Hey governmental idiots: what's stopping these same organizations from distributing their own software with open-source end-to-end encryption on open platforms? Answer: nothing. You are only taking privacy away from good people (whom criminals will then target) while doing nothing to stop terrorism.
Let's face it, you can't do your job and you want to blame technology. Sounds like what every non-technological company and organization in the history of forever has attempted to do and ultimately failed.
I don't know too much about the French Cazeneuve but I do know a bit about Thomas de Maizière and I can say with full confidence: He is a real danger to Germany because most of his statements are ill considered and not thought through and they would fall under the category: Uneducated Moron.
Burdening the public with weakened security for the sake of preventing terrorists is like burdening all bank customers with financially crippling regulations only designed for lottery winners.
Germany was one of the countries which started an encryption race a decade or longer ago. German firms were using 4096-bit encryption even for firms' WAN traffic that goes across borders.
What a reversal change in direction now
You know the problem isn't that governments are calling for access to encryption right now, the problem is when a massive heatwranching terror event happens at some point in the future and in the descending panic,rage and unfathomed emotional distress people are manipulated into an irrational dessision that will not be very easy to reverse.
I think tech companies like Apple should actively be seeking a global legislative resolution that will finalize the issue now and forevermore and insure that no matter what happens in the future no matter what horrors await that declarations made now can never be reversed or abandoned.
Germany was one of the countries which started an encryption race a decade or longer ago. German firms were using 4096-bit encryption even for firms' WAN traffic that goes across borders.
What a reversal change in direction now
You know the problem isn't that governments are calling for access to encryption right now, the problem is when a massive heatwranching terror event happens at some point in the future and in the descending panic,rage and unfathomed emotional distress people are manipulated into an irrational dessision that will not be very easy to reverse.
I think tech companies like Apple should actively be seeking a global legislative resolution that will finalize the issue now and forevermore and insure that no matter what happens in the future no matter what horrors await that declarations made now can never be reversed or abandoned.
Most governments are elected. If that's the case and governments are able to get away with manipulating people into making irrational decisions, that's the people's fault for being uninformed. There is no way Apple can seek some kind of a global legislative solution that can never be reversed or abandoned. As long as enough people say, "I have nothing to hide," we run the risk of being manipulated into handing over our rights.
In the wake of the FBI's attempt to get Apple build what would have been tantamount to a backdoor, I saw comment after comment on news stories calling Apple a supporter of terrorism. I saw comment after comment calling for Tim Cook to be jailed for every crime ranging from contempt of court to obstruction of justice and even all they way up to treason. If American citizens don't know their own Constitution enough for it to be obvious that Tim Cook committed no crimes by having Apple appeal the court order, least of all treason, then it should come as no surprise that the government has time and time again gotten away with manipulating the populace into making irrational decisions in the wake of terror attacks.
The good news is that in the recent news stories coming out regarding the encryption fight, there are fewer comments in support of the government's position. This is an encouraging sign. It's a sign that the populace realizes the encryption has far more uses than keeping the government out of our information, which is an important function.
History is replete with examples of reactionary politicians all too happy to sacrifice civil liberties in thrall to the hegemonic altar on which they all swear fealty.
History is replete with examples of reactionary politicians all too happy to sacrifice civil liberties in thrall to the hegemonic altar on which they all swear fealty.
It's not just politicians, people are reactionary.. French police are forcing women to remove clothing if they look too Muslim at the beach. (I wish I was mistakenly posting an article from The Onion.)
The time is coming where comm. apps with end to end encryption will not be available through the app store. If apple/google ever had pressure to block these apps or make them less available they could. For instance they could force all apps to be purchased through the app store and force jail broken phones to be immediately bricked. It will take a massive terrorist attack and pressure from govts. before they will however. I feel China will be the first to make such demands on apple. They will force them to either comply, or stop selling there. It's a matter of time people.................
Concur- also being 'stupid' is almost a resume qualification for being a political. Look at the stupid open-entry that Merkel initiated for the mass migration into Europe damn the long term consequences.
