You are currently reading a thread in /g/ - Technology

Thread replies: 72
Thread images: 9
Hmm, who's right, /g/? famous hacker, or Daniel "Muh Open Source" Nobodykski?
>>
who cares, they #talk like #faggots
>>
>>53052021
/g/'s too busy comparing their riced out desktops to care about real technology like encryption, security postures or attack surfaces
>>
>>53052055
did you see the grugq use any hashtags? #blindpeopleproblems
>>
>>53052084
Encryption's pretty useless when the whole OS is "cloud"-based, and sends all your data to Apple.
>>
>>53052153
Exactly, and same with Android. AOSP is basically the only way to have a secure-ish phone anymore.
>>
>>53052153
if it's so useless, why hasn't the fbi just you know, hacked into icloud?

don't be dumb, anon-kun.
>>
>>53052021
THE FBI ISN'T ASKING APPLE FOR A BACKDOOR

they only want to be able to brute-force passwords. it's like asking someone to disable fail2ban, not compromise the crypto in sshd
>>
>using lagdroid
>>
>>53052185
>Hacking into something you just request information from
>>
>>53052178
This. And that's why I use Android.

>>53052185
I really hope this is an ironic joke, in which case, I applaud. :P
>>
PROTIP: every single iphone since 5s has hardware encryption chips installed making strong encryption efficient

NOT every android phone can be the same, since google DROPPED the requirement because device manufacturers cited muh reasons, and encryption/secure boot is not even enabled by default on many android devices
>>
>>53052211
See: >>53052153
>>
>>53052227
see:>>53052185
>>
>>53052208
They can't, dumbass. The Feds have every Warrant available, but Apple doesn't have any information to hand over. It's Encrypted.
>>
File: 1447905235347.jpg (51 KB, 604x340)
>>53052211
>using anything but a Nexus device
>>
>>53052208
do a night class on hooking into a database from java, pajeet, and you might understand how incorrect your basis is
>>
>>53052208
if the information was there, maybe they would have requested it. but it isn't, so they didn't.

you don't have to use icloud if you use ios, you know?
>>
>>53052227
this whole mess is based around the fact that they already have the icloud data, but the shooter turned off cloud backup 6 weeks prior to the shooting
so no, encryption is not useless if you're not uploading shit
>>
>>53052247
yeah, a nexus 4 that doesn't even get the latest kernel so i'm forced to live with several glaring security vulnerabilities like the one in gnulibc. fuck that, at least every ios device back to the 4s still gets updates today
>>
>>53052189
4/6-digits numbers are quite easy to bruteforce once you have nothing slowing it down
>>
>>53052235
Pic related

>>53052275
This is true, no arguments here.
>>
>>53052285
>once you have nothing slowing it down
yeah but guess what, dummy? there is something slowing it down, it's called a hardware throttle.
see:>>53052084
>>
>>53052021
Nothing proprietary is secure. The reason Apple makes this court order is so that their bluff is not caught in public. "Oh yeah, we had a backdoor all along... ooops" if they did not have a backdoor then they would go... "Sure FBI, we will do our best..." and then release the code and go "can anyone help us? We are just too secure"
>>
>>53052277
Android does not use glibc, and glibc doesn't live inside the kernel you retard
>>
>>53052303
while i am entertained by your post, i don't see any factual data to back up any of those claims
>>
>>53052302
even if you take over 100ms per passcode, going through all 10000 possible combinations for a 4-digit passcode takes 20 minutes
>>
Why doesn't the FBI just use this?

https://iclouddnsbypass.com/

It does work
>>
>>53052342
but there's a 10 attempt limit before all data gets securely erased.

if the fags were smart, they would have given their icloud password to al-ackbari somewhere and said "after i'm in heaven with my virgins, log in and remotely erase my iphone for me"
>>
>>53052277
You are so dumb, glibc has nothing to do with kernel. N4 isn't EOL yet so you should be getting security updates if there are any. What's your build #?
>>
>>53052084
what is the max amount of time it could take to bruteforce with an 80ms delay between each attempt?
>>
>>53052390
that's only IF you enable it, and if Apple doesn't remove the 10-attempt limit and timeouts
>>
>>53052404
>N4 isn't EOL yet
Looks like the updates stop at 5.1.1, unless Google is backporting security updates to Lollipop (which is possible I guess)

https://developers.google.com/android/nexus/images
>>
>>53052469
>that's only IF you enable it,
>implying it's not enabled
why else would they have trouble bruteforcing it? the pros at the fbi aren't the typical 4chan wannabe
>>
File: 1454728778655.gif (4 MB, 294x250)
>>53052084
>>53052021
>>53052337
That's the magic of proprietary hardware! It's in the sauce. Yet somehow a black market for stolen iPhones still magically exists. I don't know who to believe!
>>
>>53052354
why is nobody talking about the icloud dns vulnerability yet? shit's ancient
>>
>to be more protected you have to OPEN source
Are there really white people this fucking retarded?
>>
I don't see how any software used by the fbi to hack phones would ever be secure. The FBI has already proven that they can't even keep their own private information private.

Also since when can the government demand free services from businesses? Mandating that Apple writes a program exclusively for the government to allow them to brute force devices isn't all that different from mandating that all taco bells offer free food to police officers.
>>
>>53052535
Muh security through obscurity
>>
>>53052502
that black market for spare parts exists for an obvious reason... are you suggesting they should implement a unique ID identifier so a screen only works with ONE particular serial number-HW identifier and it refuses to work if it doesn't detect THAT particular serial number?

if positive, you are fucking retarded and im not surprised you lurk /g/.
>>
>>53052285
I hate PINs as much as the next guy but you can set 12+ digits for a mean cracking time of ~300+ years given the hardware limitations. people might have to face that reality, that 4 digits are not secure for anything

>>53052302
the boot/unlock crypto is deliberately slow. the quoted guy above means that cracking 4 digits will take a few minutes even on that chip if there's no punitive delay/10 wrong guess wipe

>>53052451
you need 12+ digits
>>
>>53052574
>implying it doesn't work
Any issues found can just be fixed faster by someone actually paid to work on it, and not some volunteer wanting to change all references of 'slave' on github. kthx
>>
America has become pussified.

