Re: [Cryptography] Apple 3rd Party dilemma
On 2/20/16, Henry Baker <hbaker1@pipeline.com> wrote:
At 11:48 AM 2/20/2016, Viktor Dukhovni wrote:
On Sat, Feb 20, 2016 at 02:01:10PM -0500, Phillip Hallam-Baker wrote:
Apple got themselves into this mess, because Apple wants to control the customer's phone. +1 Yes, that is my belief as well. Apple set itself up not just as a 3rd party but as an essential, non-replaceable third party. There is no choice but to trust Apple for
On Fri, Feb 19, 2016 at 5:19 PM, Henry Baker <hbaker1@pipeline.com> wrote: the iPhone security.
It didn't have to be that way. There could be the option of installing your own root of trust into the hardware.
Except that, in that case, most of the "your own root" installations would be some attacker's "own root" installations.
In practice, curated security works better for the vast majority of users.
The vast botnets of Legacy Windows installations are compelling evidence that expecting the average user to secure a general-purpose computing platform is unreasonable.
You pay a premium price for Apple to take care of the details.
The *money* price isn't the major problem; the problem is the *3rd party doctrine,* which gives the NSA/FBI/DHS/DOJ easy/trivial access to your "cloud" data. Look at how easy FBI/DOJ obtained the cloud backups of Farook's iPhone.
The only solution is to store only fully encrypted data in the cloud; but if you lose your iPhone or the key, it's gone.
It's also gone if you (or the govt) goes beyond 10 guesses; so the govt has an easy DoS attack on your data: have the TSA screw with your phone every time you cross the border.
Hey, hey, you (govt), you (govt), get off of My Cloud!
Even the laborer these days knows some concept of backups and security, regardless if they have any clue or motivation to do it. There's zero reason now why hardware makers cannot include a binary option: a) i'm stupid, for now just show me knowledge about secure mode b) ok, instantiate non-nanny-state secure mode or a) your device ships in secure mode b) do you want to be nannied Any maker that gratuitously retains control for whatever purpose and does not provide this does not believe in empowerment, and is thus shameful.
participants (1)
-
grarpamp