Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

http://www.forbes.com/sites/andygre...ment-cracks-your-iphones-security-code-video/

http://www.thestandard.com.hk/news_...pe=3&d_str=20120326&isSearch=1&sear_year=2012

Company blog: http://www.msab.com/posts/blog

 

Re: Here's How Law Enforcement Cracks Tour iPhone's Security Code (Video)

I thought this was common knowledge? Smartphones are the windows 98 of 2012 without user intervention

 

Looks like I got my Capital Ts & Ys mixed-up again earlier in thread's title. Either the old "mince-pies" (eyes) are fading fast, or I'm drinking the wrong coffee.
Would be grateful if any mod feels to fix the typo, if best, thanks.

 

Re: Here's How Law Enforcement Cracks Tour iPhone's Security Code (Video)

Did I miss something, or did that article basically state that they were able to brute force a 4 digit pin? not meaning to be cute or anything, I'm just not sure I understood what is special about this specific situation.

 

Re: Here's How Law Enforcement Cracks Tour iPhone's Security Code (Video)

If you are using Icloud then most data (contacts,bookmarks, gps location, mail, installed apps, installed itunes items, home and office wifi details, creditcard details, home address etc), are stored in a US CLOUD. And pictures of your house on Google streetview
And perhaps even your documents are in the cloud (Lion)
So they don't even have to access the iphone

 

Re: Here's How Law Enforcement Cracks Tour iPhone's Security Code (Video)

You decide what gets backed up to iCloud from an iOS device. Mail, for example, is off by default. Photos are on by default, but you can turn it off. The USER selects what gets backed up in the iCloud user settings.

 

Re: Here's How Law Enforcement Cracks Tour iPhone's Security Code (Video)

Nothing at all. The article makes clear that when iOS users opt for the strong passwords as opposed to the default 4 digits, it can be impossible to crack. In other words, no story here.

 

That's why i don't store any important information in my phone.

 

That's exactly it. You can protect devices/computers that use 256 bit encryption with a strong passphrase. If you trust your phone/iPad with a four digit code -your on your own.

 

I guess that's the risk/danger that many would/do(?) only use a silly 4 character pw to "protect" a device on which they may be doing online banking/shopping etc.
I believe many are still un-informed about potential risk, and how to counter it, so getting the message over repeatedly can only help.
In the end, if someone's too lazy/incapable of having good passwords and security, it's their own choice.

 

Re: Here's How Law Enforcement Cracks Tour iPhone's Security Code (Video)

Ha! If the Gov wants to peer at them, you can bet your bottom dollar they have plenty of ways to do just that unbeknowns to anyone. They don't pay world class hackers to work for them for nothing.

 

Re: Here's How Law Enforcement Cracks Tour iPhone's Security Code (Video)

True. Although for every world class hacker the government employs, there are probably dozens if not hundreds of similarly-skilled hackers, who are not employed by any government and who are on "our side", so to say. I wouldn't be so quick to assume that the government can do anything without our knowledge, they have their limits too.

 

Re: Here's How Law Enforcement Cracks Tour iPhone's Security Code (Video)

I didn't say that government, under a lawful warrant, couldn't look at them. I was saying that iBackup only backs up what the user tells it to.

Also, all iPad/iPhone users here should be smart enough to enable the strong encryption...it takes an extra couple of seconds than the default 4 digits. Here they've sold you a fully encrypted device, (probably the only fully encrypted OS out-of-the-box), and many make it easy to crack using the default 4 digits in the name of simplicity. Turn on the strong encryption option and create a long password/key/passphrase/whatever.

 

If you encrypt please use AES256 (RijnDael) to help the government.
Please don't use new or unknown, or much stronger encryption


As Microsoft has responded to the Europeans their cloud must contain a US govern. backdoor, just as proven to be the case with dropbox.
-http://www.zdnet.com/blog/igeneration/microsoft-we-can-hand-over-office-365-data-without-your-permission/11041-

And:
-http://www.wired.com/threatlevel/2011/05/dropbox-ftc-

Fact: encryption import/export was illegal before AES256 became the stndard
Fact: non-AES 256 commercial encryption software is very difficult to find
(except for even older ciphers)
Fact: Europe has a problem with the fact that US cloud provider must have a backdoor to provide data in case of a subpoena etc. and for confidential data it will not store its data there unless some new encryption can be used.
Fact: such a backdoor might be exploited by hackers (as well)

Did you ever looked for encryption software that has a more recent encryption version, that needs the cpu power a modern pc has, and not the old pc's that were available in the time that AES256 became the standard?

 

tuatara in italics
I'm (Lockbox) in bold)

------------------------------

If you encrypt please use AES256 (RijnDael) to help the government.
Please don't use new or unknown, or much stronger encryption


As Microsoft has responded to the Europeans their cloud must contain a US govern. backdoor, just as proven to be the case with dropbox.
-http://www.zdnet.com/blog/igeneration/microsoft-we-can-hand-over-office-365-data-without-your-permission/11041-

And:
-http://www.wired.com/threatlevel/2011/05/dropbox-ftc-

They tell you upfront that they can and will hand it over under legal requests. Dropbox's problem had NOTHING to do with AES backdoors, it had to do with not encrypting with AES-256 when they said they were.

Fact: encryption import/export was illegal before AES256 became the stndard

Not true. There have been export controls on encryption long before Rijndael (the current AES).

Fact: non-AES 256 commercial encryption software is very difficult to find
(except for even older ciphers)

Again, this just isn't true. Truecrypt, for example, offers Serpent, Twofish, etc. You wouldn't want to use brand new and untested ciphers. There's non-AES encryption products all over the marketplace.

