W3C home > Mailing lists > Public > public-credentials@w3.org > February 2016

Re: Apple IOS security hole? [was Re: The Apple-FBI Fight Isn't About Privacy vs. Security. Don't Be Misled | WIRED]

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Thu, 25 Feb 2016 07:12:38 +0000
Message-ID: <CAM1Sok14xuFB4Pp3qMZEcXOLu+fjcAQcj-zAYWgt43ASwXskTg@mail.gmail.com>
To: David Booth <david@dbooth.org>, public-credentials@w3.org
the critical questions I had in mind was whether a comprehensive use-case
existed for credentials to provide accountable prevlidged access to devices
/ operating systems made inoperable existed where no other existing
technology is able to perform a similar, accountable solution.

if each agent in the trust chain were enabled with credentials inclusive of
access records, et.al. that may be provided comprehensively to parties
involved with a court order, including defence lawyers, et.al.

then i do not see how the merits of the claims being made today are similar
to any such claims made of credentials were not available.

therein, is this a political debate, a scientific debate or one that
relates to the way in which we make choices about who to trust and why...?


On Thu, 25 Feb 2016 3:21 AM David Booth <david@dbooth.org> wrote:

> On 02/24/2016 10:21 AM, Timothy Holborn wrote:
> > Without considering the technical concept explicitly described as
> > 'backdoor', is the following a true statement?
> >
> > "“It would be great if we could make a backdoor that only the FBI could
> > walk through,” says Nate Cardozo, an attorney with the Electronic
> > Frontier Foundation. “But that doesn’t exist. And literally every single
> > mathematician, cryptographer, and computer scientist who’s looked at it
> > has agreed.”
> >
> > Source: http://www.wired.com/2016/02/apple-fbi-privacy-security/
> Since I am not a security expert I won't comment on that question.
> But on as a side note, it seems to me that Apple could make a simple
> change to IOS to make it *impossible* for them to do what the FBI is
> asking them to do, even if the court orders them to comply.
> If I have understood correctly, the FBI wants Apple to push to the phone
> a new version of IOS that would disable the
> delete-all-data-after-10-failed-unlock-attempts feature, thereby
> enabling the FBI to use a brute force attack to unlock the phone.  But
> if Apple updated IOS to require a phone to be *already* unlocked in
> order to install IOS updates, then it would be impossible for Apple to
> do that.
> In fact, if Apple is currently able to disable the
> delete-all-data-after-10-failed-unlock-attempts feature by pushing an
> IOS update to a locked phone then it seems to me that that is a
> significant security hole already, which really should be patched.
> Do others agree, or have I misunderstood something?
> David Booth
Received on Thursday, 25 February 2016 07:13:17 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:27 UTC