Maybe this migration was done in order to get Europe more de-stabelized. And when the Europe is less stable, it's easier to push such laws as this, to monitor and control the population. Government wants more control.
There is no such thing as demand access to encrypted communications under some circumstances.
Once there is demand access than nothing is encrypted.
This politicians are so stupid. If this law passes the terrorist and criminals will just use 3rd party encryption which is widely avaliable. And only the innocent will suffer then.
In fact making the common person unencrypted will lead to MASSIVE cyber terror. Its exactly what the terrorist want. They want the common population to have no encryption.
That is not really true. You can have encrypted communications with third party access, that is how Apple’s iMessage and others used to work. What you wouldn’t have was a guaranty of privacy because Apple would have a key for the encrypted communication that could be use for a "wiretap". With that said I really doubt this would be effective against terrorism.
I don't think he meant it literally that "nothing is encrypted". Just that If a method is built in for a third party to access, what happens when that third party is hacked. I think even Apple is concerned about exactly that (someone, even at Apple, walking out with keys, or NSA (or some other agency) hacking Apple). e.g the NSA TAO messing with hardware en-route, etc.
And now, with even speculation of someone walking out with some of the "keys" (not literally) to some of the NSA (or other) kingdom(s), it's just clearly a bad idea. Say Apple had or does build a (vulnerable) version of iOS that the US govt puts on an air-gapped system with even just 1 person having access. You'd have to trust (guarantee 100%) that one person couldn't be manipulated in anyway (to run away with said material).
If Apple was hacked by NSA not even the current iMessage implementation would make your communications safe because it still requires key exchange through Apple servers. Just saying. The only real questions here is about privacy and how effective something like this can be.
IIRC, only the public keys are exchanged via apple servers. I thought the private keys never left an iOS device; so if Apple were hacked, it wouldn't matter? I'm no encryption expert, so someone please step in (and correct me if I'm wrong).
There is no such thing as demand access to encrypted communications under some circumstances.
Once there is demand access than nothing is encrypted.
This politicians are so stupid. If this law passes the terrorist and criminals will just use 3rd party encryption which is widely avaliable. And only the innocent will suffer then.
In fact making the common person unencrypted will lead to MASSIVE cyber terror. Its exactly what the terrorist want. They want the common population to have no encryption.
That is not really true. You can have encrypted communications with third party access, that is how Apple’s iMessage and others used to work. What you wouldn’t have was a guaranty of privacy because Apple would have a key for the encrypted communication that could be use for a "wiretap". With that said I really doubt this would be effective against terrorism.
Except that if you use a bank within said idiotic country then your banking information, as one example of many, would not be protected via encryption. Sure you could use a 3rd party messaging app to communicate, but all your other shit is open to whatever any good hacker could get to as well as the Euro terrorist governments
There is no such thing as demand access to encrypted communications under some circumstances.
Once there is demand access than nothing is encrypted.
This politicians are so stupid. If this law passes the terrorist and criminals will just use 3rd party encryption which is widely avaliable. And only the innocent will suffer then.
In fact making the common person unencrypted will lead to MASSIVE cyber terror. Its exactly what the terrorist want. They want the common population to have no encryption.
That is not really true. You can have encrypted communications with third party access, that is how Apple’s iMessage and others used to work. What you wouldn’t have was a guaranty of privacy because Apple would have a key for the encrypted communication that could be use for a "wiretap". With that said I really doubt this would be effective against terrorism.
I don't think he meant it literally that "nothing is encrypted". Just that If a method is built in for a third party to access, what happens when that third party is hacked. I think even Apple is concerned about exactly that (someone, even at Apple, walking out with keys, or NSA (or some other agency) hacking Apple). e.g the NSA TAO messing with hardware en-route, etc.
And now, with even speculation of someone walking out with some of the "keys" (not literally) to some of the NSA (or other) kingdom(s), it's just clearly a bad idea. Say Apple had or does build a (vulnerable) version of iOS that the US govt puts on an air-gapped system with even just 1 person having access. You'd have to trust (guarantee 100%) that one person couldn't be manipulated in anyway (to run away with said material).
