iPhone unlocking firm Grayshift faces extortion demands after data breach

Comments

  • Reply 21 of 50
    radarthekat Posts: 3,130 moderator
    macseeker said:
    lukei said:
    Maybe it should be a federal crime to pay hostage and extortion demand via cryptocurrency.  It’s a real threat to society to have an untraceable medium of exchange.  Hmm, maybe gold too.  Lol
    It isn’t untraceable. That’s the big con. 
    Isn't there a master log book of all cryptocurrency transactions?  I think I've read that somewhere.
    That reveals who owns each coin/satoshi?  Nope.  That’s why you must safeguard the encrypted keys to your specific bitcoin cache. If you lose them you lost your bitcoin because there’s no way to prove ownership without them.  Because your ownership of a bitcoin isn’t recorded anywhere.  So ownership is anonymous.
  • Reply 22 of 50
    crowley Posts: 6,017 member
    Criminals are stuuuuupid.  Now the FBI is 2x motivated to shut them up. 
    (One because extortion is illegal.  Two because they don’t want the code leaked and the vulnerability patched)
    What has extortion being illegal got to do with the FBI “shutting up” Grayshift?  Grayshift aren’t the ones doing the extorting.
  • Reply 23 of 50
    sflocal Posts: 4,699 member
    sflocal said:
    This article sounds more like click-bait dramatics than actual damage.  Sounds like the box has a built-in web server and all a user has to do is communicate via a browser instead of having to install some kind of software on their computers.  

    This is not even anything remotely close to having access to the actual code which makes this hardware work unless the actual code is a bunch of php, java, javascript, etc., which to me would just not make sense.

    There is way more to this story that is not being discussed, and I'm beginning to think it's another one of the media's "Let's be the first to post, and retract later" antics.  I'm a software engineer and there's just too many holes in this story to come to any kind of conclusion just yet.  
    How do you know what code lives where and what they got? There is a web interface to interact with the box itself, but if you have the source code for the box itself you could just build your own box. 
    Source code and binary/compiled code are two different things entirely.  It makes zero sense that uncompiled, readable source code would exist in an end-product that can be removed and used elsewhere.  It's like Apple publishing source code in a folder inside an iPhone itself.  Zero sense.

    If the device has an embedded web server, then I can see someone hacking into the web server and lifting UI "source code" which has nothing to do with the actual (compiled) code that is installed on the device itself.  That compiled code is what interfaces to the iPhone.

    Even if the hackers were somehow able to lift the firmware binaries from the device, that is not the actual source code.

    This article is making assumptions, and it sounds like it was written by someone that has little knowledge about how systems work.
  • Reply 24 of 50
    sflocal said:
    This article sounds more like click-bait dramatics than actual damage.  Sounds like the box has a built-in web server and all a user has to do is communicate via a browser instead of having to install some kind of software on their computers.  

    This is not even anything remotely close to having access to the actual code which makes this hardware work unless the actual code is a bunch of php, java, javascript, etc., which to me would just not make sense.

    There is way more to this story that is not being discussed, and I'm beginning to think it's another one of the media's "Let's be the first to post, and retract later" antics.  I'm a software engineer and there's just too many holes in this story to come to any kind of conclusion just yet.  
    You're right. It's a bit like taking the HTML code from Apple's homepage and demanding a ransom. Seems like they have nothing that an average developer couldn't have thrown together in an afternoon.
  • Reply 25 of 50
    sflocal said:
    Source code and binary/compiled code are two different things entirely.  It makes zero sense that uncompiled, readable source code would exist in an end-product that can be removed and used elsewhere.  It's like Apple publishing source code in a folder inside an iPhone itself.  Zero sense.

    If the device has an embedded web server, then I can see someone hacking into the web server and lifting UI "source code" which has nothing to do with the actual (compiled) code that is installed on the device itself.  That compiled code is what interfaces to the iPhone.

    Even if the hackers were somehow able to lift the firmware binaries from the device, that is not the actual source code.

    This article is making assumptions, and it sounds like it was written by someone that has little knowledge about how systems work.

    True, but...

