Posts by John H Woods

2412 posts • joined 14 Nov 2007

US govt says it has cracked killer's iPhone, legs it from Apple fight

John H Woods
Silver badge

"Eventually there will exist an ACTUALLY uncrackable device" --- JeffyPooh

I think there are some quantum principles which could feasibly be exploited to yield a device that you couldn't crack even with prolonged unfettered physical access, so I think you're right. Not sure it will ever be possible with non-quantum methods.

0
0
John H Woods
Silver badge

Re: Where are all the Noobies now?

Depends if you're counting me :-) you did have a go at me for presenting the maths implied by the key length -- my defence was that I was only responding to people who suggested AES256 could be brute-forced. Neither of us think this has been cracked (if it has) by brute forcing a 256bit key, do we?

2
0
John H Woods
Silver badge

Re: A Kick in the Nuts

"Like I said before, if you have deep pockets you could probably clone the phone" -- Danny14

And like many of us said before, it's not that simple. Cloning memory is easy, but cloning other chippery is hard. Sure if you have deep enough pockets it can be done, but I don't think you really understand just how deep they have to be. And 256 bit encryption CANNOT be brute forced. Broken, perhaps, but this break will NEVER be by brute force.

5
2
John H Woods
Silver badge

Re: And now this is the worst

"Every government on the planet now knows that iPhones can be hacked"

Everyone with a clue knew this already. What was being resisted was (a) a tool that could be routinely used (e.g. during police stop & search or temporary unauthorized access to a phone) and (b) a legal precedent. This is a 100% win for Apple.

32
1

William Hague: Brussels attacks mean we must destroy crypto ASAP

John H Woods
Silver badge

Dear William Hague

It's worrying that you are either ignorant and/or lying.

32
2

Ransomware now using disk-level encryption

John H Woods
Silver badge

Fantasy hard drive (or array) ...

... 3 position physical (key?) switch on drive (or array)

(1) looks to the BIOS/OS like a normal drive (or array) but keeps, inaccessibly and invisibly, all previous versions of files; perhaps also ignores destructive operations such as partitioning and formatting

(2) all versions above become visible but drive is read-only

(3) disk accessible as normal for partitioning, formatting or just maintenance (e.g. deleting of old versions of files).

I'm not sure that my drive usage is typical but it seems to me that ordinary file store disk usage would not be greatly increased by keeping all previous versions of files - by far the biggest chunk of my diskspace is taken up by files that are their initial version.

Even if this were not practical for operational disks or arrays, surely it's achievable for disk-based back-up solutions?

2
1
John H Woods
Silver badge

Re: Nothing good will come of all this

"but this scumware risks helping the US Government message on backdooring encryption" --- Pascal Monett

Maybe only until people realise that these people will never use the approved backdoored algorithms.

3
0

Six charged for 'hacking' lottery terminals to spew only winning tickets

John H Woods
Silver badge

Do the math ...

OK ...

I googled Mega Millions, it seems there are 5 numbers between 1 & 75, and 1 number between 1 & 15. The chances of getting all six is therefore one in 15 * 75! / ( (75-5)! * 5!) which is about 1 in 259 million (258,890,850)

The probability that you won't win is therefore (258,890,849 / 258,890,850 ) per play or about 0.99999999613. The probability that nobody will win in a draw with N plays is this number to the power of N. Where N is a million, that is 99.6%, but where N is a billion it is only 2%, so it doesn't seem that unlikely. Interestingly, that's nearly the exact opposite of your guess --- if 1 billion plays were made then the jackpot would get won 98% of the time!

If you want to work out what N is so that the jackpot is won about 30% of the time, you need to work out what power you'd need to raise the non-win probability to in order to get 0.7 (i.e. a 70% chance no one wins a given draw). This is log (0.7) / log (258,890,849 / 258,890,850) which is about 92.3 million.

It doesn't seem at all unlikely to me that a 44 state lotto might get this many plays, it's probably only what, one play per average 2 head of population?

PS: didn't down vote you, because almost nobody can calculate probabilities like this intuitively, hence things like the birthday problem.

0
0
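The calculation in the post above, written out in general form as an added derivation (not part of the original post). Here p is the per-play win probability, N the number of plays and q the desired chance that some play wins; the exponential approximation is the same one that makes the birthday problem tractable:

$$
p = \frac{1}{15 \binom{75}{5}} = \frac{1}{258\,890\,850}, \qquad
\Pr[\text{no winner in } N \text{ plays}] = (1-p)^N \approx e^{-pN}
$$

$$
N = \frac{\ln(1-q)}{\ln(1-p)} \approx \frac{-\ln(1-q)}{p}, \qquad
q = 0.3:\ N \approx 258\,890\,850 \times 0.3567 \approx 9.23 \times 10^{7}
$$

Checking the two cases quoted: $e^{-10^{6} p} \approx e^{-0.00386} \approx 0.996$ and $e^{-10^{9} p} \approx e^{-3.86} \approx 0.021$, i.e. 99.6% and 2% chance of no winner.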

Tracy Emin dons funeral shroud, marries stone

John H Woods
Silver badge

Re: I love it when the amateur art critics come out to play

"Apparently what gives value to the painting/piece is the artist has attached a story to the painting giving it meaning" -- Triggerfish

basically says that modern art is a machine for generating art criticism ... possibly true ... but some *contemporary* art is extremely good.

3
0

Watch six tiny robo-ants weighing 100g in total pull a 1,769-kg family car

John H Woods
Silver badge

Re: "they form into long chains and synchronize their footsteps"

It's amazing what a tiny brain can do --- check out a miniature spider called Portia.

0
0

Former US anti-terror chief tears into FBI over iPhone unlocking case

John H Woods
Silver badge

Re: Kind of what I said a couple weeks ago.

1. No. They'd hack the hardware, possibly reading the security key from the processor with electron microscopy, side channel attacks etc. Brute forcing AES256 is limited "only by available compute power" but you couldn't fit the required compute power into the visible universe. There may be another way to break it but it isn't brute forcing.

2. Yes.

17
1

Feds tell court: Apple 'deliberately raised technological barriers' to thwart iPhone warrant

John H Woods
Silver badge

Re: Free Speech argument.

"As a corporate entity rather than a person" -- Candy

You might be surprised to learn that US law doesn't always make that distinction. But surely you'd have been more surprised that Apple's lawyers would make that argument if it were obviously invalid.

1
0
John H Woods
Silver badge

Re: The mat and potatoes

"Even though I get downvoted to hell and back, I maintain... if a court orders them to do it (after the argument has gone to the highest possible) ... they should damn well do it, or Cook should be thrown in jail." -- msknight

Err ... you do know that Apple are behaving in an entirely legal manner by appealing the judgment?

If your argument is that, once SCOTUS says they should do it, they should, you are wasting your time here -- Apple have already said they would comply with the law. Apple's whole point is that the law needs clarification and that should happen at a legislative level (SCOTUS / Congress) rather than be established by precedent in an individual case: as we all know, hard cases make bad law.

7
0
John H Woods
Silver badge

@bazza

"If the supremes do make such an order then presumably everyone would welcome the decision? Isn't that what the Supreme Court for, handing down decisions that everyone accepts?" --- bazza

The last SCOTUS decision that was relevant here, in 1977, was that the All Writs Act had limits and could not be used to place unreasonable burdens on third parties.

Apple's argument is effectively that the FBI is trying to create law, rather than use existing law; and that this is a job for law-makers not law-enforcers. Sure many of us would be horrified if SCOTUS made the order to which you refer. But at least we'd know that this was now the official USA position.

In the end your argument is self contradicting: it is almost that no one should ever risk anything going to the Supremes in case the decision goes against them. I'm sure you can see there's a problem with such a stance.

6
0

What's next? FBI telling us to turn iPhones into pocket spy bugs? It'll happen, says Apple exec

John H Woods
Silver badge

"Then there's that whole 'warrant' thing people keep missing" -- Jeff Lewis

If you were right, the court of first instance missed it as well: because if it were a simple "warrant thing" then that court would never have needed to rely on the All Writs Act, as failure to comply with a warrant would put Apple in contempt of court.

People who say "This should be as simple as a warrant" are expressing an opinion that could potentially be justified by argument (I haven't yet seen a compelling one, but it's possible). People who say "This is as simple as a warrant issue" are just plain old wrong, and any other authoritative assertions that they make can be safely ignored.

7
0

Knackered Euro server turns Panasonic smart TVs into dumb TVs

John H Woods
Silver badge
Joke

If you want a nice big dumb TV ....

... buy a projector ;-)

3
1
John H Woods
Silver badge

Re: Time for my new Expression

"One could, of course, have argued that the OP is observing the good ship Panasonic on its voyage to the downhill from a fixed point near the hilltop and so when he looks down he sees it red-shifted as it races away from him" -- 's water music

Bugger, I knew someone would get me with an alternative frame of reference!

2
0
John H Woods
Silver badge

Re: Time for my new Expression

"It's still called the red shift effect, regardless of which way it's going though."

You'll be pleased to know I've given you -1 upvotes. And to be really pedantic, it's called the Doppler effect :-)

9
0
John H Woods
Silver badge

Re: Time for my new Expression

"Panasonic are going downhill so fast, when you look at the floor you can see the red shift" --- Ian Emery

<pedant_mode>blue</pedant_mode>

6
4

FBI says NY judge went too far in ruling the FBI went too far in forcing Apple to unlock iPhone

John H Woods
Silver badge

"Hoooly shit, seriously? That's like the Pope's Divine Cheat Code Chair, only this applies to actual fucking law! If the court puts it into writing, it happens? Seriously?" --- ShadowDragon8685

Whilst I largely agree with your amusing take on this, there are two mitigating circumstances preventing it becoming a tool for draconian imposition of arbitrary burdens:

(a) the caveats, in the Act itself, of "necessary or appropriate" and "agreeable to the usages and principles of law"

(b) a 1977 Supreme Court Ruling that "... the power of federal courts to impose duties upon third parties is not without limits; unreasonable burdens may not be imposed"

0
0
John H Woods
Silver badge

"How is this any different from a warrant for telephone records or financial records where the telephone company or accountant are not complicit - nor alleged to be complicit - in any alleged wrong doing or financial malfeasance ?" -- Deltics

If it were no different, the All Writs Act would not have had to have been invoked because Apple would be in contempt of court for not complying with a warrant.

14
1
John H Woods
Silver badge

The FBI argues that Orenstein looked at the question too broadly and focused on possible future abuse rather than the actual case he was considering. And then effectively accuses him of overreach by saying his ruling "goes far afield of the circumstances of this case and sets forth an unprecedented limitation on federal courts' authority."

That argument would seem to be self defeating: the first part says that it is only about this one individual device (case) and pretends no precedent would be set. The second part is a concern that a precedent has been set (albeit the opposite one to the one they wanted) by a judgment in the same particular case.

21
0

GCHQ: Crypto's great, we're your mate, don't be like that and hate

John H Woods
Silver badge

"If I understood correctly the extracts of Hannigan's speech he is asking for crypto software which falls over if you don't follow a strict procedure, or some such 'human' cause of failure. So you can have your secure crypto but ..."

They already have everything they need to go after targets. No crypto is secure against endpoint compromise and all the old school spycraft (shoulder surfing, infiltration, honeypots) still works; all the new school spycraft (hidden cams, tempest, decoding audio to narrow down password search spaces) still works; and all the bang-up-to-date spycraft (keyloggers, hardware compromise, certificate compromise, rng tampering) still works.

I totally support them going after targets. I shall totally resist the dragnet.

9
0
John H Woods
Silver badge

Re: chutzpah indeed

"legislation going through Parliament at this very moment which says "houses", plural, in fact every single household in the land, and beyond." --- 2+2=5

More to the point, they were already doing it even before legislation was proposed, let alone passed, that they should be able to do so.

3
0

Essex cop abused police IT systems to snoop on his in-laws

John H Woods
Silver badge

Re: Why

"Thirdly let the nerds who can say hand on heart that they haven't seen/found more that they should have been entitled to via DB/SA access cast the first stone." --- Gordon 10

Some time ago, walking the dogs at night, I looked up and saw my rather attractive air stewardess neighbour walk naked past her bedroom window. I'm pretty sure this does not give me an excuse to stand outside her house looking up in the hope of a repeat performance.

You might need to acquaint yourself with the concept of mens rea.

"Lots of uninformed commentardery on this thread." --- Gordon 10

Well, some, at any rate.

1
0

Norman Conquest, King Edward, cyber pathogen and illegal gambling all emerge in Apple v FBI

John H Woods
Silver badge

Re: Off course Apple must help law enforcement

"Given the encrypted state of the phone they are trying to access, Apple should immediately assist the police in setting up a system that can be used to brute force the encryption. That is the best that can be done given the state of the phone. If the bad guy has chosen a good password this might take a long time." -- Steen Larsen

Let us enjoy the full majesty of your uninformed ad hoc reckon

0
0
John H Woods
Silver badge

"You may want to point to a legal precedent instead of making stuff up"

In case he can't be bothered with your somewhat rude reply, I looked it up for you: Bernstein v Dept. of Justice

3
0

Apple: FBI request threatens kids, electricity grid, liberty

John H Woods
Silver badge

"Really, it's not that different to a safe manufacturer cracking a safe" --- Pen-y-gors

Did you somehow miss all the coverage and comments? It's ok if you did, but you should either catch up or shut up.

3
1

Fifth time's the charm as SpaceX pops satellite into orbit

John H Woods
Silver badge

Re: Missing the point...

"Doing the same thing over and over again and actually getting a different result on its own is praised...as persistence." -- Charles 9

Indeed. In fact the stupid statement about insanity bugs me even when it isn't mistakenly attributed to Einstein. The original quote (in an NA pamphlet) is about making the same mistakes over and over again. Almost nothing that is worth achieving can be achieved without some measure of doing the same thing over and over again.

1
0

No more Nookie for Blighty as Barnes & Noble pulls out

John H Woods
Silver badge

I had a nook ...

... it could read almost any format, I could play puzzle games on it and even browse some of the less frantic websites. In fact it was too useful and I carried it everywhere, eventually resulting in it being trodden on by a horse.

If you have one, and this is going to affect you, I suggest you root it like I did, you've got little to lose, and a very cheap e-ink Android device to gain.

5
0

Samsung is now shipping a 15TB whopper of an SSD. Farewell, spinning rust

John H Woods
Silver badge

Correct - raid5 at this scale is a TERRIBLE idea :-)

1
0

There's a courier here says he's got 50TB of cloud data for you

John H Woods
Silver badge

"If my sums are right, it's way less than 100MB/sec" -- Adam52

A Snowball weighs about 23kg and could easily be checked as hold baggage on a plane. It would take a few hours to extract its 50TB over its 10Gb/s port. So by speeding up the shipping a bit you can probably get it anywhere it could be useful within a day, giving you about 600MB/s equivalent making it well over 100x faster than a T3 line.

Executed expeditiously, moving physical storage is faster than networking: always has been, and I think always will be. The Snowball is heavy (ruggedness & self contained PSU, etc) and is only about 2TB/kg, whereas plain old SSDs are > 10x the data per mass. A 747 full of SSDs travelling LON->NYC is probably a Snowball per second.

1
0

Bruce Schneier: We're sleepwalking towards digital disaster and are too dumb to stop

John H Woods
Silver badge

Re: It's gonna be difficult...

AC says: "not their fault, not many of them have engineering backgrounds"

Sorry but I disagree entirely. Most engineers, if tasked with learning relevant parts of national law; company procedures; business modelling; or technology currently outwith our experience, would simply settle down to learn what they could about it. Where they still didn't understand, they would identify someone who could advise, and ask them.

Nobody is asking legislators to know about Yagi antennas, microwave propagation, packet level protocols, database schemas, etc. Not having an engineering background must not be considered a be-all-and-end-all excuse for refusing to come to grips with matters for which one is responsible. We expect legislators to be able to consider medicolegal affairs without having a medical (or legal) background; social affairs without psychological qualifications; transport and infrastructure without civil engineering knowledge.

It is perfectly reasonable to expect legislators to be able to learn, to be able to consult, to be able to listen. The apparent fact that many of them can't means that they are unfit for their roles; no excuses.

PS: and yes, I would say the same applies to managers.

19
0

$17 smartwatch sends something to random Chinese IP address

John H Woods
Silver badge

Re: Optional

"Well, I for one, don't. Why? Just cos." -- Electron Shepherd

LOLLO

2
0

GDS gets it in the neck from MPs over Rural Payments Agency farce

John H Woods
Silver badge

Re: Internal IT

Is GDS even good enough to act in an advisory role?

1
0
John H Woods
Silver badge

Re: What could possibly go wrong?

"If GDS could cultivate a little humility, and hone their ability to listen, they might improve their record of successful delivery" -- BurnT'offering

^^THIS. Consultancy, my first ever boss told me, is a listening business. Stop trying to interrupt your clients with the solutions you want to sell them. If you think you've already got something to sell them before you've finished listening to them, you're already on the path to deliver them something they don't want --- and if you're doing your job properly you can't possibly have anything useful to tell them in the first meeting, because you simply haven't had time to think about it.

5
0

'Boss, I've got a bug fix: Nuke the whole thing from orbit, rewrite it all'

John H Woods
Silver badge

Re: Well, this article'll cause some arguments, eh?

"Once you start to use gotos because of lack of an exception mechanism in C, use it clearly. The lack of proper comments is appalling too - if you attempt to do something "smart", explain it."

Absolutely agreed. In fact if I had to pick the very worst thing about this code I'd say that the label err: is incorrectly named: everything that happens there seems to me (not a C programmer) to be about freeing resources. There seem to me to be three exit conditions: (a) success, (b) packet length error, (c) certificate length error. It looks to me like the first test looks for error (b), the second for (c), and then there is a block between the two snippets that is executed if those tests don't detect their errors.

Now I understand, from your comment and a quick Google, that there is no true exception handling in C, so we sometimes use the goto. So can't it work like this? (go easy on me, I'm not a coder)...

    /* trap wrong packet length */
    if (CBS_len(&cert_list) < 3) {
        SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_BAD_PACKET_LENGTH);
        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
        goto finalise;
    }

    /* trap cert length mismatch */
    if (!CBS_get_u24_length_prefixed(&cert_list, &cert)) {
        SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH);
        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
        goto finalise;
    }

    /* code that gets executed if the exceptions above aren't encountered */

    /* free resources */
finalise:
    EVP_PKEY_free(pkey);
    X509_free(x);
    sk_X509_pop_free(sk, X509_free);
    return (ret);

I'm not normally a fan of the goto and I might have preferred a nested conditional or maybe setting a variable to contain the current error type (or null if no error) and then branching on that lower down, depending on the prevailing style of the other code. But I understand they might have a place where there is no native exception handling.

3
0
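As an added, stand-alone C example (not the post's snippet and not OpenSSL or BoringSSL code), the single-label cleanup the post proposes, applied to a made-up parser for a u24-length-prefixed certificate. cert_t, cert_new, cert_free, cbs_get_u24 and parse_cert_list are all constructed stand-ins, and the live_allocs counter exists only so a caller can check that cleanup runs on every exit path; the detail the post's snippet leaves implicit is that the success path must hand ownership away before the shared free calls run.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for an allocated certificate object (constructed for this example). */
typedef struct { unsigned char *data; size_t len; } cert_t;

/* Live-allocation counter, so a caller can prove cleanup ran on every exit path. */
int live_allocs = 0;

cert_t *cert_new(const unsigned char *p, size_t n) {
    cert_t *c = malloc(sizeof *c);
    if (c == NULL) return NULL;
    c->data = malloc(n);
    if (c->data == NULL) { free(c); return NULL; }
    memcpy(c->data, p, n);
    c->len = n;
    live_allocs++;
    return c;
}

void cert_free(cert_t *c) {
    if (c == NULL) return;      /* freeing NULL is a no-op, as with X509_free */
    free(c->data);
    free(c);
    live_allocs--;
}

/* Minimal byte cursor, the same idea as the CBS struct in the post. */
typedef struct { const unsigned char *p; size_t len; } cbs_t;

/* Read a 3-byte big-endian length prefix; fail if fewer than 3 bytes remain. */
int cbs_get_u24(cbs_t *in, size_t *out) {
    if (in->len < 3) return 0;
    *out = ((size_t)in->p[0] << 16) | ((size_t)in->p[1] << 8) | in->p[2];
    in->p += 3;
    in->len -= 3;
    return 1;
}

/* Parse one u24-length-prefixed certificate and hand it back via *first.
 * Returns 1 on success, 0 on any error.  One label, one exit: `ret` records
 * the outcome, and the success path gives up ownership of `x` before the
 * shared cleanup runs, so the same free calls are correct on every path. */
int parse_cert_list(const unsigned char *buf, size_t buf_len, cert_t **first) {
    int ret = 0;                /* assume failure until the success path says otherwise */
    cert_t *x = NULL;
    cbs_t list = { buf, buf_len };
    size_t cert_len;

    *first = NULL;

    /* trap wrong packet length: not even a length prefix is present */
    if (list.len < 3)
        goto finalise;          /* the alert / error record would be raised here */

    /* trap cert length mismatch: prefix claims more bytes than the packet holds */
    if (!cbs_get_u24(&list, &cert_len) || cert_len == 0 || cert_len > list.len)
        goto finalise;

    x = cert_new(list.p, cert_len);
    if (x == NULL)
        goto finalise;          /* allocation failure takes the same exit */

    *first = x;                 /* success: ownership moves to the caller ... */
    x = NULL;                   /* ... so the cleanup below must not free it */
    ret = 1;

finalise:
    cert_free(x);               /* frees on every error path, no-op on success */
    return ret;
}

int main(void) {
    /* constructed sample: prefix 0x000003 followed by three certificate bytes */
    const unsigned char packet[] = { 0x00, 0x00, 0x03, 'a', 'b', 'c' };
    cert_t *first = NULL;
    int ok = parse_cert_list(packet, sizeof packet, &first);
    cert_free(first);
    return (ok == 1 && live_allocs == 0) ? 0 : 1;  /* exit 0 when parse and cleanup behave */
}
```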

Security real talk time: So what exactly do we mean by 'backdoor'?

John H Woods
Silver badge

Re: In a way it is an existing backdoor the FBI is looking to exploit

"Remember a backdoor, is exactly that, it is an entrance that gives full access to a house in exactly the same way as the front door." -- Roland6

Does the same key open both doors? Or is, as I believe is intended in the metaphor, the security of the backdoor weaker (or even non existent)?

0
0
John H Woods
Silver badge

Re: At the risk of being labelled a something-or-other...

"Every time. No shorthand. No lingo" -- AC

Whilst I get the import and largely agree with what you are saying, this is just not practical. Firstly, there's the issue of convenience. You've still got to talk about RAM, SSDs, CPUs etc. without having to spell it out. Secondly, there's the issue of being unable to prescribe, or proscribe, language. Lay people are going to (continue to) use the term 'backdoor', whether we think they should or not. The best we can do is make sure that they know what it is.

My definition: "An always intentional and typically secret means of bypassing or weakening normal access control mechanisms"

2
0

We survived a five-hour butt-numbing Congress hearing on FBI-Apple ... so you don't have to

John H Woods
Silver badge

Re: Yes, you CAN remove the "non-volatile memory".

"So, just to clarify (this is not my field of expertise) and to wrap my mind around this: it would be possible to remove the memory chips from the phone and make a 1:1 copy of the data stored on the chips - but that would not bring you any closer to decrypting1) the data, so in this case it's pointless?" --allthecoolshortnamesweretaken

My usual explanation of brute forcing AES256:

Keyspace 2^256, average time to find key 2^255=6e+76. Allow a nanosecond per attempt (that's almost unfeasibly fast) and you need 6e+67 seconds. Allow ten million of those machines and you are at 6e+60 seconds. Find an as yet unknown algorithmic weakness in AES256 and award yourself a trillion trillion trillion fold speed up, and you get to 6e+24 seconds --- which is about 15 million times the current age of the universe (4.3e+17 seconds or thereabouts).

AES256 may not be invulnerable (and it probably isn't) but standard (i.e. non-quantum etc) brute forcing of the keyspace is simply never going to be possible.

5
0
John H Woods
Silver badge

Re: Trey

"It's an extreme analogy from Trey, but it is valid. "-- bazza

I disagree. I think the analogy is seriously flawed but if we must stick with it, it is more like this:

We have always been allowed to remove bullets from corpses for forensic purposes. These new fangled bullets won't come out without disintegrating, so they'll be forensically worthless. The bullet manufacturer does not have a tool to extract the bullets intact. Maybe they could create one? The trouble is that it would allow other people to remove other bullets from corpses, allowing the possessors of such a tool to commit crimes (more exactly destroy the evidence of the crimes they have committed).

Analogies have their uses, but the frantic - and largely [1] fruitless - search for a good analogy to describe the current situation makes me concerned that many of the people engaging in the discussion are simply not equipped to do so.

[1] the only reasonable analogy, IMHO, is the one presented by Richard12 above: the safe manufacturer can only open this one safe by creating a tool that would open very many of the safes they have already sold. But for the analogy to work, this tool has to be one that, once created, is easily stolen or copied.

11
0

Photographer hassled by Port of Tyne for filming a sign on a wall

John H Woods
Silver badge
Joke

Re: Not all security is like that, I'm not

"What I would instead do is quietly turn up a long way away on my bicycle (no ANPR records for a bike) and quietly photograph the place using a camera with a long lens peeping out through a hole in a bag. Even if I couldn't do this, a camera in a shoulder bag with a remote shutter release is not going to arouse the notice of security guards if all the photographer does is walk past without obviously taking photos (whilst snapping away with the concealed camera)." -- Dr Dan Holdsworth

Wait a minute there, fella ... This is information of use to a terrorist!

1
0
John H Woods
Silver badge

Re: Birds Eye?

"Or is it the peas? I never trusted peas." --- Huw D

they have a habit of winding up on the floor: escapeas

10
0
John H Woods
Silver badge

Re: Unfortunately...

"So go on, enlighten me. What offense has been committed... " -- AC

"Is there any comeback for what this actually is - namely illegal seizure..." -- Martin Milan

(Note: IANALBIPOOTI)

Pretty sure the law you're looking for is Trespass to Goods. It's a tort, so the police cannot be involved, but I think the victim has a pretty clear case for a compensation claim. Wonder if any of the no-win no-fee guys fancy having a go?

7
0

Poor recruitment processes are causing the great security talent drought

John H Woods
Silver badge

Re: HR Dept

HR should simply not be involved in recruiting in anything but procedural details -- checking driving licences, security clearances, credit check etc. The idea that any of them should participate in, let alone conduct, any interview in which the technical (suit)ability of a candidate is addressed is ... well, it's beyond stupid.

29
0

Institute of Directors: Make broadband speeds 1000x faster than today's puny 2020 target

John H Woods
Silver badge

^^^^ strong contender ...

... for COTW and it's only Monday.

4
0

Phorm suspends its shares from trading amid funding scrabble

John H Woods
Silver badge

Guys ...

... 40 comments and no "Kill it, kill it with fire" or "Take off and nuke it from orbit" --- what's happened?

2
0

Dead Steve Jobs owed $174 by San Francisco parking ticket wardens

John H Woods
Silver badge

yes ...

... ironically if you use the phrase petitio principii the people who misuse "begging the question" ask why you feel you have to use Latin

1
0