If Apple was hacked by NSA not even the current iMessage implementation would make your communications safe because it still requires key exchange through Apple servers. Just saying. The only real questions here is about privacy and how effective something like this can be.
IIRC, only the public keys are exchanged via apple servers. I thought the private keys never left an iOS device; so if Apple were hacked, it wouldn't matter? I'm no encryption expert, so someone please step in (and correct me if I'm wrong).
The public keys are indeed the only keys exchanged through Apple servers but you are trusting that the keys you get back are from the recipient and not from someone else sitting in the middle. If someone could hack Apple Servers it would be theoretically possible to do give wrong keys to each person enabling access to the communication between them.
There is no such thing as demand access to encrypted communications under some circumstances.
Once there is demand access than nothing is encrypted.
This politicians are so stupid. If this law passes the terrorist and criminals will just use 3rd party encryption which is widely avaliable. And only the innocent will suffer then.
In fact making the common person unencrypted will lead to MASSIVE cyber terror. Its exactly what the terrorist want. They want the common population to have no encryption.
That is not really true. You can have encrypted communications with third party access, that is how Apple’s iMessage and others used to work. What you wouldn’t have was a guaranty of privacy because Apple would have a key for the encrypted communication that could be use for a "wiretap". With that said I really doubt this would be effective against terrorism.
I don't think he meant it literally that "nothing is encrypted". Just that If a method is built in for a third party to access, what happens when that third party is hacked. I think even Apple is concerned about exactly that (someone, even at Apple, walking out with keys, or NSA (or some other agency) hacking Apple). e.g the NSA TAO messing with hardware en-route, etc.
And now, with even speculation of someone walking out with some of the "keys" (not literally) to some of the NSA (or other) kingdom(s), it's just clearly a bad idea. Say Apple had or does build a (vulnerable) version of iOS that the US govt puts on an air-gapped system with even just 1 person having access. You'd have to trust (guarantee 100%) that one person couldn't be manipulated in anyway (to run away with said material).
If Apple was hacked by NSA not even the current iMessage implementation would make your communications safe because it still requires key exchange through Apple servers. Just saying. The only real questions here is about privacy and how effective something like this can be.
IIRC, only the public keys are exchanged via apple servers. I thought the private keys never left an iOS device; so if Apple were hacked, it wouldn't matter? I'm no encryption expert, so someone please step in (and correct me if I'm wrong).
The public keys are indeed the only keys exchanged through Apple servers but you are trusting that the keys you get back are from the recipient and not from someone else sitting in the middle. If someone could hack Apple Servers it would be theoretically possible to do give wrong keys to each person enabling access to the communication between them.
Hmm, again, someone or you (@ppietra) please correct me if I'm wrong, but that is not how it works; serious exchange here.
In laymen terms (the best I remember and understand it from academia), the Public key that your device generates (is generated by your device) is passed to Apples servers, so others can use it to encrypt information that only your device can decrypt with its private key.
If your public key is manipulated (because of how it works), anything encrypted with your modified public key, your device will not be able to decrypt. My public key isn't generated by anything but my own device. It's just being shared/given to someone else by apples servers. It's how some friends, who prefer it, encrypt even email (https://en.wikipedia.org/wiki/Pretty_Good_Privacy).
Honestly, this is (or seems like) encryption 101, and I know very little to nothing about encryption (I would say).
You can trust that the keys you're getting back are valid, because if they're not, via MITM, your private key (on your device) wont work to decrypt the content. https://en.wikipedia.org/wiki/Public-key_cryptography
They short version is, it doesnt matter who has your public key. It's how it's supposed to work; apple could publish the public keys for all iOS devices and the worst that could happen is someone could generate an encrypted message with your public key which only your device could then decrypt. They couldn't (easily, currently anyway) peak at content; it's all encrypted. And can only be decrypted by the device which generated the public key, because the private key, which never leaves that device, is only on that device.