Fact: Europe has a problem with the fact that US cloud provider must have a backdoor to provide data in case of a subpoena etc. and for confidential data it will not store its data there unless some new encryption can be used.

Where did you hear this? I read the year-old Znet story you linked to above and if you got what you wrote from that - the article didn't say that at all. Also, Microsoft Office 365 documents are NOT encrypted once they're at Microsoft servers. The only encryption is your documents en route via SSL/TSL - it has nothing to do with the actual documents being encrypted.

Fact: such a backdoor might be exploited by hackers (as well)

?

No backdoor to discuss.

Exactly. ?!?

Did you ever looked for encryption software that has a more recent encryption version, that needs the cpu power a modern pc has, and not the old pc's that were available in the time that AES256 became the standard?

I don't understand your question.

Somebody's led you astray with a lot of false information.

 

Correct, but I did not say that they decrypted aes, sorry for the misunderstanding,
only what has published and made public about this case. That this cloud was less safe then their customers were told, the same about Microsoft and cloud
- http://www.itworld.com/government/179977/eu-upset-microsoft-warning-about-us-access-eu-cloud -
Again this is not about decrypting AES only about backdoors.

You are correct, all just as old and from the 90's. and indeed ,you shouldn't use untested ones.

i was thinking about these: -https://en.wikipedia.org/wiki/ESTREAM-

And this:
- http://www.pmc-ciphers.com/eng/content/Backround-Info/Giant-Block-Size-Polymorphic-Cipher.html -

And of course i understand, that if i say that i lost trust in AES 256,
some may think different , but i respect that.

 

Thanks for this Tuatara, a lot of useful info.

Have you bought and used http://www.pmc-ciphers.com/eng/content/TurboCrypt/File-Encryption.html ?

What's your impression of the tool?

 

Regarding:

Lockbox,
You misread his statement. Encryption export laws were relaxed after AES256. I find that very questionable as well.

I share your distrust Tuatara. This consistent push towards AES at the exclusions of all others sets off alarms for me. It makes me think that they have broken it. Too much emphasis is placed on the age of a cipher. Blowfish has been around since 1993, yet (quoted from Wikipedia) "no effective cryptanalysis of it has been found to date." It's stood up for nearly 20 years. How much better does it have to be? Yet when one tries to discuss encryption ciphers, "experts" come out of the woodwork, all pointing to AES as the way to go. Over the years, I've seen many instances where people are pushed, encouraged, coerced, etc into using something, changing to something, etc, only to find that the common people don't benefit from that change. Someone richer or more powerful does. Everything I see regarding the internet, computing equipment, encryption, etc is on that path. All of it is becoming more hostile to the individuals privacy/security. We're trading core values for eye candy and the chance to be "with the times". No thanks. I'll stay with Blowfish on an older OS that's under my control, just because I can.

As for the "smart" phones and storing data on "the cloud", there's no way I'll store anything of value on the cloud. I won't use any device that's designed to do so. AFAIC, smart phones are little more than personal tracking and data mining devices, 24/7 spies on their users. Call it paranoid if you like. It doesn't bother me, especially when much of what I've been called paranoid for has happened and is happening.

 

Wild speculation aside, I suggest you at least use the twofish cipher if you really want to go that route.

 

Basically what I said but I deleted the post because it almost felt pointless.

There are differences between Blowfish and AES. AES is just the name given to the ciper that "won" and became the standard - that is why it's pushed. If Blowfish had one it would be called AES and it would be pushed.

AES is better for full disk encryption because of blocking. Blowfish is better for smaller files for the same reason. They're both great, so are the other competitors in the competition. Why don't you hear about them? Because they didn't win... that's just how it works.

That said, mix and match. TrueCrypt is great because it lets you mix Blowfish (or a cipher that is based on and improves blowfish) with AES.

 

Also worth noting tha tin the competition the people who created twofish (improved blowfish) and every other entrant marked AES as the best encryption after their own, of course. Each put theirs first, everyone put AES second. It's not just disinformation agents or whoever you think it is pushing AES - the people who entered this competition all recognized it as being the best.

 

While I choose a non-AES option whenever possible, I don't believe it has been broken, or been designed with a back door. All the NIST finalists have been scrutinized by the other NIST competitors (Schneier for example), and the academic world is too vast to be under the control of a massive conspiracy. Twofish came in second, IIRC...would we be saying this about Bruce if he won? The criminals would find this pretty quick, I imagine, as all financial data transmission is AES for the most part.

PD

 

Thanks

I think it is a VERY BAD idea that everybody wants to use AES 256.
It is better to use different versions, not those that were developed in the 90's and were designed to run on the 8 bits hardware that was common then.

Just imagine that it can be decrypted

And strange that there are still export restrictions on 'certain' algorithms:
- http://www.bis.doc.gov/policiesandregulations/ear/index.htm -

See category 5 part 2

 

Indeed, I am all for people to be skeptical, though there is a difference being skeptical of what an organization or entity is saying than being skeptical of proven research. Throwing that out the window just because an organization or entity has adopted it seems foolish. I shudder to think what would happen if I mentioned the basic protocols behind the internet and TOR were all U.S military projects at one point as well. As it seems the call to not use AES is simply due to the U.S government using it, therefore it is automatically crackable.

 

Completely agree. Encryption and computing in general are no different from life itself in this regard. Strength comes from diversity.

Hungry,
AFAIC, who won some competition or which "expert" thinks which one is best is irrelevant. Unbroken is unbroken, aka secure. Until someone can show me otherwise, I see no reason to switch. I don't subscribe to "newer is better". BTW, Blowfish also works quite well on partitions. I used to run a P2P app from a Blowfish encrypted partition on an external drive. It ran fine, day after day.