    Looking at the UI code can sometimes provide clues to the binary code that is doing all the work.  This is one of the places attackers look when trying to infiltrate a system that has a web interface.  Looking at the UI code isn't usually sufficient by itself, unless the coders are incredibly stupid, but it can still provide clues as to what information is needed by the underlying binaries, and what those binaries return to the UI for display.  Clues that are then used to probe for further weaknesses.

  • Reply 26 of 50
    With the addition of Qi it’s all a bit of a moot point. The last port on an iPhone will most likely go the way of the mini headphone jack in the near future. Hence no port to tap into.
  • Reply 27 of 50
    crowley Posts: 6,017 member
    berndog said:
    With the addition of Qi it’s all a bit of a moot point. The last port on an iPhone will most likely go the way of the mini headphone jack in the near future. Hence no port to tap into.
    Hard to believe that there'll be no way to make a direct connection completely, surely Apple will need something to connect to for fault diagnostics.  Can't imagine they'll be happy offloading that all onto a wireless connection.
  • Reply 28 of 50
    Cesar Battistini Maziero Posts: 167 unconfirmed, member
    "We want a backdoor just for law enforcement to use, we promise you it will not leak! Every one will be safe!"

    Fuck the government for wanting these tools!
  • Reply 29 of 50
    MacPro Posts: 18,367 member
    MplsP said:
    Today's news is troubling not only for Grayshift, but for iPhone owners as well...the specter of a fully developed iPhone unlocking tool floating in the wild remains.

    This is my concern. Of course, if the code is released, Apple will also be able to analyze it and potentially patch the hole. Who knows, maybe they've already ponied up the 2 bit coin to get the code.

    On a side note, I'm starting to think the US should do like other countries and ban bitcoin. One of the primary uses is for ransom, extortion and terror funding to countries like North Korea, and aside from the curiosity, I can't think of many true reasons to use bitcoin.

    Then maybe GPUs might come down in price too!  lol. I keep wondering if AMD and Nvidia might be secretly behind cryptocurrencies.
    edited April 2018
  • Reply 30 of 50
    zimmie Posts: 277 member
    macseeker said:
    lukei said:
    Maybe it should be a federal crime to pay hostage and extortion demand via cryptocurrency.  It’s a real threat to society to have an untraceable medium of exchange.  Hmm, maybe gold too.  Lol
    It isn’t untraceable. That’s the big con. 
    Isn't there a master log book of all cryptocurrency transactions?  I think I've read that somewhere.
    That reveals who owns each coin/satoshi?  Nope.  That’s why you must safeguard the encrypted keys to your specific bitcoin cache. If you lose them you lost your bitcoin because there’s no way to prove ownership without them.  Because your ownership of a bitcoin isn’t recorded anywhere.  So ownership is anonymous.
    Ownership is anonymous, but perfectly traceable. Placement of real money into Math Beanie Babies and extraction of real money from them is only as anonymous as the exchange lets it be. Most keep surprisingly detailed logs of real identities and bank accounts used in transactions converting between real money and Math Beanie Babies. Only mined tokens are actually anonymous, and only until you use them for something.

    Also, Bitcoin in particular is extremely likely to currently be illegal in most countries. The Bitcoin ledger has been manipulated to link to child porn, and possibly contain some (German research, but the paper is in English). In the current implementation, miners need a full copy of the ledger on their systems to mine new tokens (the "mining" process is actually validating existing contents of the ledger). While transacting in Bitcoin does not require possessing a copy of the ledger, you need a large number of people who do possess a copy to confirm the transaction. The legal implications of causing other people to possess child pornography to do work on your behalf, when you do not possess it yourself, are not really explored yet.
  • Reply 31 of 50
    zimmie Posts: 277 member