Push for quantum computing - something else I know very little about.
There is no such thing as demand access to encrypted communications under some circumstances.
Once there is demand access than nothing is encrypted.
This politicians are so stupid. If this law passes the terrorist and criminals will just use 3rd party encryption which is widely avaliable. And only the innocent will suffer then.
In fact making the common person unencrypted will lead to MASSIVE cyber terror. Its exactly what the terrorist want. They want the common population to have no encryption.
That is not really true. You can have encrypted communications with third party access, that is how Apple’s iMessage and others used to work. What you wouldn’t have was a guaranty of privacy because Apple would have a key for the encrypted communication that could be use for a "wiretap". With that said I really doubt this would be effective against terrorism.
I don't think he meant it literally that "nothing is encrypted". Just that If a method is built in for a third party to access, what happens when that third party is hacked. I think even Apple is concerned about exactly that (someone, even at Apple, walking out with keys, or NSA (or some other agency) hacking Apple). e.g the NSA TAO messing with hardware en-route, etc.
And now, with even speculation of someone walking out with some of the "keys" (not literally) to some of the NSA (or other) kingdom(s), it's just clearly a bad idea. Say Apple had or does build a (vulnerable) version of iOS that the US govt puts on an air-gapped system with even just 1 person having access. You'd have to trust (guarantee 100%) that one person couldn't be manipulated in anyway (to run away with said material).
If Apple was hacked by NSA not even the current iMessage implementation would make your communications safe because it still requires key exchange through Apple servers. Just saying. The only real questions here is about privacy and how effective something like this can be.
IIRC, only the public keys are exchanged via apple servers. I thought the private keys never left an iOS device; so if Apple were hacked, it wouldn't matter? I'm no encryption expert, so someone please step in (and correct me if I'm wrong).
The public keys are indeed the only keys exchanged through Apple servers but you are trusting that the keys you get back are from the recipient and not from someone else sitting in the middle. If someone could hack Apple Servers it would be theoretically possible to do give wrong keys to each person enabling access to the communication between them.
Hmm, again, someone or you (@ppietra) please correct me if I'm wrong, but that is not how it works; serious exchange here.
In laymen terms (the best I remember and understand it from academia), the Public key that your device generates (is generated by your device) is passed to Apples servers, so others can use it to encrypt information that only your device can decrypt with its private key.
If your public key is manipulated (because of how it works), anything encrypted with your modified public key, your device will not be able to decrypt. My public key isn't generated by anything but my own device. It's just being shared/given to someone else by apples servers. It's how some friends, who prefer it, encrypt even email (https://en.wikipedia.org/wiki/Pretty_Good_Privacy).
Honestly, this is (or seems like) encryption 101, and I know very little to nothing about encryption (I would say).
You can trust that the keys you're getting back are valid, because if they're not, via MITM, your private key (on your device) wont work to decrypt the content. https://en.wikipedia.org/wiki/Public-key_cryptography
They short version is, it doesnt matter who has your public key. It's how it's supposed to work; apple could publish the public keys for all iOS devices and the worst that could happen is someone could generate an encrypted message with your public key which only your device could then decrypt. They couldn't (easily, currently anyway) peak at content; it's all encrypted. And can only be decrypted by the device which generated the public key, because the private key, which never leaves that device, is only on that device.
Push for quantum computing - something else I know very little about.
What I said wasn’t about modifying a public key but giving wrong public keys to both recipients. In iMessage they always have to contact Apple servers to exchange keys to start a conversation, and messages can be sent to more than one device per person, each with its own public key and address. If an hacker could attach another device to both recipients lists on Apple servers they would see everything, because the recipients would always send messages with someone else’s key without knowing. Of course an hack like this might not be easy to do on Apple servers, but it is not impossible.
