Apple, FBI, and hacking iPhones

Discussion in 'Random Thoughts' started by purr1n, Mar 15, 2016.

  1. SoupRKnowva

    SoupRKnowva Official SBAF South Korean Ambassador

    Pyrate Contributor
    Joined:
    Sep 26, 2015
    Likes Received:
    4,318
    Trophy Points:
    93
    Location:
    Austin, TX
    There's no 6 digit minimum in iOS 9, you can still use a 4 digit pin if you want to, they just highly encourage the 6 digit one, that's why it's the default option when you are putting in the pin in the first place.

    Brute forcing the storage itself would be futile, even for the NSA, even if they had all the computer power in the world at their fingertips to try to crack the encryption on the drive.
     
  2. purr1n

    purr1n Desire for betterer is endless.

    Staff Member Pyrate BWC
    Joined:
    Sep 24, 2015
    Likes Received:
    90,073
    Trophy Points:
    113
    Location:
    Padre Island CC TX
    That's exactly what I am getting at. The Apple fanboys don't get it.

    I repeat: A developer of a data protection product should develop an overall system where they simply can never be in a position of being able to aid others breaking their data protection schemes.

    This is not security best practice, this is common sense.
     
  3. SoupRKnowva

    Well sure, it's all a balance like I said, and I'm pretty sure this case will push that balance in the direction of security even if that means a few people lose all access to their data as a result.
     
  4. purr1n

    Dammit. You mean data transmitted to iCloud is NOT encrypted? You mean I can sniff that shit? Is data at-rest on iCloud encrypted?
     
  5. SoupRKnowva

    No, not at all, the data is encrypted, Apple just has a key as well, that is why they can give the information to the FBI.

    Edit: I'm saying that after this the data on iCloud will more than likely be encrypted the same as the data on your phone, so even they can't get to it.
     
  6. drfindley

    drfindley Secretly lives in the Analog Room - Friend

    Pyrate
    Joined:
    Sep 25, 2015
    Likes Received:
    1,533
    Trophy Points:
    93
    Location:
    Austin
    Correct. What's scary to me is how often this isn't the case, especially with cloud data.

    It's encrypted on transmission, I'm not sure if it is at rest or not. I believe the problem is Apple has a master key. Also, see your comment above.
     
  7. purr1n

    The iPhone as it currently is, is more secure than the Cloud. Cloud vendors can claim AES256 or whatever; but ultimately, the Cloud is a managed service. A managed service, whether it be infrastructure, platform, or app, means that someone else will have the keys to your data, and that the government can always ask for the keys. At least Apple has a reasonable excuse: no fricking way the government can compel us to write code for it.
     
  8. SoupRKnowva

    And there is always the fact that you aren't ever forced to use the cloud, you can do your backups locally and encrypt them as well if you like.

    But I guess all of that is for naught if you use TouchID, as apparently the government can force you to unlock your phone with your fingerprint, even if they can't compel you to give them your passcode. But all that only matters when it comes to the government; for the typical person, using TouchID is vastly better than either using an insecure code or no code at all, which I think the majority of people still don't.

    Though that is part of the reason why a lot of people want Apple to build in like a "burn" finger for TouchID, so that you could add a finger that would wipe the phone if you used it on the TouchID sensor.
     
  9. aufmerksam

    aufmerksam Friend

    Pyrate
    Joined:
    Sep 28, 2015
    Likes Received:
    1,337
    Trophy Points:
    93
    Location:
    E. Lansing, MI
    Government can compel you to give your passcode, they just have little recourse (contempt?) if you refuse. By contrast, they can physically take your finger and touch it to your sensor if you get cute about complying with an order to unlock by TouchID.
     
  10. drfindley

    The way around this is to just shut down/reboot your phone. This is one reason why you're forced to type in a passcode on reboot.
     
  11. drfindley

    The way around this is for all of the data to be encrypted and the service just passes around metadata and deletes it once it's done.

    Message services can be encrypted completely end to end and the service won't have access to any data and can toss metadata once the delivery is finished. Dropbox could encrypt everything before it sends it with your key the company doesn't have.

    Things like hosted emails are tougher as you have to give your key to the service to unlock the email for you.
     
  12. JewBear

    JewBear Almost "Made"

    Joined:
    Sep 28, 2015
    Likes Received:
    270
    Trophy Points:
    63
    A secure enclave that loses encryption keys on flashing is probably Apple's future solution. An alternative is increasing the rounds of password-based encryption key derivation so that each attempt actually takes 1+ seconds to process. This of course introduces UI issues but it is technically the most secure option as brute-forcing is made radically harder. Any firmware-based method introduces potential security flaws. Increasing the key derivation time is not bypassable.
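
The key-stretching idea in the post above, as an added example that is not part of the thread and not Apple's scheme: it calibrates an iteration count to a target per-attempt time, then bounds how long trying every 4- or 6-digit code would take at that rate. PBKDF2-HMAC-SHA256, the salt value, and all function names are assumptions chosen for illustration.

```python
import hashlib
import time

# Constructed sample values; a real device would use a random per-device salt.
SALT = b"constructed-sample-salt"
PROBE_ITERATIONS = 20_000


def derive_key(pin: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a numeric passcode into a 256-bit key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)


def seconds_per_derivation(iterations: int) -> float:
    """Measure the wall-clock cost of one derivation on this machine."""
    start = time.perf_counter()
    derive_key("000000", SALT, iterations)
    return time.perf_counter() - start


def calibrate_iterations(target_seconds: float) -> int:
    """Scale a short probe run linearly to the iteration count that costs
    about target_seconds per attempt; never go below the probe count."""
    per_iteration = seconds_per_derivation(PROBE_ITERATIONS) / PROBE_ITERATIONS
    return max(PROBE_ITERATIONS, int(target_seconds / per_iteration))


def exhaustive_search_seconds(pin_digits: int, seconds_per_guess: float) -> float:
    """Upper bound on sequential search time over every PIN of this length."""
    return (10 ** pin_digits) * seconds_per_guess


if __name__ == "__main__":
    rounds = calibrate_iterations(1.0)  # the post's "1+ seconds" per attempt
    measured = seconds_per_derivation(rounds)
    print(f"{rounds} rounds -> {measured:.2f} s per attempt on this machine")
    for digits in (4, 6):
        hours = exhaustive_search_seconds(digits, measured) / 3600
        print(f"{digits}-digit PIN: up to {hours:,.1f} hours to try every code")
```

The per-attempt time is measured on the machine running the script, so the bound only holds where each guess has to be derived on comparable hardware.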
     
  13. Deep Funk

    Deep Funk Deep thoughts - Friend

    Pyrate
    Joined:
    Sep 27, 2015
    Likes Received:
    9,029
    Trophy Points:
    113
    Location:
    Amsterdam
    Aha, that changes things. I do not like it when governments and their agencies demand backdoors and everyone pretends it is fine.

    This is a strange case and for security reasons I understand the use of a backdoor. But when you look at the unlimited gathering of data and metadata and claims of increased security, contrasted by failures to prevent acts of violence and terrorism, you start to have doubts. As if Sauron's big eye in the LOTR has bad eyesight but still insists on seeing everything in Mordor. F**k Sauron for being stupid, find a better solution.
     
    Last edited: Mar 19, 2016
  14. purr1n

    I don't feel it's right for the government (lacking the explicit laws to do so) to compel Apple to spend more than a few minutes of effort to crack the encryption. However, I also feel that Apple should simply do the right thing and assist the FBI to see what that crazy Islamist guy was up to, i.e. terrorist organization associations, etc.

    If Apple eventually fixes its iPhone data protection scheme so that even they can't help crack it, so be it. Apple needs to maintain its image that it is "cool" and "with it" given that many of their customers see Snowden as a hero. Apple is very smart and knows that perception is reality.

    The problem with the USA is that the legislation isn't there for protecting personal information and obtaining personal information (from government, corporations, etc.). Europe, Canada, and Australia actually have more powerful legislation protecting personal information from government and corporations. In the USA, a company can pretty much find out everything and anything about their employees. It's actually frightening.
     
    Last edited: Mar 19, 2016
  15. mtoc

    mtoc SBAF's Resident Shit-Stirrer

    Banned
    Joined:
    Oct 22, 2015
    Likes Received:
    85
    Trophy Points:
    28
    Never have a chance to use those Apple things. They are decent as hell, people said.
     
