
Comment Re:What Happens When you Forget Your Password? (Score 1) 388

There is no way that any apple owner would be OK with the idea that if they ever forget their password, their phone is bricked. So what do they do when the owner contacts them asking for a password reset?

If they forget their password, all the data on it is (theoretically securely) erased and the phone is factory reset.

But what if the phone was the only source of that information?
Then what if the phone got sat on wrong and broken? Much worse than losing the password, but the same loss of data.

And to the original observation...
There is no way that any Apple owner would be OK with the idea that their phone would not be usable if they forgot to charge it for a whole week.
There is no way that any Apple owner would be OK with the idea that if it falls out of their window on the highway and gets run over three times, their phone is bricked.

However, since it's not bricked if they forget their password, it's a moot point. Though sometimes I think that more people would be more careful with their passwords if more bad things happened when they forgot them or accidentally gave them to other people. Like if people's bank accounts got drained or people got fired for... oh... wait...

Comment Re:Sorry, no exceptions to mathematics. (Score 1) 388

I would create multiple usernames/passwords that are allowed to unlock the system. E.g., multi-login. The keystore that secures the encryption on the device would then have to be doubly encrypted with two separate encryption keys on the device, using a public key of the 2nd user available on iCloud. The second encrypted store could be uploaded to iCloud and only decoded by that 3rd party, who would then have access to decrypt the duplicated information.

You could do PK key exchange via Bluetooth or something more personal to protect against MITM attacks.

The device would then need a time delay to prevent that designated user from logging onto your phone through casual day-to-day usage. The device should only be accessible 30 days after not being used and would require the user to access iCloud to fetch and decrypt the store. The device would still be protected by encryption but may be decrypted by a designated person(s) so long as the designated person is nominated upfront.

I feel that there are a lot of holes in this plan...
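As an added illustration of the escrow sketch in the post above (this is not the poster's code, and Apple's actual design is not described here), the Go snippet below wraps one data-encryption key under both the owner's and a designee's public key and refuses the designee's copy until the device has been idle for 30 days. The type and function names, the choice of RSA-OAEP for the wrapping, and the assumption that the device itself enforces the idle-time policy are all constructed for the example.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"time"
)

const recoveryDelay = 30 * 24 * time.Hour // assumed from the post: designee may unlock only after 30 idle days

// Escrow holds one data-encryption key (DEK) wrapped under two public keys; the data itself is sealed under the DEK elsewhere.
type Escrow struct {
	OwnerWrap    []byte    // DEK under the owner's device key
	DesigneeWrap []byte    // DEK under the designee's key; this copy can be uploaded to iCloud
	LastUsed     time.Time // refreshed on every owner unlock
}
// wrap/unwrap use RSA-OAEP with a fixed label so the blob is only usable as a DEK escrow.
func wrap(pub *rsa.PublicKey, dek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, []byte("dek-escrow"))
}
func unwrap(priv *rsa.PrivateKey, box []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, box, []byte("dek-escrow"))
}
// NewEscrow generates a fresh 256-bit DEK and wraps it for both the owner and the designee.
func NewEscrow(owner, designee *rsa.PublicKey, now time.Time) (*Escrow, []byte, error) {
	dek := make([]byte, 32)
	rand.Read(dek) // crypto/rand; cannot fail in current Go
	ow, err1 := wrap(owner, dek)
	dw, err2 := wrap(designee, dek)
	if err1 != nil || err2 != nil {
		return nil, nil, errors.New("wrapping the DEK failed")
	}
	return &Escrow{OwnerWrap: ow, DesigneeWrap: dw, LastUsed: now}, dek, nil
}
// UnlockByOwner is the everyday path; a successful unwrap restarts the inactivity clock.
func (e *Escrow) UnlockByOwner(owner *rsa.PrivateKey, now time.Time) ([]byte, error) {
	dek, err := unwrap(owner, e.OwnerWrap)
	if err == nil {
		e.LastUsed = now
	}
	return dek, err
}
// RecoverByDesignee releases the escrowed DEK only once the device has sat idle 30 days.
func (e *Escrow) RecoverByDesignee(designee *rsa.PrivateKey, now time.Time) ([]byte, error) {
	if now.Sub(e.LastUsed) < recoveryDelay {
		return nil, errors.New("recovery refused: device used within the last 30 days")
	}
	return unwrap(designee, e.DesigneeWrap)
}
```

The idle-time gate lives in software on the device, so it is only as strong as the device's own clock and enforcement, which is one of the holes the poster alludes to.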

Comment Re:joek (Score 1) 101

A different consideration can be summed up in the idea that PCI Compliance makes a company "impossible to be hacked" in the same sense that being an "important and secure government agency" makes the FBI "impossible to be hacked". A frequent view is that PCI DSS means nothing at all because even fully-compliant companies can be hacked.

The middle ground is the concept that PCI Compliance just makes the company less likely to be breached and the recognition that common sense isn't all that common (despite the sads this causes for people who would think "don't store PII unencrypted" should be akin to "don't stab yourself in the eye with a fork in an attempt to improve your vision"). PCI compliant companies can (and will) still be hacked. This is more of a question of "Is the PCI standard a proper balance to reduce the threat, and were these companies -really- PCI compliant, or just saying they were and so we need to revisit how we are addressing this one way or another?"

Comment Re:The deed is done (Score 2) 610

From one point of view, it could be said that I did not say the encryption scheme would be broken in that case. It would be the misappropriation of "legitimate" keys used to access the back door of the encryption system.

From another point of view, if the point of the encryption is to prevent any but explicitly-authorized entities - as defined by the data holder and assumed to not include the pool of "and whoever has backdoor keys to the encryption system" - from accessing the data, the very existence of a backdoor breaks the encryption scheme (though not the cipher-generation algorithm) to a degree as it both creates an unknown third party "authorized entity" and a larger attack surface against which a successful attack can compromise the security of your data.

The encryption scheme, taken as a whole, is the entirety of everything from the key storage to (in)secure hardware to the strength of the key against various attacks to the cipher algorithm and stuff in between and around. So the algorithm that generates the encrypted result and reverses that process may be "very secure", but the scheme as a whole can have other faults. Like "password written on a post it note and stuck to the back" or "intercept the self-destruct process to be allowed to brute-force 10,000 4-digit possibilities" to "offload the stored key and use knowledge of the pin-to-key process to extract the key by brute force on an external system".

Encryption cipher algorithms as we know them today are not "unbreakable". They're just "currently so hard to break that it cannot feasibly be assumed to be doable in a useful time period." But a sticky note with the password renders even an "unbreakable" quantum cipher useless in short order. So you protect the key.

If you are the only one in control of the key, you can make your own choices (within some limitations) on where that key exists and who/what has access to it. The moment there is a back door, you no longer have control over the fully-inclusive key set to your data and the people who do have proven that there is a strong potential for their backdoor key to become compromised, thus compromising the security of your data.

Comment Re:The deed is done (Score 4, Insightful) 610

The problem is that cryptography is mathematics and doesn't know the difference between criminals and innocent people.

It also doesn't know the difference between law enforcement requests to unlock the phone and criminal requests.

If they can get into a criminal's phone, they can get into anybody's phone. If they can get into anybody's phone, any criminal who gets the key can get into anybody's phone. As to "how likely is it for the criminals to get the keys?"... well, pretty much every system (FBI, DHS, Apple, etc.) that could theoretically hold the keys has been breached at some point. Holding that capability also makes a huge target. So "Very Likely", even to the point that when things were previously unlockable, hackers were doing so already.

Thus it comes down to "Do you want to allow criminals to access your iPhone so that law enforcement can also access a criminal's iPhone?" at that level. And in the event that a smart criminal had an indication that Apple could defeat the encryption and lockout, they'd just store the important data in a place that no company controlled or had access to.

Comment Re:How do they know (Score 2) 95

The linked article is a short version of the Reuters article that is much more informative.

To address the concerns of European authorities, the Internet giant will soon start polishing search results across all its websites when someone conducts a search from the country where the removal request originated, a person close to the company said.

That means that if a German resident asks Google to de-list a link popping up under searches for his or her name, the link will not be visible on any version of Google's website, including, when the search engine is accessed from Germany.

The company will filter search results according to a user's IP address, meaning people accessing Google from outside Europe will not be affected, the person added.

So once again Anti-Geoblocking/Anti-Georestriction VPN becomes the solution for folks.

Comment Re:1-to-1 loss, bad math (Score 2) 261

True. It does not change the general premise of the post.

The entire premise behind the device is to protest the claim that was made and believed that sent him to jail and has him owing millions in debt. As TFA states: "The most important message, however, is that the millions of dollars in losses the industry claims from him and the other TPB founders are just as fictitious as the number displayed on the Kopimashin."

It even goes so far as to say that the piracy is a net GAIN for the industry, and this could potentially make sense. Take the doughnut example:

The friend offers ten doughnuts to ten people and three of them like the doughnut a lot, so end up each ordering a dozen doughnuts at the store at full price. Ten doughnuts loss, 36 doughnuts paid for. PROFIT! Loss leaders, free samples... all the same concept, and one that the industry is not understanding.

A lot of words to say I agree with you. ;)

Comment Re:1-to-1 loss, bad math (Score 1) 261

The 8,000,000 copies it makes every day costs the record industry $10m/day in losses. ...

This implies an 80-cents loss per copy,

Given the title of the post, I hope the irony is not lost on anyone.

(Though because I know it will be: Eight million copies creating ten million loss is $1.25 per copy. The order of the numbers is important in division.)

Comment Re:Moment? (Score 1) 139

Drivers are "required" to be alert today, yet that doesn't stop them from texting, putting on makeup, reading books (!) and lots of other things that divide their attention - they surely aren't going to pay *more* attention to their driving when the car is doing all of the work.

That makes it sound like "drivers" is all-inclusive. Probably as long as these requirements exist, the companies making the cars will only allow them to be operated by people who will not do that. It's not as if you can go to a dealership and buy a self-driving car, after all. Though of course the requirements will be taken as seriously as the penalties for not meeting them and as the likelihood of being caught. Penalties to likely include bad press as well as legal implications.

Comment Re:Moment? (Score 1) 139

The problem is that the driver is not going to be alert -- drivers are barely alert even with fully manual cars, they surely are not going to be paying attention while stopped at a light, they are going to be playing Angry Birds.

Which simply means that the requirements will require alert drivers and no angry birds. This leads to the concept that California still considers the technology to be "In Development" and not for the average SMSing driver or general consumption. Which also leads to the implication that these requirements will be changed in the future when the technology is no longer in a testing phase.

To forestall responses that "It'll never change", I'll point out that very few open-stretch, long-haul freeways still have a speed limit of 55.

Comment Re:Moment? (Score 1) 139

An example would be the car sitting at a red light in a construction zone with new signals strung up and when an unrelated light turns green, the autonomous car releases the brakes and starts to move forward against a red for its lane. An alert individual can override and re-apply the brakes immediately similar to if they had a lapse of clarity and a moment of confusion and avoid crossing fully into opposing traffic.