What I said wasn’t about modifying a public key but giving wrong public keys to both recipients. In iMessage they always have to contact Apple servers to exchange keys to start a conversation, and messages can be sent to more than one device per person, each with its own public key and address. If an hacker could attach another device to both recipients lists on Apple servers they would see everything, because the recipients would always send messages with someone else’s key without knowing. Of course an hack like this might not be easy to do on Apple servers, but it is not impossible.
K, I think I gotcha (I have several devices using iMessages myself).
But to what you just stated. You would have to: - register a device with a sending user and the user would be notified on atleast their one (existing) iOS device. - register a device with a receiving user and the user would be notified on atleast their one (existing) iOS device. - The users would know; messages would be delivered to all devices. Unless you were sending with a users iMessage e-mail address and they had that turn off on their other devices (like I do; I just have phone number on all devices). But they would have still been notified of the initial device registration (which, to your point could somehow be bypassed).
You're right, it would be possible; I didn't say that would be impossible. It's just that, that wasn't what you described initially. Separately, what you're describing wouldnt really be a hack of imessages it self. You've essentially registered valid devices with valid/stolen credentials of a user. Just devices the user doesnt know about. That's why apple started notifying users of sign-ons using an apple id. But nothing is full proof. Plenty of users don't have 2-step/2-factor auth turned on, plenty of users don't check all their mail.
Short version is, if a user is knowledgeable enough, it's near impossible, but I wont say impossible. As proven by the 9.3.5 patch, had that user clicked on that link, no amount of security would have made a difference; no 2-factor this, no e-mail notification that.
What you're describing (I think, but could be wrong) is something like obtaining someones debit card number and PIN and you using a cloned debit card with that valid PIN to withdraw funds at an ATM. That's not exactly hacking the bank.
What I said wasn’t about modifying a public key but giving wrong public keys to both recipients. In iMessage they always have to contact Apple servers to exchange keys to start a conversation, and messages can be sent to more than one device per person, each with its own public key and address. If an hacker could attach another device to both recipients lists on Apple servers they would see everything, because the recipients would always send messages with someone else’s key without knowing. Of course an hack like this might not be easy to do on Apple servers, but it is not impossible.
K, I think I gotcha (I have several devices using iMessages myself).
But to what you just stated. You would have to: - register a device with a sending user and the user would be notified on atleast their one (existing) iOS device. - register a device with a receiving user and the user would be notified on atleast their one (existing) iOS device. - The users would know; messages would be delivered to all devices. Unless you were sending with a users iMessage e-mail address and they had that turn off on their other devices (like I do; I just have phone number on all devices). But they would have still been notified of the initial device registration (which, to your point could somehow be bypassed).
You're right, it would be possible; I didn't say that would be impossible. It's just that, that wasn't what you described initially. Separately, what you're describing wouldnt really be a hack of imessages it self. You've essentially registered valid devices with valid/stolen credentials of a user. Just devices the user doesnt know about. That's why apple started notifying users of sign-ons using an apple id. But nothing is full proof. Plenty of users don't have 2-step/2-factor auth turned on, plenty of users don't check all their mail.
Short version is, if a user is knowledgeable enough, it's near impossible, but I wont say impossible. As proven by the 9.3.5 patch, had that user clicked on that link, no amount of security would have made a difference; no 2-factor this, no e-mail notification that.
What you're describing (I think, but could be wrong) is something like obtaining someones debit card number and PIN and you using a cloned debit card with that valid PIN to withdraw funds at an ATM. That's not exactly hacking the bank.
Not necessarily. That is the normal behaviour when you go through your normal AppleID account interface but there is no guaranty that directly editing a list inside Apple server software would have that behaviour. What I am describing is an hack on Apple iMessage servers, not someone else accessing your account credentials and adding devices. This is an hypothetical to counter arguments that it would be too dangerous if Apple altered iMessage for court mandated wiretapping because its servers could be hacked. It is already dangerous if its servers were hacked.
Comments
Let's face it, you can't do your job and you want to blame technology. Sounds like what every non-technological company and organization in the history of forever has attempted to do and ultimately failed.
