Re: [Cryptography] EFF amicus brief in support of Apple
> Bottom line: if FBI/DoJ can strongarm Apple into electronically signing malware, then we have entered into a truly new imperial era, where trillion-dollar companies can be rubber-hosed into misusing their private crypto keys.
> No amount of technology, per se, can prevent this particular MITM attack. We're now going to have to have multiple keys from multiple "trusted" sources prior to accepting a firmware update. Forget visiting Switzerland or the Cayman Islands for access to $$$; you may now have to physically go there to get your iPhone securely updated.
See, this is a problem. All this trust in single entities, singular and closed systems, that you keep needing to place. Why in the fuck do you keep doing this? Your compute hardware should be completely open. Your compute software should be completely open. You should fuse your own keys into your own hardware for software builds you reproducibly build, sign and install yourself from distributed open-source software. Open designs, open fabs, open products, open source. You are NOT going to solve these problems without it. And quit crying profit... the work of your plumber is all in the open and profitable. Or quality... all quality is currently shit, but at least you stand a chance of seeing the flies on it if it's open.
> I'm sure that Microsoft/HP/Dell are looking upon these proceedings with mixed feelings, as I suspect that they've *already* provided their code-signing keys to the govt
Like all those call and other data... just for the asking, thus retroactive immunity for them, thus rolled up for absorption and enacted by an unaccountable government.
> -- perhaps under FISA NSL -- or perhaps out of a misplaced sense of patriotism.
These two are one and the same.
> Apple's digital signature is tied to their credible responsibility that software they sign is theirs
Yes, it's theirs, which they can fuck you with at any time... because you trusted them, oops.
> and in the best interest of their customers and Apple's business.
These are in tenacious conflict.
> As a minimum the existence of compelled software lays waste to the EULA.
Shrinkwrap hardware / software EULAs offer you nothing concrete, trustworthy, or compensatable. All to them, none to you. Negotiated contracts are different but just as tricky.
On Sat, Mar 05, 2016 at 03:23:18PM -0500, grarpamp wrote:
> Bottom line: if FBI/DoJ can strongarm Apple into electronically signing malware, then we have entered into a truly new imperial era, where trillion-dollar companies can be rubber-hosed into misusing their private crypto keys.
> No amount of technology, per se, can prevent this particular MITM attack. We're now going to have to have multiple keys from multiple "trusted" sources prior to accepting a firmware update. Forget visiting Switzerland or the Cayman Islands for access to $$$; you may now have to physically go there to get your iPhone securely updated.
> See, this is a problem. All this trust in single entities, singular and closed systems, that you keep needing to place. Why in the fuck do you keep doing this?
> Your compute hardware should be completely open. Your compute software should be completely open. You should fuse your own keys into your own hardware for software builds you reproducibly build, sign and install yourself from distributed open-source software.
> Open designs, open fabs, open products, open source. You are NOT going to solve these problems without it.
> And quit crying profit... the work of your plumber is all in the open and profitable.
> Or quality... all quality is currently shit, but at least you stand a chance of seeing the flies on it if it's open.
The http://q3ube.be, https://puri.sm/ and http://efabless.com are open for business.

If you happen to own a chain of gas stations, you might decide an open hardware and multi-signature payment system that lets the customers authenticate the gas pump before payment might be a good long-term investment if you want to keep your customers. http://www.wthr.com/story/31039979/credit-card-skimmers-hit-again-in-central...

Place your orders now, or learn how to eat the cost of systems re-compromised with legislative trojans and court-order malware.

And if you want to make any money in this space, think like a plumber and get used to dealing with everyone else's shit.

-- 
----------------------------------------------------------------------------
Troy Benjegerdes 'da hozer' hozer@hozed.org
7 elements earth::water::air::fire::mind::spirit::soul grid.coop
Never pick a fight with someone who buys ink by the barrel, nor try to buy a hacker who makes money by the megahash
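The "multiple keys from multiple 'trusted' sources prior to accepting a firmware update" idea in the quoted message above, and Troy's multi-signature pump/payment suggestion, both come down to the same check on the device: do not accept an image (or a pump's identity) on the say-so of one key. The following Go program is an added example, not code from either poster or from any product named in the thread. It assumes Ed25519 signatures (the thread names no scheme), three illustrative pinned signers called vendor, auditor and owner, a 2-of-3 threshold, and a constructed byte string standing in for a firmware image. A single coerced vendor key can no longer push an image on its own, reusing the vendor key under the auditor's name is rejected because the signature is checked against the key pinned for that name, and a valid signature set does not carry over to a modified image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is one independent party whose public key the device pins at
// manufacture (or that the owner fuses in). Names are illustrative.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
}

// UpdatePolicy accepts an image only if at least Threshold distinct pinned
// signers have produced a valid signature over its SHA-256 digest.
type UpdatePolicy struct {
	Signers   []Signer
	Threshold int
}

// Signature is a detached signature over the image digest, labelled with the
// signer it claims to come from. The label is untrusted input; only the
// pinned key for that name decides whether the signature counts.
type Signature struct {
	Signer string
	Sig    []byte
}

// Verify returns the distinct pinned signers with a valid signature and
// whether that set meets the policy threshold.
func (p UpdatePolicy) Verify(image []byte, sigs []Signature) ([]string, bool) {
	digest := sha256.Sum256(image)
	counted := map[string]bool{}
	var accepted []string
	for _, s := range sigs {
		if counted[s.Signer] {
			continue // one vote per key: a key signing twice does not count twice
		}
		for _, signer := range p.Signers {
			if signer.Name == s.Signer && ed25519.Verify(signer.Pub, digest[:], s.Sig) {
				counted[s.Signer] = true
				accepted = append(accepted, s.Signer)
				break
			}
		}
	}
	return accepted, len(accepted) >= p.Threshold
}

func newSigner(name string) (Signer, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Name: name, Pub: pub}, priv
}

func sign(name string, priv ed25519.PrivateKey, image []byte) Signature {
	d := sha256.Sum256(image)
	return Signature{Signer: name, Sig: ed25519.Sign(priv, d[:])}
}

// Scenario runs four update attempts against a 2-of-3 policy and reports
// whether each is accepted: vendor alone, vendor plus auditor, vendor
// reusing its own key under the auditor's name, and a valid signature set
// replayed over an image that was modified afterwards.
func Scenario() (vendorOnly, vendorAndAuditor, forgedAuditor, tampered bool) {
	vendor, vendorKey := newSigner("vendor")
	auditor, auditorKey := newSigner("auditor")
	owner, _ := newSigner("owner")
	policy := UpdatePolicy{Signers: []Signer{vendor, auditor, owner}, Threshold: 2}

	image := []byte("constructed firmware image v1.1") // constructed sample, not a real image

	_, vendorOnly = policy.Verify(image, []Signature{sign("vendor", vendorKey, image)})

	good := []Signature{sign("vendor", vendorKey, image), sign("auditor", auditorKey, image)}
	_, vendorAndAuditor = policy.Verify(image, good)

	_, forgedAuditor = policy.Verify(image, []Signature{
		sign("vendor", vendorKey, image),
		sign("auditor", vendorKey, image), // wrong key for this name: rejected
	})

	modified := append([]byte(nil), image...)
	modified[len(modified)-1] = '2' // v1.1 -> v1.2 after signing
	_, tampered = policy.Verify(modified, good)
	return
}

func main() {
	a, b, c, d := Scenario()
	fmt.Printf("vendor only: %v\nvendor+auditor: %v\nforged auditor: %v\ntampered image: %v\n", a, b, c, d)
}
```

The threshold and the signer set are the policy; who the independent signers are (an auditor who reproduced the build, the device owner's own fused key) is the part the thread argues about, and it is exactly the part a single-vendor signing scheme leaves out.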
participants (2)
- grarpamp
- Troy Benjegerdes