Free Republic
General/Chat

Rush Limbaugh just said Apple will not hand over decryption keys to Obama / NSA / Federal goons...
3 10 15 | limbaugh

Posted on 03/10/2015 9:54:40 AM PDT by dennisw

To: William Tell
Of what value to me is a decryption key in the hands of Apple? I would have no expectation of privacy in such a case.

Apple doesn't have YOUR decryption key. The device itself encrypts the data to 256 AES standard using your passcode entangled with the UUID of the device before Apple ever gets any of your data if you choose to store it on the iCloud. Apple cannot decipher it either. They then anonymize it, split it into four pieces, mix it with other users according to an algorithm, and then add their own 256 bit AES encryption. If the NSA demands what they hold, all they'd get is so much gobbledygook which would have to be further decrypted and without YOUR key, it would take 10^207 YEARS to try all possible keys to get at your data. Since it is estimated that the Universe will have died by heat death in 10^187 years, I think the question of what you have in your data would be a bit moot by then, don't you?

21 posted on 03/10/2015 11:24:01 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Cyman
Sorry Rush but I say BS. NSA has had Rotten Apple’s encryption keys since almost day one. Now they are just trying to get Apple to publicly acknowledge that they “gave” it to them.

YOU don't know what you are talking about. That makes you a prevaricator. The NSA document dated October 11, 2007, stated they had to have "close access" to an iPhone to install their software. Close Access means possession of the phone at some time before or after delivery. There are no general backdoor encryption keys. Even Apple cannot access the users' data. You just really want to believe that Apple is lying about this because you suffer from a severe case of MAPS:

Swordmaker's and Kathy's proposed diagnosis for the new ICD-10 addenda:

90210 iOS Munchausen's Apple-Plexy Syndrome (MAPS), The overwhelming compulsion to post negative, judgmental, aggressive, and false commentary on any website thread related to Apple products wherever found, including phobic reaction to projected Apple user euphoria. First and subsequent encounters.

22 posted on 03/10/2015 11:33:14 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 7 | View Replies]

To: Theoria
Snowden doesn't use an iPhone because of their privacy concerns.

Samsung's vaunted Knox security got it a US government contract. . . and two weeks later it was discovered that Samsung was keeping the KEY to access to Knox in an insecure Library in an unencrypted text format that anyone could easily find. LOL! It was as secure as wet tissue paper!

Apple's keys are kept in a HASH inside its Secure Element which is part of the PROCESSOR and the hash has to be recalculated each time it is entered and compared to the hash that is stored in the Secure Element which cannot be accessed from outside the iPhone, nor is it ever transmitted from the iPhone. That hash then unlocks the phone, but the key itself is entangled with the 256 bit UUID of the iPhone itself to use as a KEY to encrypt the data contents on the iPhone. Apple itself never gets that hash and cannot decrypt your data. They ARE secure.

Android phones are not. . . even Samsung phones with Knox Security. Perhaps Samsung has solved that problem with the Samsung Galaxy S6.

23 posted on 03/10/2015 11:46:22 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 17 | View Replies]

To: Swordmaker
Thanks for the Samsung summary....now back to Apple.

Did/Has Apple presented/fixed the DROPOUTJEEP concerns?

24 posted on 03/10/2015 12:08:39 PM PDT by Theoria (I should never have surrendered. I should have fought until I was the last man alive)
[ Post Reply | Private Reply | To 23 | View Replies]

To: Theoria

Apple doesn’t cooperate with “malicious hackers”, like the NSA ... :-) ...

— — —

Early reports of the DROPOUTJEEP program made it appear as if every iPhone user was vulnerable to this — which simply can’t be the case. Physical access to a device was required which would preclude the NSA from simply ‘flipping a switch’ to snoop on any user. And Apple patches security holes with every version of iOS. The high adoption rate of new versions of iOS also means that those patches are delivered to users very quickly and on a large scale.

The jailbreak community, for instance, knows that once a vulnerability has been used to open up the iPhone’s file system for modification, it’s been ‘burned’ and will likely be patched by Apple quickly. And the process of jailbreaking fits the profile of the capabilities the NSA was detailing in its slide.

Appelbaum’s talk at the 30th Chaos Communication Congress walked listeners through a variety of the programs including DROPOUTJEEP. He noted that the claims detailed in the slide indicated that either Apple was working with the NSA to give them a backdoor, or the NSA was just leveraging software vulnerabilities to create its own access. The Apple statement appears to clear that up — pointing to vulnerabilities in older versions of iOS that have likely since been corrected.

I do also find it interesting that Apple’s statement uses extremely strong wording in response to the NSA program. “We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks,” the statement reads, “regardless of who’s behind them.”

http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/


25 posted on 03/10/2015 12:19:56 PM PDT by Star Traveler (Remember to keep the Messiah of Israel in the One-World Government that we look forward to coming)
[ Post Reply | Private Reply | To 24 | View Replies]

To: Cyman

“Sorry Rush but I say BS. NSA has had Rotten Apple’s encryption keys since almost day one. Now they are just trying to get Apple to publicly acknowledge that they “gave” it to them.”
*******************************************************************************************************

FReepers have a saying they sometimes use...”You can’t make this stuff up”.

It seems that you have absolutely no problem making things up left and right.


26 posted on 03/10/2015 12:23:15 PM PDT by House Atreides (CRUZ or lose!)
[ Post Reply | Private Reply | To 7 | View Replies]

To: Theoria

There’s one REAL EASY WAY to prevent any problems from the NSA ... don’t give your IPhone to them ... LOL ...

AND ... if you think you left your iPhone just “laying around” and the NSA made off with it ... and then snuck it back into your house ... just ERASE and REINSTALL ... problem solved! ... :-) ...

— — —

NSA iPhone hack is uninteresting
http://www.thesafemac.com/nsa-iphone-hack-is-uninteresting/

The story of NSA’s remote access iPhone hack, called DROPOUTJEEP, has been spreading through online news media like wildfire. There is much hand-wringing and anxiety over the NSA getting its fingers into the security of iOS. Some sources are using this as an excuse to attack the security of iOS. The evidence behind these claims is scanty, however.

As far as I can tell, the sum total of public knowledge about this hack is the leaked government document shown at right. This is sparse information indeed to be basing any serious news stories on. These days, though, any story containing the “NSA” acronym is pounced on with wild abandon, facts be darned.

There is a great deal of focus on the capabilities listed in this document, and the fact that iOS remote hacks are supposed to be “impossible” (or, at least, not currently known). However, a key piece of information from that document has been completely ignored in every news story I have seen. I’m talking about the following paragraph:

The initial release of DROPOUTJEEP will focus on installing the implant via close access methods. A remote installation capability will be pursued for a future release.

What does this mean, and why is it important? A “close access method” refers to installing the software on a device using physical access. In other words, if a government agent can get his/her hands on your iPhone, then they can install the DROPOUTJEEP software in order to spy on you. This is obviously not something that most people will need to be concerned about. The government is not going to go to the expense of covertly gaining physical access to your phone unless they have good reason to be very interested in you.

There’s really nothing new about installing software in this manner on an iPhone. It has been possible for some time to jailbreak an iPhone, and then hide that jailbreak from the user, for the purpose of installing something undesirable on the phone. I’ve seen scattered reports of such things for a while. The FinFisher spyware, to give a concrete example, has been known to have this capability for some time now. It’s not particularly surprising that the US government has gotten in on the game… rather, it would be surprising if they hadn’t.

Remote installation would be substantially cheaper and a much larger threat. If an iOS device could be compromised by an attacker remotely, without any need for physical access or even proximity, it would be a serious security issue. However, there’s no known method for remotely hacking an iOS device at this time, and this document outright states that this capability is not yet a part of DROPOUTJEEP. The fact that the document says this will be “pursued for a future release” does not mean that this was ever actually pursued, or that it was ever achieved if it was pursued.

Lack of evidence is, of course, not proof that remote access isn’t possible. However, it’s important to be realistic here. There is absolutely no reason to believe that the NSA has remote access to every iPhone, as some reports have implied. The NSA is not the mythologically all-powerful organization that it has been made out to be by the popular media. If we begin to assume that anything is possible for the NSA, without requiring any evidence, we might as well begin wearing tinfoil hats.


27 posted on 03/10/2015 12:30:52 PM PDT by Star Traveler (Remember to keep the Messiah of Israel in the One-World Government that we look forward to coming)
[ Post Reply | Private Reply | To 24 | View Replies]

To: dennisw

The way Apple’s system is set up, even if they handed over their own keys, it doesn’t matter, because each device (newer ones at least) has a “secure enclave” that handles its own encryption with its own individual key.


28 posted on 03/10/2015 12:35:31 PM PDT by kevkrom (I'm not an unreasonable man... well, actually, I am. But hear me out anyway.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: PIF
Of course NSA may not have cracked them, but you can be sure they are working their supercomputers hard as are the Mossad and the FSB.

Each separate KEY has to be cracked individually. There are no master keys. Apple permits a key to be any one of the 227 characters accessible from the keyboard and a key can be up to 256 characters in length. That means that an initial Key can be 227^256. However, on an iPhone the input key the user inputs is entangled with the UUID (Universal Unique ID) of the device which can be a 128 character or 256 character hexadecimal number.

Taking only the smaller UUID possibility of 128 characters, and using a 16 character input passcode from the user to entangle together according to an algorithm. That would provide a 144 character KEY. Ergo, the key could be 207^144 possible combinations. Resolve that to 2.07^146. That is far larger than a Googol of possible combinations. Using a super computer capable of checking 100,000 possible combinations per second, the super computer would be able to check approximately 3 Trillion combinations (3^12) per year. To try all possible combinations at that rate, would take 2.07^134 YEARS!

207,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years.

The NSA's supercomputer might get lucky and hit some keys in a few years. . . but the odds are against them. . . and remember they have to do this with each individual key. Easier to torture you for your key.

29 posted on 03/10/2015 12:49:32 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 18 | View Replies]

To: dragnet2
Get everyone to believe they have secured communication, make big $...Resulting in a massive treasure trove of data. Make a deal with gov to keep their little secret quiet with the promise of biggov favors...

All that will/has happened whether people believed it or not.

30 posted on 03/10/2015 12:54:48 PM PDT by itsahoot (55 years a republican-Now Independent. Will write in Sarah Palin, no matter who runs. RIH-GOP)
[ Post Reply | Private Reply | To 16 | View Replies]

To: PIF
Has there been an uptick in iPhone sales to ISIS/the Middle East? If not, then they are cracked.

Strangely, Terrorists prefer to use Android. That actually may be because of the Snowden leak. . . which would be hilarious, because it simply isn't true. . . and the Android phones are leaky like sieves and totally insecure. I am wondering if that was not the intent in leaking that in the first place. Push the bad guys onto the most insecure platform to facilitate access to whatever they are up to?

31 posted on 03/10/2015 1:05:13 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 18 | View Replies]

To: Star Traveler
As far as how hard various agencies’ supercomputers are working ... I believe I will be dead long before they hack into what I have encrypted just from yesterday ... :-) ...

Most likely your protons and neutrons will have dissolved into their component quarks by the time they get half way through the process. . .

32 posted on 03/10/2015 1:06:57 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 19 | View Replies]

To: Swordmaker

You may be correct. So there is a huge upsurge of iPhone buying by the FSB ... who’d thunk.

33.9 petaflops is the fastest public supercomputer, however, I would imagine that NSA’s is quite a bit faster. I don’t know where the 33.9 petaflops fits in your math.

NSA breaks codes not by simply trying various numeric/alphabetic combinations, but by using extremely sophisticated algorithms, or at least that was what the NSA code heads told me a long time ago. They wouldn’t tell me more as I was not cleared, but at the time there was no code (crypto cypher) in use anywhere that they had not broken. There were codes then - notably the Russian one day pads that had no master key. So either they fell down on the job at some point for some reason, or they are misleading the public about what code they have or have not broken.

If NSA had or had not broken the iPad/iPhone they would not tell anyone; however, they might play with civilian tech heads with their press releases. Easier to allow the FSB/ISIS et al. to think they are still secure ... than to torture anyone.


33 posted on 03/10/2015 1:28:58 PM PDT by PIF (They came for me and mine ... now it is your turn ...)
[ Post Reply | Private Reply | To 29 | View Replies]

To: dennisw

Not long ago, some lefty sheriff(?) was complaining that the iPhone’s encryption was a “pedophile enabler”.

The assumption underlying that accusation is that anyone in the gov’t just is, by virtue of being in gov’t, inherently trustworthy to the point that we should have NO problem letting them look through our private information.


34 posted on 03/10/2015 1:32:32 PM PDT by MrB (The difference between a Humanist and a Satanist - the latter admits whom he's working for)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Theoria
Did/Has Apple presented/fixed the DROPOUTJEEP concerns?

DROPOUTJEEP was NSA's answer to the iPhone circa 2007— derived from an original document dated October 08, 2007 to be precise—and that is the latest paper that Snowden released on the subject. That paper specified that DROPOUTJEEP "will focus on implanting the implant via close access" to implement DROPOUTJEEP on an iPhone of 2007 vintage. The "will" implies this was a PROPOSED software to be developed, not that it was actually developed. Note at the bottom of the page that Snowden released are the words: Status: (U) in development

The "close access" also meant they had to have actual physical possession of the iPhone either before or after delivery to install their software (it was unspecified whether it would also entail any hardware, but they claim cost is $0, so I suspect only software). At the time of the paper, it was NOT a remote exploit, but they would pursue one in the future. There are no backdoors on the iPhone.

In other words, DROPOUTJEEP was an NSA exploit that added an unauthorized function to the OS that sent data to the NSA on certain iPhones that NSA had intercepted and added their software to, it was not a general vulnerability to be fixed.

ALL of this hype about the iPhone being compromised by NSA originated from this single document released by Eric Snowden. There are no further documents to indicate that they were successful in developing DROPOUTJEEP beyond a proposal to a working exploit. . . or if they did, were able to successfully deploy it on any iPhones. If they had, I think Snowden would have found them and released them along with it, since the date on this document is October 10, 2008, a year later and it is not shown as completed, a year AFTER the proposal was made.

I do know that not one instance of DROPOUTJEEP has EVER been seen on an iPhone in the wild. NOT ONCE. NOT EVER. Nor has anything with such a capability ever been found on an iPhone. . . nor has any App with such a capability been found in the iPhone App Store.

35 posted on 03/10/2015 1:38:43 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 24 | View Replies]

To: Star Traveler
The initial release of DROPOUTJEEP will focus on installing the implant via close access methods. A remote installation capability will be pursued for a future release.

Even the Safe Mac article missed the most important parts of the whole paper that Snowden released. "The initial release of DROPOUTJEEP will focus on. . . " is a dead giveaway that they are talking about something that does not yet exist. In addition down at the bottom of the page of the copied sheet, there is an entry that says "Status in development".

The access date on the whole paper is October 10, 2008, the original paper is a year before that, October 8, 2007. . . and there was no follow-up documentation that Snowden found. I think that indicates that it was either not approved, not completed or unsuccessful by one year later.

NO ONE, to my knowledge has ever pointed this out, yet this one single paper is the source of all the hoopla about iPhones being compromised by the NSA. There is no other source for that claim.

36 posted on 03/10/2015 1:53:20 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 27 | View Replies]

To: PIF
33.9 petaflops is the fastest public supercomputer, however, I would imagine that NSA’s is quite a bit faster. I don’t know where the 33.9 petaflops fits in your math.

It doesn't matter. Multiply the speed of your supercomputer by a thousand. . . and you only knock three zeros off that huge number. Multiply the speed by a million and only six zeros get knocked off. That is the problem with brute force cracking of hard keys. . . which is the only way to crack these kinds of cyphers. No matter HOW fast your supercomputer the number of possibilities is simply too great to try in the amount of time to make it practical.

There is a sculpture on the CIA grounds that has three encryptions on it. Two have been broken. The third has eluded all attempts to be broken by their experts. So the claim that all codes can be broken is false. To break a cypher requires sufficient time and sufficient exemplar data. IF you have neither, it will not be broken. Sorry, they can claim what they want, but it is a mathematical impossibility to claim that algorithms can break exceedingly large AES keys. They are misleading the public on what they are capable of doing.

One type of code is totally unbreakable. That is the code book type cypher in which every character or word is substituted for a page number, line number, word number, and letter number in the word, from a large book. Both you and your intended recipient have a copy of the book of which there are only two copies in the world. Each time you use a letter, it is taken from a different page, line, word, and position. There is absolutely no way to break that. . . unless the one wishing to break the code has somehow gotten a copy of the book. Want to make it even more complicated? Set a rule that on each day of the week, alter the numbers by an algorithm known only to the two of you.

37 posted on 03/10/2015 2:13:49 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 33 | View Replies]

To: PIF
NSA breaks codes not by simply trying various numeric/alphabetic combinations, but by using extremely sophisticated algorithms, or at least that was what the NSA code heads told me a long time ago. They wouldn’t tell me more as I was not cleared, but at the time there was no code (crypto cypher) in use anywhere that they had not broken. There were codes then - notably the Russian one day pads that had no master key. So either they fell down on the job at some point for some reason, or they are misleading the public about what code they have or have not broken.

Those algorithms are based on what humans do in picking passcodes. . . and based on certain assumptions about limited choices. But you are overlooking the fact that Apple's passcodes are entangled with the UUID of the device. That gets around such algorithms. . . by randomizing the possibilities.

38 posted on 03/10/2015 2:19:15 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 33 | View Replies]
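
An added illustration, not part of any post above and not Apple's actual construction: a sketch of the two ideas the thread keeps returning to, a passcode mixed with a device-unique value before it is used as a key (with only a recomputed verifier stored), and how exhaustive-search time scales with guessing speed. PBKDF2-HMAC-SHA256 stands in for the "entangling" step; the device identifiers, iteration count and function names are assumptions made for this example, while the 227-character alphabet, 16-character passcode, 100,000 guesses per second and 33.9 petaflops figures are taken from the posts.

```python
import hashlib
import hmac
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ITERATIONS = 50_000  # assumed work factor, chosen for this sketch

# Constructed sample device identifiers (not real hardware values).
DEVICE_A = bytes(range(32))
DEVICE_B = bytes(range(32, 64))


def _master(passcode: str, device_id: bytes) -> bytes:
    """Mix the passcode with the device-unique value (PBKDF2 as a stand-in)."""
    return hashlib.pbkdf2_hmac(
        "sha256", passcode.encode("utf-8"), device_id, ITERATIONS, dklen=32
    )


def enroll(passcode: str, device_id: bytes) -> bytes:
    """Return the verifier kept on the device; the data key is never stored."""
    master = _master(passcode, device_id)
    return hmac.new(master, b"verifier", hashlib.sha256).digest()


def unlock(passcode: str, device_id: bytes, stored_verifier: bytes):
    """Recompute the verifier on entry; release the data key only on a match."""
    master = _master(passcode, device_id)
    candidate = hmac.new(master, b"verifier", hashlib.sha256).digest()
    if not hmac.compare_digest(candidate, stored_verifier):  # constant-time
        return None
    return hmac.new(master, b"data-key", hashlib.sha256).digest()


def log10_keyspace(alphabet: int, length: int) -> float:
    """log10 of alphabet**length, kept in log form to avoid huge integers."""
    return length * math.log10(alphabet)


def log10_years(log10_space: float, guesses_per_second: float) -> float:
    """log10 of the years needed to try every candidate at a fixed rate."""
    return (log10_space
            - math.log10(guesses_per_second)
            - math.log10(SECONDS_PER_YEAR))


if __name__ == "__main__":
    verifier = enroll("correct horse", DEVICE_A)
    print("right passcode, right device:",
          unlock("correct horse", DEVICE_A, verifier) is not None)
    print("right passcode, other device:",
          unlock("correct horse", DEVICE_B, verifier) is not None)

    spaces = {
        "256-bit key": log10_keyspace(2, 256),
        "16 chars from 227": log10_keyspace(227, 16),
    }
    # 33.9e15 treats one floating-point operation as one guess (an assumption).
    for label, space in spaces.items():
        for rate in (1e5, 1e8, 33.9e15):
            print(f"{label:18s} at {rate:.3g}/s: "
                  f"10^{log10_years(space, rate):.1f} years")
```

Working in logarithms makes the scaling visible directly: every factor of 1,000 in guessing speed subtracts exactly 3 from the exponent, whatever the size of the space being searched.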

To: Swordmaker

The code book type cypher is a common Russian cypher broken in the 60s - set by various times depending on which unit in which Russian Army was doing what, where and when. We did it routinely. So that bit of info is not true. To make a point, we called up a Russian armor unit on Christmas and wished them Merry Xmas using their current (code book type) cypher ... talk about stirring up a hornet’s nest ...

The three encryptions - The CIA made the claim, not NSA. CIA does not break codes. That’s NSA’s mission - it breaks and creates the codes for the CIA, DOD etc.

The claim for breaking all existing codes was in the late 60s, as I said. So what was true then, may not be true now. However, where there are codes to be broken, that world is filled with FUD. No one in the Intel biz, especially code breakers, will tell you what they can and cannot do, and if they do, then there is an angle to it you don’t see.

NSA and the CIA love to mislead on all levels - it is part of their craft.

UUIDs were first used by the mil. Doing what I don’t know, but in using them, then they know how to break them. However, they were likely first used in the various spy satellite programs when they had to dump the data in areas where it could be intercepted. Now, I imagine much of that data is transferred from each spy satellite to the USAF’s X-37B and so returned to earth.

“Those algorithms are based on what humans do in picking passcodes ...” Who told you? And if they did, why are either of you still alive? That’s not the sort of info that would be bandied about in public, and if true, is likely classified Top Secret Crypto Codeword Eyes Only.

Fun to imagine a corporation can do what a specialized agency with over 60 years of experience, bottomless financial and manpower resources cannot ... but then stranger things have happened ...


39 posted on 03/10/2015 3:12:41 PM PDT by PIF (They came for me and mine ... now it is your turn ...)
[ Post Reply | Private Reply | To 37 | View Replies]

To: Swordmaker
There is a sculpture on the CIA grounds that has three encryptions on it. Two have been broken.

I think there are four encrypted messages, three have been deciphered or solved and they say one has not. Of course long ago I heard the agency with the "Key" in its symbol cracked it but denied doing so saying they simply gave up. No sale IMO. Their associates at NRO with the motto “Nothing is beyond our reach” probably didn't buy it either.

BTW the clandestine X-37, so secret they won't even say what its purpose is. But rest assured it's a super spook spacecraft...very classified.

Some say it can image and listen through reinforced walls from orbit. Or reprogram Chinese satellites, spoofing them with images which their satellites were not even programmed to image. Like sending back detailed pics of their own military installations. And X-37 can transmit data to the surface via lasers. Funny stuff.

40 posted on 03/10/2015 8:41:28 PM PDT by dragnet2 (Diversion and evasion are tools of deceit)
[ Post Reply | Private Reply | To 37 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