I think tech companies like Apple should actively be seeking a global legislative resolution that will finalize the issue now and forevermore and insure that no matter what happens in the future no matter what horrors await that declarations made now can never be reversed or abandoned.
Bad decisions are easy to make when under duress
https://en.m.wikipedia.org/wiki/Patriot_Act
In the wake of the FBI's attempt to get Apple build what would have been tantamount to a backdoor, I saw comment after comment on news stories calling Apple a supporter of terrorism. I saw comment after comment calling for Tim Cook to be jailed for every crime ranging from contempt of court to obstruction of justice and even all they way up to treason. If American citizens don't know their own Constitution enough for it to be obvious that Tim Cook committed no crimes by having Apple appeal the court order, least of all treason, then it should come as no surprise that the government has time and time again gotten away with manipulating the populace into making irrational decisions in the wake of terror attacks.
The good news is that in the recent news stories coming out regarding the encryption fight, there are fewer comments in support of the government's position. This is an encouraging sign. It's a sign that the populace realizes the encryption has far more uses than keeping the government out of our information, which is an important function.
"thursday the pizza will be ready for your uncle. "
Decrypt that you secret police types.
https://www.apple.com/business/docs/iOS_Security_Guide.pdf - Page 41; I mean, apple could always be lying... ¯\_(ツ)_/¯
In laymen terms (the best I remember and understand it from academia), the Public key that your device generates (is generated by your device) is passed to Apples servers, so others can use it to encrypt information that only your device can decrypt with its private key.
If your public key is manipulated (because of how it works), anything encrypted with your modified public key, your device will not be able to decrypt. My public key isn't generated by anything but my own device. It's just being shared/given to someone else by apples servers. It's how some friends, who prefer it, encrypt even email (https://en.wikipedia.org/wiki/Pretty_Good_Privacy).
Honestly, this is (or seems like) encryption 101, and I know very little to nothing about encryption (I would say).
You can trust that the keys you're getting back are valid, because if they're not, via MITM, your private key (on your device) wont work to decrypt the content. https://en.wikipedia.org/wiki/Public-key_cryptography
They short version is, it doesnt matter who has your public key. It's how it's supposed to work; apple could publish the public keys for all iOS devices and the worst that could happen is someone could generate an encrypted message with your public key which only your device could then decrypt. They couldn't (easily, currently anyway) peak at content; it's all encrypted. And can only be decrypted by the device which generated the public key, because the private key, which never leaves that device, is only on that device.
Push for quantum computing - something else I know very little about.
But to what you just stated. You would have to:
- register a device with a sending user and the user would be notified on atleast their one (existing) iOS device.
- register a device with a receiving user and the user would be notified on atleast their one (existing) iOS device.
- The users would know; messages would be delivered to all devices. Unless you were sending with a users iMessage e-mail address and they had that turn off on their other devices (like I do; I just have phone number on all devices). But they would have still been notified of the initial device registration (which, to your point could somehow be bypassed).
You're right, it would be possible; I didn't say that would be impossible. It's just that, that wasn't what you described initially. Separately, what you're describing wouldnt really be a hack of imessages it self. You've essentially registered valid devices with valid/stolen credentials of a user. Just devices the user doesnt know about. That's why apple started notifying users of sign-ons using an apple id. But nothing is full proof. Plenty of users don't have 2-step/2-factor auth turned on, plenty of users don't check all their mail.
Short version is, if a user is knowledgeable enough, it's near impossible, but I wont say impossible. As proven by the 9.3.5 patch, had that user clicked on that link, no amount of security would have made a difference; no 2-factor this, no e-mail notification that.
What you're describing (I think, but could be wrong) is something like obtaining someones debit card number and PIN and you using a cloned debit card with that valid PIN to withdraw funds at an ATM. That's not exactly hacking the bank.
What I am describing is an hack on Apple iMessage servers, not someone else accessing your account credentials and adding devices. This is an hypothetical to counter arguments that it would be too dangerous if Apple altered iMessage for court mandated wiretapping because its servers could be hacked. It is already dangerous if its servers were hacked.