    crowley said:
    Criminals are stuuuuupid.  Now the FBI is 2x motivated to shut them up. 
    (One because extortion is illegal.  Two because they don’t want the code leaked and the vulnerability patched)
    What has extortion being illegal got to do with the FBI “shutting up” Grayshift?  Grayshift aren’t the ones doing the extorting.
    The "them" in the OP isn't Grayshift. It's the criminals doing the extorting. The FBI is motivated to find the people doing the extorting both because extortion is illegal and because the FBI has a vested interest in Grayshift code remaining secret.
  • Reply 32 of 50
    SpamSandwich Posts: 31,396 member
    Maybe it should be a federal crime to pay hostage and extortion demand via cryptocurrency.  It’s a real threat to society to have an untraceable medium of exchange.  Hmm, maybe gold too.  Lol
    Next thing you know, they’ll ban any and all cash transactions because they are untraceable.
  • Reply 33 of 50
    SpamSandwich Posts: 31,396 member
    According to the letter of the law, doesn’t this GrayKey box violate the DMCA and likely all US anti-hacking laws?
  • Reply 34 of 50
    robin huber Posts: 3,288 member
    It’s a brute force solution, no magic code. Answer is simply to use stronger password. With Face ID it doesn’t matter if your password is 17 characters long. It’d take Grayshift’s dumbbox years to break it. Long before then it would have been obsolete. 
  • Reply 35 of 50
    robin huber Posts: 3,288 member
    Maybe it should be a federal crime to pay hostage and extortion demand via cryptocurrency.  It’s a real threat to society to have an untraceable medium of exchange.  Hmm, maybe gold too.  Lol
    Next thing you know, they’ll ban any and all cash transactions because they are untraceable.
    Cash is only “sort of” untraceable vis-à-vis bitcoin. Some guy in Russia demands payment to de-encrypt your data. Bitcoin allows payment with one click. No fingerprints, DNA, postage records, travel records, etc.  There is no perfect solution, but why make it so damn easy for criminals. Make them work much harder and have the possibility of a trail of breadcrumbs. Long live cash. Death to crypto currency! 😄
  • Reply 36 of 50
    Soli Posts: 9,261 member
    berndog said:
    With the addition of Qi it’s all a bit of a moot point. The last port on an iPhone will most likely go the way of the mini headphone jack in the near future. Hence no port to tap into.
    I don't see the Lightning port going away anytime soon. It's the easiest way to access the device, it's the fastest way to charge and sync the device, there are a lot of accessories that depend on that connection (often for power from the iDevice), and even if it were removed there would still be a diagnostics port that would still be exploitable, just as we've seen with the Apple Watch.


    It’s a brute force solution, no magic code. Answer is simply to use stronger password. With Face ID it doesn’t matter if your password is 17 characters long. It’d take Grayshift’s dumbbox years to break it. Long before then it would have been obsolete. 
    Just make sure you use at least one very special character (i.e.: long press on certain iOS keyboard keys to get more options) and you can have a much shorter complex passcode with a much longer time to crack.

    By my count there are around 210 characters for iOS 11.3.x for the American English keyboard. For an 8 character passcode it would result in 3,782,285,936,000,000,000 (3.7 quintillion?) possible combinations. Excluding the very special characters you still get 7,837,433,594,376,960 (7.8 quadrillion?) combinations if just one character that is only available from a long press.
    edited April 2018
  • Reply 37 of 50
    MplsP Posts: 1,651 member
    MplsP said:
    Today's news is troubling not only for Grayshift, but for iPhone owners as well...the specter of a fully developed iPhone unlocking tool floating in the wild remains.

    This is my concern. Of course, if the code is released, Apple will also be able to analyze it and potentially patch the hole. Who knows, maybe they've already ponied up the 2 bit coin to get the code.

    On a side note, I'm starting to think the US should do like other countries and ban bitcoin. One of the primary uses is for ransom, extortion and terror funding to countries like North Korea, and aside from the curiosity, I can't think of many true reasons to use bitcoin.

    Yes, and let’s ban money — should put an end to greed and exploitation if there’s no money, right?
    *sigh* Yes, that's exactly what I meant. (although a utopian world without money would be nice) Are you really that obtuse?

