thing that ships in the product it goes with. Conversely, whoever designed and implemented the cryptographic system baked into the Apple hardware in question had /better/ be aware of how to attack it: Otherwise, a 3rd party's job when attempting to break the system is likely to be way too easy. The same people who made it /do/ need to be able to inspect their own work, especially during the initial development and implementation process, and the tools to do so will be familiar to them. That makes them just the right folks to ask for advice and assistance when it's time to develop a process for unwrapping the package they made.
It's also dysfunctional to let someone who created the code test it.
That's like letting a machinist who created the part certify its Mil-spec 415-D compliance.
The ability to monitor the supply chain inbound to the machinist, measure the parts the machinist makes and track them to their final destination in a larger assembly external customer, does not imply the ability to prescribe a specific manufacturing process, make the part in question, or to evaluate its fitness for use for a particular purpose. Those latter functions, and creation of specifications as acceptance criteria, are jobs for design and production engineers.
Otoh Apple COULD change the job description... IF they want to re-negotiate the person's salary.
If that person walked I'd speculate there'd be dozens of companies willing to hire them just because they walked instead of cooperating with the feds.
Dozens who want to hire them, worldwide; hundreds who will never hire them, in their local job market. Generally speaking, business owners, executives and managers regard "whistleblowers" and "refusniks" as proven troublemakers.
they can just hire any skill sets they don't already have on hand
The government can't require them to hire anyone.
A Judge can order just about anyone to do just about anything, subject only to the approval of other Judges up the chain of command /if/ their legal authority to issue the order is challenged.
Further, if the government forces them to add a government paid contractor or govt employee they could sue for damages caused by reputation loss with their commercial vendors who buy and sell their products and material. I'll bet they can easily prove it too! By charting the DIVE iPhone sales take if they publicly cooperate.
All in all the government demanding a private entity do ANYTHING without the full force of the law, not JUST some interpretation by the DOJ backed by some district court hack is a dysfunctional mess that would tie the government up in court until iOS is so fucking obsolete no one even remembers what it was.
Advantage: The State.
But as I said, as soon as this is out of the news, and Apple has made enough noise to calm their customers, they'll just do it in secret, as FISC/A requires. If they can.
Yup. :o)
Steve Kinney wrote:
The QA department is not responsible to understand how the code (or gadget) works,
That's about the stupidest thing I've read all week.

-- RR "Through counter-intelligence it should be possible to pinpoint potential trouble-makers ... And neutralize them, neutralize them, neutralize them"
Steve Kinney wrote:
The ability to monitor the supply chain inbound to the machinist, measure the parts the machinist makes and track them to their final destination in a larger assembly external customer, does not imply the ability to prescribe a specific manufacturing process, make the part in question, or to evaluate its fitness for use for a particular purpose. Those latter functions, and creation of specifications as acceptance criteria, are jobs for design and production engineers.
DUDE! You're on a tangent. The QA department writes the code to test the crypto or else you're back to a machinist (the code writer) certifying his own parts (the code). In order to write the code they HAVE to understand how the fuck the code they're testing works.

-- RR "Through counter-intelligence it should be possible to pinpoint potential trouble-makers ... And neutralize them, neutralize them, neutralize them"
On 02/26/2016 12:01 AM, Rayzer wrote:
Steve Kinney wrote:
The ability to monitor the supply chain inbound to the machinist, measure the parts the machinist makes and track them to their final destination in a larger assembly external customer, does not imply the ability to prescribe a specific manufacturing process, make the part in question, or to evaluate its fitness for use for a particular purpose. Those latter functions, and creation of specifications as acceptance criteria, are jobs for design and production engineers.
DUDE! You're on a tangent. The QA department writes the code to test the crypto or else you're back to a machinist (the code writer) certifying his own parts (the code). In order to write the code they HAVE to understand how the fuck the code they're testing works.
The division of labor relevant to QA breaks down like this:

Design work is a collaboration between sales/marketing, engineering staff and (where applicable) customer representatives. QA participates by documenting the process and assuring that relevant facts are clearly communicated between these parties. QA does not need to understand the technical details, rather it needs to assure that people who do understand these details agree that they are correct per an evidence based process.