It's a fucking felony to open someone else's mail before the receiver gets it. Literally nobody can fuck with your mail unless they have a warrant. That's because 200 years ago people wouldn't stand for bullshit like "well our government should have the right to open our mail because we're just peons, what do we know?".

Today we're talking about having backdoors added to fucking everything and people are saying "well muh terrorists I ain't got nothin' to hide".
>>
>>53052491
because they don't want to risk losing the data in case the 10-failure wipe is enabled, and they probably can't get through in 5 attempts unless they want the timeout to kick in
>>
>>53052617
Apple's software bugs always take years to fix. While all FOSS OS security issues are quickly found, publicized, and dealt with by the type of paranoid security nut that uses a FOSS OS.
>>
>>53052754
thanks for clarifying my point
>>
>>53052830
yep
take heartbleed for example
>existed since the inception of openSSL
>once discovered took only months to fix/updates not pushed, meanwhile servers all over the world are being pwned
>>
>>53052872
The 10-failure wipe is an optional setting, and Apple can presumably disable it, along with the timeout. If they do that, the FBI/whoever will have no problem getting in a day maximum with a 6-digit passcode.
>>
>>53052984
they can't disable it if the user set it, moron
>>
>>53052672
the government can get a warrant to look through a serial murderer's mail
>>
>>53053043
people who do shooty shooty things usually don't give a shit about that sort of thing
>>
>>53053057
The problem isn't access. It's encryption. They can access their, but if it's written in code, there's no obligation to have someone unscramble it.
>>
>>53053115
are you trying to say that it's not set?

if it was not set, then anybody could have bruteforced it the day they recovered it. but since it is set, they can't risk it.
>>
>>53053181
*their mail
>>
>>53053187
Could have, but you're missing the fact that the timeouts ("iPhone locked for 1 minute, 5 minutes", etc) still remain
>>
>>53052882
It was patched in hours by pretty much any relevant distribution, even niche distros patched it in days
Meanwhile Microsoft vulns take a whole month to be patched through patch tuesday, Apple just doesn't give a fuck and won't merge patches from upstream until a year or so
>>
File: its over.png (106 KB, 635x771)
Uuh... guys.
>>
File: 1296147274625.jpg (34 KB, 640x427)
>>53053424

oh my, how unexpected.
>>
File: 1314324228617.png (717 KB, 867x1054)
>>53053424

>Apple can update the SE firmware, it does not require the phone passcode, and it does not wipe user data on update. Apple can disable the passcode delay and disable auto erase with a firmware update to the SE. After all, Apple has updated the SE with increased delays between passcode attempts and no phones were wiped.

https://blog.trailofbits.com/

O....Oh... lawdy.
>>
>>53053531
they only did it because consumers whined about muh error 53. the only reason you got error 53 was because you're a cheapskate and got unofficial hardware put into your phone. it's TPM, tamper resistant hardware, wtf did they expect to happen?
>>
File: 1335124256976.png (58 KB, 686x546)
>>53053531
> After all, Apple has updated the SE with increased delays between passcode attempts and no phones were wiped.

Which required the fucking phone to be unlocked to accept the update. I think it might even require the iCloud password.

This is really, stupidly fucking simple. YES, there are ways to update the low level firmware. NO, there are no ways to do that without either

* Unlocking the phone
* Wiping the data.
>>
>>53053531
Once again, this is a random guy *guessing* that it might be technically feasible. He has no affiliation with Apple and no knowledge of their systems.
>>
>>53053585
so basically consumers and the threat of a class action lawsuit, not a court order by the government, was the reason apple purposefully broke their security
>>
>>53053619
and the threat of a class action lawsuit * by a bunch of EULA-breaking cheapskates*
>>
>>53053619
>>53053634
Except there's no security being broken - you still can't use the fingerprint reader anymore because it wasn't cryptographically paired with the secure enclave.

All Apple did was unbrick the phones. No security has changed here.
>>
>>53053614

>Apple can update the SE firmware, it does not require the phone passcode
>it does not wipe user data on update.

Did you even read the article you fucking sperg?
>>
>>53053618

SUPREME DAMAGE CONTROL
>>
>>53052021
Well, the thing is, as long as the source code isn't publicly available (i.e. not open source), there's no way to independently verify the software is actually secure. You basically have to take the vendor's word for it.

Now, open source software is not by definition more secure, but the public can at least independently verify its security, because everyone is able to look at the source code. The thing is, it has to actively be audited by people to actually make sure it's verifiably secure.

TL;DR Closed source doesn't allow independent code audits; open source does. People should therefore always consider open source software, as long as the project is actively being developed *and* audited.
>>
The FBI court order, combined with all the public scrutiny into iOS security, is only going to push Apple to double down on hardening its devices over the next few years, so that Apple is utterly helpless to comply with future government demands.
>>
>>53053877
you still have to trust people who say they know what they're talking about when they claim the code they reviewed is secure
>>
>>53054025
Yes, but open source enables far more eyes to look at the code.

From a theoretical point of view, open source is the better system, *but* there are still too few independent code audits in spite of the source code being available. I would really like more projects to start bug bounty programs to stimulate more and more people to inspect the source code. In fact, I'd like the government to also organise/fund such programs for large projects we all use (e.g. the Linux kernel).