This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.
Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.
We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:
-
Shaming.
-
Attempting to 'build consensus' or enforce ideological conformity.
-
Making sweeping generalizations to vilify a group you dislike.
-
Recruiting for a cause.
-
Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.
In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:
-
Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.
-
Be as precise and charitable as you can. Don't paraphrase unflatteringly.
-
Don't imply that someone said something they did not say, even if you think it follows from what they said.
-
Write like everyone is reading and you want them to be included in the discussion.
On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.
Jump in the discussion.
No email address required.
Notes -
Apple has yet again betrayed the fact that "it's not technically feasible" is bullshit when it comes to government access
They said it concerning device access, and that was a lie. They said it concerning private cloud compute, and that was a lie. Hell, they said it concerning even the conceivability of secure backdoors, and that was probably a lie, too (not even getting into the fact that they definitely already have magic numbers that can overtly tell your phone to execute arbitrary code).
Apple has now introduced Enhanced Visual Search, technomagic which whizzes your photos (even the ones not in iCloud) off to Apple servers, using all sorts of mathematical goodies like homomorphic encryption to keep them private while allowing them to tag said photos with labels like, "What is this landmark in this photo?" It would be strictly easier to design a system that looks for stuff like child porn and alerts them.
Yes yes, you will rapidly object. False positives, false negatives. I grok filtering theory. Who will have the authority to do what with the information? Sure sure. Who will have to maintain the databases or filters that look for it? Yup, I hear ya. Those are not technical objections. Those are process objections.
I have never supported having the government involved in any of these things. I understand the significant nature of the tradeoffs at the societal level. But I have routinely said that the cry of, "This is just technologically/mathematically impossible," is total bullshit. It's just not true. Several other influential voices in the tech privacy world are coming around sort of slowly to this. They're seeing the deployment of these systems and saying how they're taken aback. How, well damn, if you can do that, then you probably can do this other stuff. But of course, doing the other stuff seems socially problematic, so they don't know how to feel.
It's actually easy to know how to feel. Just drop the lie that these sorts of things are technologically impossible. They are possible. But there are process tradeoffs and there are potentially huge liberty concerns that you can focus on. The more you continue to try to push the Noble Lie, the more likely you're just going to harm your own credibility in the long-term. Better to fight on the grounds of true facts with, "We don't want it," win or lose, than to prepare the grounds for a complete credibility crisis, such that when the time comes, no one is able to responsibly push back.
I am fairly sure that the heavy hitters in the US intelligence community have a way to compel apple to extract data from a device they physically possess. I doubt that they have officially sanctioned zero day backdoor though.
But this is the world consumer wanted. They wanted always online devices, they wanted walled gardens.
Sure, the allegation is that they had their own ‘emergency’ backdoor that even the NSA and GCHQ weren’t supposed to know about, but which they kept in their back pocket in case they had to - themselves - use it on behalf of intelligence for a justified reason.
But what is also obvious is that if you’re the NSA and believe this to be the case, you just wiretap the fuck out of Apple’s internal Slack, email system, surveil senior security engineers directly and so on until you either have the exploit, know where to look, or know exactly who to ‘persuade’ into telling you.
Then, you use it sparingly enough that nobody at Apple can deduce that you have it, and it lasts 4 iPhone generations before Kaspersky find it.
that is not how you do it. No backdoor is needed. You create a legitimate update for the phone and sign it with the boot loader key and also probably update the secure enclave to allow unlimited tries. Once you have that - the rest is just bruteforcing the pin to get the part of the composite key (if the master key really is composite, it may be just stored in the SE, no one really knows)
This is not possible. The encryption keys that are used to decrypt user data are mixed with the signature of the OS that's booted. That's why in the normal update flow, you have to enter your passcode to kick off the update -- your phone is forward-encrypting the parent keys to the new software before you boot off the old one.
It is really great that apple don't have the hashes of their own OS-es right. You can totally boot custom kernel, and then just fake whatever signature you need to blast with the pin to the secure enclave. Or unmix whatever mixing you do with the pin. Device ID, os hash, number of luxes hitting the phone in the factory - apple already have this.
Mixing here would be a one way irreversible operation, of which there are plenty in modern cryptography.
Whcih is absolutely irrelevant if you know a part that you have mixed with. The salt doesn't make brute forcing harder. It makes hash lookup harder. Completely different approaches.
It's not irrelevant -- if you take a standard one-way function F then even knowing all the identities for X and Y, you can't load software version Y and back out what the key would have been had the diversification been done with X.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link