Validation work is a collaboration between engineering staff, QA and customer representatives where applicable, with the sole objective of assuring that prototypes and first articles of a product perform as intended. Again, QA does not need to understand how the product works, only what it is supposed to do and whether or not it does that, per the report of other participants in the process.

Inspection/verification work is a collaboration between engineering, production and QA staff, with the sole purpose of assuring that components and systems do not deviate from those that passed the validation process and were approved for production.

QA is about process: Communication, documentation, and facilitating timely and effective remedial action when problems arise. QA personnel do not "do" any part of the engineering process; their whole mission is to facilitate reliable and effective work by others.
On Fri, Feb 26, 2016 at 08:45:11AM -0500, Steve Kinney wrote:
The division of labor relevant to QA breaks down like this:
/me thinks you are operating in purely theoretic model or perfect world, that has nothing to do with the real world.

in the real world QA just wants the stuff to not crash (often) on well formed input.

e.g. apple's QA from today:
http://www.theregister.co.uk/2016/02/26/remote_god_mode_code_exec_star_in_ap...

Apple TV can p0wn you in more ways than it entertains you
Thirty-three fixes flung at Cupertino's telly-enhancer
On 02/26/2016 10:46 AM, Georgi Guninski wrote:
On Fri, Feb 26, 2016 at 08:45:11AM -0500, Steve Kinney wrote:
The division of labor relevant to QA breaks down like this:
/me thinks you are operating in purely theoretic model or perfect world, that has nothing to do with the real world.
I have designed and implemented ISO 9001 quality programs for engineering firms. The paychecks were real, the external audits were real, the reliability of deliverables was real.
in the real world QA just wants the stuff to not crash (often) on well formed input.
In the real world, the QA game is about compromises: No company is ever fully compliant; success is measured in "failure to fail" in the real world, despite documented and undocumented variances in QA compliance. And of course, the ability to pass external audits.

So, since when does the ability of the QA department to verify that stuff does not crash (often) on well formed input, mean that the QA department is qualified to reverse engineer and "break" cryptographic protocols on demand? That was the origin of this whole discussion, with me on the "not QA's job" side. :)
e.g. apple's QA from today:
http://www.theregister.co.uk/2016/02/26/remote_god_mode_code_exec_star_in_apple_tv_3_patch_party_premiere/
Apple TV can p0wn you in more ways than it entertains you
Thirty-three fixes flung at Cupertino's telly-enhancer
Steve Kinney wrote:
ISO 9001
ISO 9001 pretty much just certifies that you HAVE a QA plan. Not that it works, or assures quality.

-- RR "Through counter-intelligence it should be possible to pinpoint potential trouble-makers ... And neutralize them, neutralize them, neutralize them"
You get to design the plan, so long as you stick to what you designed then you're good - don't assume anyone in their right mind would design a plan that genuinely holds them to account or is hard to achieve but they're still ISO9001 certified :D

On 26/02/16 18:25, Rayzer wrote:
Steve Kinney wrote:
ISO 9001
ISO 9001 pretty much just certifies that you HAVE a QA plan.
Not that it works, or assures quality.
Steve Kinney wrote:
Design work is a collaboration between sales/marketing, engineering staff and (where applicable) customer representatives. QA participates by documenting the process and assuring that relevant facts are clearly communicated between these parties.

Yeah, and where I worked they'd be in double-letter blueprints and the thing STILL wasn't working. That 'clear communication' turned into vendors screaming at sales engineers for not delivering, QA got circumvented or de-fanged/balled/subverted, and, after throwing QA out the window, they shipped 'whatever worked'. That didn't work really well for disk drives, and it's a hell of a way to create secure crypto.

I KNOW the way it works. It doesn't. It's NOT like W. Edwards Deming ever intended, and I'm fucking well sure the people who debug Apple's crypto know how it works or else Apple would be a remarketer of other companies' designs by now as surely as the hardware company I worked for became a net consumer of other companies' hardware re-packaged under their own name, or companies purchased and left, as subdivisions, to do it the right way, under the aegis of their parent.