    Cryptocurrencies have become the medium of choice for illicit financial dealings. Unlike traditional currencies, they can be electronically transmitted in a virtually untraceable fashion. Gold, bearer bonds and other physical items may be untraceable, but have to be physically transferred, making them much less useful for things like extortion.
  • Reply 38 of 50
    Soli Posts: 9,261 member
    MplsP said:
    MplsP said:
    Today's news is troubling not only for Grayshift, but for iPhone owners as well...the specter of a fully developed iPhone unlocking tool floating in the wild remains.

    This is my concern. Of course, if the code is released, Apple will also be able to analyze it and potentially patch the hole. Who knows, maybe they've already ponied up the 2 bit coin to get the code.

    On a side note, I'm starting to think the US should do like other countries and ban bitcoin. One of the primary uses is for ransom, extortion and terror funding to countries like North Korea, and aside from the curiosity, I can't think of many true reasons to use bitcoin.

    Yes, and let’s ban money — should put an end to greed and exploitation if there’s no money, right?
    *sigh* Yes, that's exactly what I meant. (although a utopian world without money would be nice) Are you really that obtuse?

    Cryptocurrencies have become the medium of choice for illicit financial dealings. Unlike traditional currencies, they can be electronically transmitted in a virtually untraceable fashion. Gold, bearer bonds and other physical items may be untraceable, but have to be physically transferred, making them much less useful for things like extortion.
    Most illicit financial dealings are still happening through wire transfers, checks, shell companies. Do you really think this guy knows a damn thing about Bitcoin?


    edited April 2018
  • Reply 39 of 50
    zimmie Posts: 277 member
    According to the letter of the law, doesn’t this GrayKey box violate the DMCA and likely all US anti-hacking laws?
    Letter and spirit, yes. The thing is law enforcement, by its very nature, has the ability to break the law. In the U.S., warrants are explicit grants of permission to break the law. One branch of government requests a warrant from another branch, which reviews it, and either grants or rejects it. The warrant application is meant to explain what law they want to break, why, and list the expected results.

    Without that understanding, the police would never be able to arrest anybody (kidnapping), search a residence without the owner's permission (breaking and entering), or any number of other things.

    So it is probably illegal for Grayshift to have developed it (DMCA), and it is illegal for it to be used to access a person's cell phone without that person's permission (CFAA). The latter violation of the law is ostensibly covered by the police/FBI having a warrant.

    The former is more complicated. Bypassing encryption safeguards (or telling other people how to do so) is explicitly called out in the DMCA as illegal. I suspect it would fall into the same legal area as HDCP strippers.
  • Reply 40 of 50
    davidw Posts: 975 member
    Maybe it should be a federal crime to pay hostage and extortion demand via cryptocurrency.  It’s a real threat to society to have an untraceable medium of exchange.  Hmm, maybe gold too.  Lol
    Next thing you know, they’ll ban any and all cash transactions because they are untraceable.
    Not from an extortionist standpoint, unless by cash, you mean coins. Paper money is traceable as there's a serial number that is unique on every single bill. If one were to pay an extortionist a million dollars in paper money, where all the serial numbers of the bills were recorded, that money is traceable. It can be traced back to whomever recorded the serial numbers, before handing it over to the extortionist.

    Banks sometimes record the serial numbers of an unusually large cash deposit to check for bills the FBI are on the lookout for. And places like casinos are known to use computer imaging to record the serial numbers of the bills gambled, though they are mainly looking for counterfeits. But law enforcement knows that casinos are places where criminals try to launder ransom and drug money and the casinos can be informed to look for certain bills. It is very hard to spend or get rid of a large amount of cash, in a short time, without being noticed. Plus if the extortionists are caught, any money they still have from the ransom will be evidence against them.

    One of the reasons why the FBI don't think DB Cooper survived his jump is because to this date, not a single bill that was handed to him in the ransom, ever turned up in circulation or at any bank, anywhere in the US. Banks record the serial numbers of the bills when the bills are eventually taken out of circulation. Those bills would be over 40 years old now, if they are still in circulation and the average lifespan of paper US money is less than 10 years.

    The only bills found were the ones found in the river bed near where he's thought to have landed.

    Here's an interesting story about that money.

    https://www.pcgscurrency.com/dbcooper.html
