
antonis

macrumors 68020
Jun 10, 2011
2,085
1,009
Since Steve is six feet under you'll never know if the government originally pulled that sealed NDA letter much earlier, as stated earlier plenty of companies/upper-management were forced into gov't spying or face jail/treason charges. You can throw around calling Tim(& other CEOs) a hypocrite but what would you rather have happen either Apple cease to exist in 2007-2012 or a government agency seizing the company/nationalizing by firing the board of directors until finding a puppet CEO/board?

I highly doubt any company would cease to exist denying something that was against the US constitution, to begin with. This is just an excuse that they have to make, for marketing reasons. The newspapers that posted Snowden's leaks (Guardian at first, and then with the cooperation of NYT) didn't cease to exist. NSA would never dare to force the richest company in the world (aka Apple) to close cause, if they did, their actions would be revealed (remember, nobody knew anything about the matter back then) and Snowden's leaks would be nothing compared to the waves of reactions such an event would trigger.

Don't get me wrong, here; Tim didn't do anything worse than any other IT company (of course this does not make him innocent, as well). It's just that he didn't do anything better, either. And, personally, I would expect more especially from Apple. Have you ever heard or seen Apple's "1984" ad shown at first Mac's presentation? It was about the "bad big brother" (presumably Microsoft) that Apple would rescue the users from.

Who could have imagined back then, that Apple would now be part of this "bad big brother"...
 

SteveW928

macrumors 68000
May 28, 2010
1,834
1,380
Victoria, B.C. Canada
... what would you rather have happen either Apple cease to exist in 2007-2012 or a government agency seizing the company/nationalizing by firing the board of directors until finding a puppet CEO/board?

Maybe we aren't so far from finding out...
New York Bill Would Force Apple and Other Manufacturers to Decrypt Smartphones
https://www.macrumors.com/2016/01/13/new-york-backdoor-decryption-bill/

If they say, you can't sell your product here unless... what will the companies do?

The rest of the tech community. Software developers aren't stupid people. They would notice very quickly if Apple tried to do this. And it would become a PR disaster for Apple and destroy their brand.

It depends on if they are looking, how hard, and if they're even able to. In the last year or two, we've seen major exploits to core code libraries that have been around for YEARS. Or, what about XCodeGhost?

Plus, if much of this is setup via man-in-the-middle attack, where any services going through these companies are encrypted to the company... unencrypted and scanned... then re-encrypted, no one will even know unless it gets revealed somehow. The service can't operate if the data stays encrypted... it's a matter of what's being done with it while it's decrypted.

I highly doubt any company would cease to exist denying something that was against the US constitution, to begin with.

The Constitution isn't in very good shape anymore... it's being misinterpreted, and it's rather irrelevant if the gov't doesn't abide by it. Have you been paying attention the last several years? Heard of CISA? It's now law.
 

KnighsTalker

macrumors regular
Dec 23, 2009
155
165
In the Web
Backdoors, we don't need no stinking backdoors... Unless of course we're talking about the government. Some of us know all too well how much the government really loves "stinking backdoors!"
 

happyfrappy

macrumors 6502
Oct 14, 2007
343
50
Location eh?
I highly doubt any company would cease to exist denying something that was against the US constitution, to begin with. This is just an excuse that they have to make, for marketing reasons. The newspapers that posted Snowden's leaks (Guardian at first, and then with the cooperation of NYT) didn't cease to exist. NSA would never dare to force the richest company in the world (aka Apple) to close cause, if they did, their actions would be revealed (remember, nobody knew anything about the matter back then) and Snowden's leaks would be nothing compared to the waves of reactions such an event would trigger.

Don't get me wrong, here; Tim didn't do anything worse than any other IT company (of course this does not make him innocent, as well). It's just that he didn't do anything better, either. And, personally, I would expect more especially from Apple. Have you ever heard or seen Apple's "1984" ad shown at first Mac's presentation? It was about the "bad big brother" (presumably Microsoft) that Apple would rescue the users from.

Who could have imagined back then, that Apple would now be part of this "bad big brother"...

Guardian UK was raided by UK security services, they demanded the computer+HDD or oversee the destruction of the hardware as a half-assed attempt to silence further local published content on UK soil(they had to rely upon their US office after the fact). Writers at Guardian/NYT were subject to excessive monitoring/spying, a newspaper didn't cease to exist but the actions by UK/US is far worse than what happened to writers who got insider info during Watergate & Vietnam. Take a look at Sharyl Attkisson something was done to her work computer and the investigation by the government blamed it on a stuck key on a MacBook Pro--getting a stuck key is rare & most people would know a stuck key vs hacked by remote desktop/unknown 3rd party tool such as Hacking Team. News vs tech company is comparing apples to oranges but in the modern world most news is afraid of hard hitting reports in fear of losing access to exclusive politician/WH interviews. The day Tim Russert died it was when the media lost its spine, Bob Schieffer was then the last political host to push tough questions.

I'd like you to say that to LavaBit's founder, the founder was forced into closing the company to focus upon suing the government--post Snowden leaks you still had companies told to just reset passwords if an account was either accessed/hacked by a foreign government until recently Google & others started a notification upon log-in.

Apple like Microsoft was stuck in a much more sticky situation, large enough mainstream marketshare with cloud services and politicians likely threatened their education/research/gov't contracts which may have influenced Apple to move away from the XServe/Corp market. I'm not saying the government would force Apple to close but if you cut off revenue flow like sanctions against a country it will damage a company in the long term and with the actions you've seen in Congress it wouldn't be shocking some fear mongering on Sunday politics shows as a method for voter outrage.

I've seen that Apple commercial, yet also had relatives and friends who came from former Communist countries and actions done by the US gov't is exactly what they always feared back in their home country.

Maybe we aren't so far from finding out...
New York Bill Would Force Apple and Other Manufacturers to Decrypt Smartphones
https://www.macrumors.com/2016/01/13/new-york-backdoor-decryption-bill/

If they say, you can't sell your product here unless... what will the companies do?

Plenty of states and Congress are pressuring this issue on the local weekend TV talk shows/radio shows, sadly politicians such as Rand Paul & Ron Wyden are spun as tinfoil wearing loons... worst part of that is the NSA spied on Congress leading up to Israel's PM visit & speech. If a government agency needs to spy on an allied country leader who is going to make a speech is extremely troubling.
 

antonis

macrumors 68020
Jun 10, 2011
2,085
1,009
Guardian UK was raided by UK security services, they demanded the computer+HDD or oversee the destruction of the hardware as a half-assed attempt to silence further local published content on UK soil(they had to rely upon their US office after the fact). Writers at Guardian/NYT were subject to excessive monitoring/spying, a newspaper didn't cease to exist but the actions by UK/US is far worse than what happened to writers who got insider info during Watergate & Vietnam. Take a look at Sharyl Attkisson something was done to her work computer and the investigation by the government blamed it on a stuck key on a MacBook Pro--getting a stuck key is rare & most people would know a stuck key vs hacked by remote desktop/unknown 3rd party tool such as Hacking Team. News vs tech company is comparing apples to oranges but in the modern world most news is afraid of hard hitting reports in fear of losing access to exclusive politician/WH interviews. The day Tim Russert died it was when the media lost its spine, Bob Schieffer was then the last political host to push tough questions.

I'd like you to say that to LavaBit's founder, the founder was forced into closing the company to focus upon suing the government--post Snowden leaks you still had companies told to just reset passwords if an account was either accessed/hacked by a foreign government until recently Google & others started a notification upon log-in.

Apple like Microsoft was stuck in a much more sticky situation, large enough mainstream marketshare with cloud services and politicians likely threatened their education/research/gov't contracts which may have influenced Apple to move away from the XServe/Corp market. I'm not saying the government would force Apple to close but if you cut off revenue flow like sanctions against a country it will damage a company in the long term and with the actions you've seen in Congress it wouldn't be shocking some fear mongering on Sunday politics shows as a method for voter outrage.

I've seen that Apple commercial, yet also had relatives and friends who came from former Communist countries and actions done by the US gov't is exactly what they always feared back in their home country.



Plenty of states and Congress are pressuring this issue on the local weekend TV talk shows/radio shows, sadly politicians such as Rand Paul & Ron Wyden are spun as tinfoil wearing loons... worst part of that is the NSA spied on Congress leading up to Israel's PM visit & speech. If a government agency needs to spy on an allied country leader who is going to make a speech is extremely troubling.


This is true, Guardian was raided by GCHQ agents and forced to destroy their hard disks containing E. Snowden's files. But that was done in UK where the laws regarding journalism independence are weaker. Much weaker. That was why Guardian continued to post from US with the NYT's cooperation. They were protected by the US constitution.

In any case, I don't think a company with Apple's size and global influence would face any real danger. The fact that they were the last to join also says a lot. Besides, Tim Cook has repeatedly complained about NSA's tactics along with Google and Yahoo as "something that hurts company's marketing and finances outside US, especially in Europe and Asia". Of course, nobody can blame him for worrying about the financial damage the NSA tactics do to Apple. But he is also not the champion of human rights, either. Just another CEO with company's income in mind.
 

gnasher729

Suspended
Nov 25, 2005
17,980
5,565
Bingo, if the government wants to put backdoors into everything they'd have to arrest/disappear anyone with an encryption/linguistics background only to deal with banning overseas devices which aren't "crippled".

The RSA algorithm is widely known:

If p is a prime, and 1 ≤ a < p, then a^(p - 1) = 1 (modulo p). (Fermat's Little Theorem, stated in 1640).

If p is a prime of the form p = 3k + 2, and y = x^3 (modulo p), then x = y^(2k + 1) (modulo p): That is because y^(2k + 1) = (x^3)^(2k + 1) = x^(6k + 3) = x^((p-1) + (p-1) + 1) = x^(p-1) * x^(p-1) * x = 1 * 1 * x = x (modulo p).

If pq is the product of two large prime numbers p and q, both of the form 3k+2, and we are given x and the product pq, then we can easily calculate y = x^3 modulo pq. The only known way to find x is to factor the product pq = p * q, calculate y modulo p and y modulo q, use the method above to calculate x modulo p and x modulo q, and use the Chinese Remainder Theorem (published by Sun Tzu some time in the third to fifth century) to calculate x.

And that's the whole of RSA: You calculate two large primes p and q of the form 3k+2, use the pair (p, q) as the private key and the product pq as the public key, and that's it. To send an encrypted message x, you use the public key to calculate y = x^3 (modulo pq). To decrypt the message y, you need the private key (p, q) and use the algorithm above to calculate x. And if p and q are large, say 2048 bits (about 600 digits) then there is no way on earth to find p and q from pq. The bad news is that now the government must arrest/disappear any MacRumors readers.
Plus, if much of this is setup via man-in-the-middle attack, where any services going through these companies are encrypted to the company... unencrypted and scanned... then re-encrypted, no one will even know unless it gets revealed somehow. The service can't operate if the data stays encrypted... it's a matter of what's being done with it while it's decrypted.

Wrong in the case of iMessage. The way that iMessage works: Your phone has created an encryption key that anyone can use to encrypt data that only your phone can read. If I send you an iMessage, then Apple sends your encryption key to my phone, my phone encrypts the message, and sends the encrypted message via Apple to your phone; only your phone can decrypt it. Apple could create a man in the middle attack: Ask your phone for your encryption key. Send _Apple's_ encryption key to my phone. My phone encrypts the message with Apple's encryption key. Apple decrypts and stores the iMessage, encrypts it again with your key and sends it to your phone. The problem is that any hacker sending a message can find out which encryption key was used to encrypt the data, and we would find out that I didn't encrypt the message with _your_ encryption key. There's no need for "revealing" anything, it would be obvious (to anyone knowing how to look for it).
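
The scheme and the key check described in this post, as an added Python example that is not part of the original post: exponent-3 RSA with primes of the form 3k + 2, decryption through the Chinese Remainder Theorem, and a sender-side comparison of the key a server hands out against a fingerprint of the recipient's real key. The fingerprint function, the out-of-band trusted fingerprint and all names are assumptions for illustration; this is unpadded textbook RSA, whereas deployed systems add padding such as OAEP.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a proves n composite
    return True


def gen_prime_3k2(bits):
    """Random prime of the form 3k + 2, so that cubing is invertible mod p."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if cand % 3 == 2 and is_probable_prime(cand):
            return cand


def keygen(bits=512):
    """Private key is the pair (p, q); public key is the product pq."""
    p = gen_prime_3k2(bits)
    q = gen_prime_3k2(bits)
    while q == p:
        q = gen_prime_3k2(bits)
    return (p, q), p * q


def encrypt(x, public):
    """y = x^3 (modulo pq); needs only the public key."""
    return pow(x, 3, public)


def cube_root_mod_prime(y, p):
    """x = y^(2k+1) (modulo p) for p = 3k + 2, by Fermat's Little Theorem."""
    k = (p - 2) // 3
    return pow(y, 2 * k + 1, p)


def decrypt(y, private):
    """Recover x modulo p and modulo q, then combine the two with the CRT."""
    p, q = private
    xp = cube_root_mod_prime(y % p, p)
    xq = cube_root_mod_prime(y % q, q)
    h = ((xq - xp) * pow(p, -1, q)) % q           # Garner's form of the CRT
    return xp + p * h


def fingerprint(public):
    """SHA-256 over the public modulus (assumed fingerprint format)."""
    raw = public.to_bytes((public.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).hexdigest()


def key_was_substituted(served_public, trusted_fingerprint):
    """True when the key handed to the sender is not the recipient's key."""
    return fingerprint(served_public) != trusted_fingerprint


if __name__ == "__main__":
    recipient_priv, recipient_pub = keygen(256)
    _, other_pub = keygen(256)                    # constructed stand-in for a swapped key
    trusted = fingerprint(recipient_pub)          # assumed to be verified out of band
    msg = int.from_bytes(b"meet at noon", "big")  # constructed sample message
    assert decrypt(encrypt(msg, recipient_pub), recipient_priv) == msg
    print("honest key flagged:  ", key_was_substituted(recipient_pub, trusted))
    print("swapped key flagged: ", key_was_substituted(other_pub, trusted))
```
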
 

zioxide

macrumors 603
Dec 11, 2006
5,737
3,726
The RSA algorithm is widely known:

If p is a prime, and 1 ≤ a < p, then a^(p - 1) = 1 (modulo p). (Fermat's Little Theorem, stated in 1640).

If p is a prime of the form p = 3k + 2, and y = x^3 (modulo p), then x = y^(2k + 1) (modulo p): That is because y^(2k + 1) = (x^3)^(2k + 1) = x^(6k + 3) = x^((p-1) + (p-1) + 1) = x^(p-1) * x^(p-1) * x = 1 * 1 * x = x (modulo p).

If pq is the product of two large prime numbers p and q, both of the form 3k+2, and we are given x and the product pq, then we can easily calculate y = x^3 modulo pq. The only known way to find x is to factor the product pq = p * q, calculate y modulo p and y modulo q, use the method above to calculate x modulo p and x modulo q, and use the Chinese Remainder Theorem (published by Sun Tzu some time in the third to fifth century) to calculate x.

And that's the whole of RSA: You calculate two large primes p and q of the form 3k+2, use the pair (p, q) as the private key and the product pq as the public key, and that's it. To send an encrypted message x, you use the public key to calculate y = x^3 (modulo pq). To decrypt the message y, you need the private key (p, q) and use the algorithm above to calculate x. And if p and q are large, say 2048 bits (about 600 digits) then there is no way on earth to find p and q from pq. The bad news is that now the government must arrest/disappear any MacRumors readers.

Wrong in the case of iMessage. The way that iMessage works: Your phone has created an encryption key that anyone can use to encrypt data that only your phone can read. If I send you an iMessage, then Apple sends your encryption key to my phone, my phone encrypts it, and sends the encrypted message via Apple to your phone; only your phone can decrypt it. Apple could create a man in the middle attack: Ask your phone for your encryption key. Send _Apple's_ encryption key to my phone. My phone encrypts with Apple's encryption key. Apple decrypts and stores the iMessage, encrypts it again with your key and sends it to your phone. The problem is that any hacker sending a message can find out which encryption key was used to encrypt the data, and we would find out that I didn't encrypt the message with _your_ encryption key. There's no need for "revealing" anything, it would be obvious (to anyone knowing how to look for it).


Great post. Glad to see someone else on here who actually understands how encryption works.
 

gnasher729

Suspended
Nov 25, 2005
17,980
5,565
Currently, while encryption is very very good, we can still detect when something is encrypted. The holy grail of encryption is where the message is both encrypted, and the encrypted transmission is indistinguishable from noise.
Why would you transmit noise? Transmitting something indistinguishable from noise means most likely you are transmitting encrypted data. You'd want encrypted data that is indistinguishable from real data.
Don't worry about the back door when the front door is wide open. Remember the Fappening where Apple leaked customers' orifice pictures all over the internet.
There has never been any evidence that Apple leaked anything.

Fact of life is that you need to secure your data with secure passwords, and if you are a person where many people would spend lots of time to get access to your data, then your passwords must be even more secure.
 

zioxide

macrumors 603
Dec 11, 2006
5,737
3,726
There has never been any evidence that Apple leaked anything.

Fact of life is that you need to secure your data with secure passwords, and if you are a person where many people would spend lots of time to get access to your data, then your passwords must be even more secure.

Yup. That happened because of social engineering and dumb celebrities failing to properly secure their accounts. Turns out you shouldn't use stuff like "What city were you born in?" as a "security question" when you are a world famous celebrity and the city you were born in is listed on your Wikipedia page.

The only blame you can give Apple is the fact that they were still using security questions to secure customers' accounts. Security questions are notoriously insecure.
 

oneMadRssn

macrumors 603
Sep 8, 2011
6,005
14,076
Why would you transmit noise? Transmitting something indistinguishable from noise means most likely you are transmitting encrypted data. You'd want encrypted data that is indistinguishable from real data.

Not transmit noise, transmit data in a way that an outside observer would be unable to distinguish it from noise. If you're transmitting data, encrypted or not, an observer knows you are transmitting something. This in and of itself is useful information. The observer can make a copy of it for later, even if it's encrypted, to decrypt later once the key is known or a vulnerability is discovered. If the transmission is indistinguishable from noise, the observer wouldn't know what to copy, nor would the observer even know anything is being transmitted.
 

antonis

macrumors 68020
Jun 10, 2011
2,085
1,009
Really? The NSA is some omnipotent God, that they can break anything or coerce anyone? Really? Just who needs a reality check?

Yes, really. Edward Snowden said that many times. Do you think that they got all this trouble installing interception mechanisms all over the world's internet central nodes, so they will be stopped by an SSL encrypted message? If anyone could have an excuse of being unsuspecting or ignorant about these things before, nobody has an excuse after Snowden's leaks.

Just check the NSA's PRISM project and how it bypasses encryption. I'm sorry, but this is the world we are living in, and we have to deal with it if anything is to be changed.
 

SteveW928

macrumors 68000
May 28, 2010
1,834
1,380
Victoria, B.C. Canada
In any case, I don't think a company with Apple's size and global influence would face any real danger.

I think a lot of information gathering and control often involves various means of blackmail, and nearly everyone's got dirt. But if the US gov't really wanted to take Apple down, it wouldn't be all that hard. A few court cases here... a few targeted judgements or restrictions there... and the biggest and most effective propaganda machine the world has ever seen.

Turns out you shouldn't use stuff like "What city were you born in?" as a "security question" when you are a world famous celebrity and the city you were born in is listed on your Wikipedia page. ... The only blame you can give Apple is the fact that they were still using security questions to secure customers' accounts. Security questions are notoriously insecure.

Or, your answer to, "What city were you born in?" is something like: kcs26TsD7CMOfH8KYZmB
But yea, why any companies are still using stupid stuff like that is kind of crazy.

Yes, really. Edward Snowden said that many times. Do you think that they got all this trouble installing interception mechanisms all over the world's internet central nodes, so they will be stopped by an SSL encrypted message? If anyone could have an excuse of being unsuspecting or ignorant about these things before, nobody has an excuse after Snowden's leaks.

Just check the NSA's PRISM project and how it bypasses encryption. I'm sorry, but this is the world we are living in, and we have to deal with it if anything is to be changed.

I'm no expert on the area, but I think there is a lot of specialized hardware involved. Just like companies like Cisco and such are putting a lot more time into building limiting and packet inspecting equipment, rather than increasing speed.

I think the only way you're relatively safe is if you end-to-end encrypt or VPN with an un-compromised service or system... how to know which? And, *most* of our data isn't going point to point like that, but to or through some kind of service, where it gets decrypted for some purpose, and that's the easy place to get access.

All I know is that if there is some way, they'll do it.
 

happyfrappy

macrumors 6502
Oct 14, 2007
343
50
Location eh?
Man-in-the-middle packet inspection has been done for years via ISPs who traffic shape or cache which boosted Cisco R&D beyond gov't programs. After the Enron/Worldcom meltdowns it created the SOX Act to require companies to maintain a digital archives of internal server/LAN/internet usage which in turn fueled Cisco and other network hardware maker profits.

The RSA algorithm is widely known

RSA was originally deployed for e-commerce if I remember from most 90s era tech magazines, some security researchers still point at the possibility of a backdoor since the gov't funded/influenced it just like Tor but unless a code audit happens it leaves conspiracy theorists wetting their pants.
In my opinion RSA is far different than independently developed hardware or software encryption. I'd rather see a higher bit-rate RSA used for e-commerce/health records but we all know gov't either drags their feet or waits until the worst happens(ex: finally chipping credit cards)
 

antonis

macrumors 68020
Jun 10, 2011
2,085
1,009
I think a lot of information gathering and control often involves various means of blackmail, and nearly everyone's got dirt. But if the US gov't really wanted to take Apple down, it wouldn't be all that hard. A few court cases here... a few targeted judgements or restrictions there... and the biggest and most effective propaganda machine the world has ever seen.



Or, your answer to, "What city were you born in?" is something like: kcs26TsD7CMOfH8KYZmB
But yea, why any companies are still using stupid stuff like that is kind of crazy.



I'm no expert on the area, but I think there is a lot of specialized hardware involved. Just like companies like Cisco and such are putting a lot more time into building limiting and packet inspecting equipment, rather than increasing speed.

I think the only way you're relatively safe is if you end-to-end encrypt or VPN with an un-compromised service or system... how to know which? And, *most* of our data isn't going point to point like that, but to or through some kind of service, where it gets decrypted for some purpose, and that's the easy place to get access.

All I know is that if there is some way, they'll do it.

Agreed to all of the above. It's just that Snowden's leaks mention that not all CEOs reacted the same way. E.g. Microsoft was the first to offer backdoors to their systems (among IT companies, since phone carriers had accepted NSA's tactics way before them). Microsoft even wrote code for NSA so they can decrypt hotmail and outlook messages in real time, in order to support PRISM project.

Apple was outside of all these up until 2012. Heck, Snowden said that they can now even turn iPhones to microphones without the user even knowing.
 

zioxide

macrumors 603
Dec 11, 2006
5,737
3,726
Apple was outside of all these up until 2012. Heck, Snowden said that they can now even turn iPhones to microphones without the user even knowing.

Didn't that require them intercepting the physical device in order to install a root kit?
 