-- RR "Through counter-intelligence it should be possible to pinpoint potential trouble-makers ... And neutralize them, neutralize them, neutralize them"
On Thu, Feb 25, 2016 at 01:20:55PM -0500, Steve Kinney wrote:
On 02/25/2016 10:51 AM, Rayzer wrote:
Georgi Guninski wrote:
On Wed, Feb 24, 2016 at 04:06:27PM -0800, Rayzer wrote:
FWIW I don't see how the feds can force Apple to assign an employee to do anything not in their job description without violating that employee's contract, or their civil rights, and writing code to crack phones isn't in any Apple job description, but tightening phone security is...
I am pretty sure this won't stop Apple if they want to unlock it.
Are you familiar with their job descriptions (I am not)?
It might fit in the QA end of the biz. Someone has to test security. Whether your agreement with the company allows them to 'contract' you to a 3rd party's task... I REALLY doubt it judging from my industrial end (drive manufacturing) experience. They're really REALLY concerned about letting any information about the creation of the product out of their grasp. It probably violates your confidentiality and intellectual property agreement with the company.
Can the government make you violate that agreement? Can they make Apple change its agreement with you? Can the government force you to change a worker's job description or hire/accept a government contract worker or employee?
Iow, tell you how to run your business...
Dunno. But IF an employee claimed confidentiality and intellectual property agreement as rationale for non-cooperation... Would the government also go after that employee? Force Apple to discipline or fire them?
Insubordination is always grounds for dismissal, unless an employee is ordered to break the law or expose him or herself to legally banned workplace hazards. So Apple could handle non-cooperation problems without involving the Feds: If we were Apple, would we want to piss off a client so big that it is a lucrative market all its own, just to indulge some ungrateful non-team-player's personal snit fit? What would Apple board member Ronald D. Sugar, former chairman and CEO of Northrop Grumman, say about that?
If Apple receives a Court order or lands a contract that requires re-purposing staff, they can just hire any skill sets they don't already have on hand. If special NDAs or even Federal security clearances are required, no problem: If it's a contract matter, the additional costs are included in the bid; if it's a Court order, Apple can ask for and most likely receive "reasonable" compensation for following lawful orders.
According to links here from this month, a few years ago Apple unlocked many phones at the feds' request.
Yes, but those phones didn't have the self-destruct code if I remember correctly. Apple claims it can't work around it.
"Self destruct?" It is to laugh. "Can't work around it?" Hilarious.
These propositions only work if we assume Apple does not have an in-house capability to analyze, troubleshoot and re-program its own hardware, does not have the technical capability to read from the storage media in its own devices, and lacks the engineering staff and/or data necessary to alter Apple brand software. In the case of any such deficiencies, Apple (or the FBI) can hire any required reverse-engineering done, under NDA (or gag order).
If Apple did not already do whatever was asked of them with regard to one iPhone formerly owned by one criminal suspect, the FBI can bring in the NSA on the basis of mere "suspicion" that the case may have a link to non-U.S. persons.
Instead we get a legal dispute and minor media sideshow based on a pile of false assertions by /both/ parties, apparently in collusion, with the apparent intent of creating a legal precedent for mandatory back doors in U.S. personal electronics - and/or public demand for legislation to that effect.
The words "Security Theater" come to mind, but with a stronger than usual connotation of "Security Propaganda and Disinformation."
Quite. This doesn't seem like some 'minor' legal dispute, however. We have the makings for a nice constitutional crisis with the Supreme Court justice most known for siding with defendants out of the picture. This really seems like Clipper Chip 2.0, but instead of the NSA, which seems to at least understand the fundamentals of crypto and spycraft, we have the FBI engaged in a *public* battle for legal precedent, vs what appears to be an ever-expanding number of companies who are starting to recognize the potential negative impact and risk to their business if a little forum-shopping can find your competitor a judge that will make you hand over the keys. As for public demand... Well, we used to think the public demanded the defense of marriage. When I see that only 51% support the FBI in the demand for unlocking, that's a number well worth investing in a marketing campaign for extending the 4th amendment to devices and their cryptosystems, if for no other reason than to lower long term 'compliance' costs of having to hand over keys to every local yokel sheriff who wants to see what their ex-wife's been up to.
participants (7): Georgi Guninski, grarpamp, John Young, oshwm, Rayzer, Steve Kinney, Troy Benjegerdes