SN 938: Apple Says No

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

I both agree with and understand Apple’s position on the whole issue of the government demanding that we break encryption, but more and more of our lives are on our phones, so I feel like, in the future, that’s where the evidence will be.
The dangers around the false positives are not unfounded, so weakening encryption would be problematic, but it’s all very well us complaining about mass surveillance. Then, when someone like the Manchester Arena bombing or a school shooting happens, we wish something could have been done to prevent the loss of life.
In most cases, law enforcement might have all the tools they need for the low-level stuff, including a lone shooter. Still, where the attacks are organized, there is an argument that if we could see into WhatsApp and iCloud Photos and things like that, then maybe we could prevent the loss of life and ensure that none of the suspects harm anyone. But then, we get into the privacy issue and the fact that most people’s conversations are so mundane as to be uninteresting to law enforcement.
I’m not sure that I agree with the slippery slope argument, which seems like the same logic that is being used to say that AI will bring about the end of the world because, surely, everything is a slippery slope, and by that logic, no technology would ever be invented, and we’d be stuck in caves with nothing to amuse us.
I also can’t help thinking that it serves Apple’s business purposes to be able to say that they care about users’ privacy.
On the whole web browser’s ability to examine the DOM using Javascript, you might have just given airtime to a fake security researcher. Of course, the entire DOM needs to be in the clear. You have Javascript text-to-speech and screen readers that need to be able to read the HTML. Not to mention that password managers couldn’t fill in your password if you obfuscate the input fields.

Say it with me. It is NOT possible to selectively have encryption (at least not any that is more than security theatre.) Either we have safety for everyone’s content, or no one’s content. It’s binary. (If not initially, then always in the end, because who watches the watchers.) Choose your future: Do you want a government that surveils your every bowel movement, or do you want a future where you still have some small specs of privacy.

1 Like

I do actually agree with you

With regard to the browser add-in vulnerability.

Why was Steve surprised that the IRS site holds the social security number in plain text on the page? It is the same with banking apps, they show your account number and name.

Once you have logged onto the website, it will display your identity (and I assume the social security number is the unique identifier in the USA), so you know you are logged on as yourself and are seeing the information you should be seeing.

It is poor design, that the add-ins get access to this information, but then, some add-ins need this sort of access, E.g. password managers. And things like Google storing the password is bad.

Which is why the argument is so important. This is where all our sensitive and confidential information is being stored these days. The last thing we need is a way for the bad guys to have a way to break encryption. Backdooring the encryption (i.e. stop using working encryption and put up something that is broken and allows “authorities” to view traffic or information at rest) only works for a few hours, or maybe a few weeks. But those backdoor keys will leak quickly.

Just look at the UK over the last month, at least 3 police forces “accidentally” put their full employee information online - officers’ and civilians names, addresses, pay grades, ranks etc. - for anyone to see, and you think we should trust them with the keys to everybody’s private information? How are you going to trust them with all of your information, when they can’t even keep their own confidential information private?

And this only inconeniences the law abiding citizens. It won’t affect those trading questionable material or communicating nefarious information. Secure encryption is already out there and can’t be taken back, so criminals will contiue to use secure storage and communications for their illegal information - it is already illegal, so breaking another law is no skin off their nose - whilst the rest of us are stuck with worthless “fauxcryption” that allows anyone, from the police, security agencies, hackers and Mrs. Miggins at number 52 doing neighbourhood watch full access to our data.

I know weakening encryption is problematic, and I’ll agree with you. Still, my issue is that all I hear from those currently in the industry is that this can’t be done safely, and sometimes I can’t help thinking that, as bright as Facebook, Apple, and Google’s engineers are, they’d be able to come with something if they put their heads together.

And regarding maths being immutable, wasn’t the earth supposed to be flat until it was discovered to be spherical?

It’s not a math problem, it’s a social problem. Assuming you can encrypt everything so there is a back door, who do you trust to open that back door and for what reasons. Humans being what they are, corruption will always creep in, and that back door will be misused for all sorts of “off brand” accesses. Politicians will sneak a peek at what their opposition is up to, banks will sneak a peek at what other banks are doing, industrial businesses will conduct espionage on their competition, and on down the line…

Backdoor systems always operate on a secret, and that secret will always escape. In the history of humanity, there has always been someone who will sell out, become power hungry, or just think they know better than everyone else.

1 Like

They might be bright web developers, but they are cryptographers. There are a few dozen people world-wide who really understand the topic in enough depth. This is why one of the crypto libraries had problems, the guy maintaining it retired and there were no programmers with cryptography who could understand it and there were no cryptographers with sufficient secureprogramming knowledge that could take on the work.

The devs at Apple, Facebook and Google know enough that this cannot be done.

The problem is, those that know about cryptography and those that know enough about cryptograhy to implement it in actual systems know that what is being asked can’t work. But the people who are asking for this to be done have never studied mathematics, never studied cryptography and haven’t got a clue what they are talking about, other than soundbytes like “think of the children” are saying it can and must be done.

Who are you going to believe? Mathematicians who have studied the subject for decades or a politician trying to curry favour with voters, who failed algebra at school? I think the Australian PM summed it up nicely, when someone pointed out that the Laws of Mathematics wouldn’t allow this, he said something along the lines of Australian Laws are the only laws that count and the laws of mathematics could go take a long walk off cliff… :man_facepalming:

It is possible, with quantum computers, that this will become irrelevant and all existing encryption can be easily broken, which is why mathematicians are working on quantum secure encryption now.

The other problem is, the mathematics of secure encryption already exists. If you define a new, broken encryption that has a back door, you are only putting honest citizens at risk. Real criminals will take the math and run and set up their own secure servers to communicate with one another and store their images securely. And if they wait a few days or weeks, they’ll be able to get their hands on the backdoor key to the broken encryption that the masses are using and be able to spy on honest citizens, just like government agencies.

This was tried back in the 1990s, with the Clipper Chip, which the US government wanted to mandate was built into every motherboard, it would provide encryption with a back door… Only the secret for opening the Clipper chip had leaked long before the chip went into production!

The same arguments were used back then for why it was necessary and the same sorts of experts said it was pointless and dangerous. It seems that governments and activits around the world are turning Santayana’s grave into a perpetual motion machine.

Yes, some considered it flat, until Mathematics had advanced enough to be able to prove it was round. That work was done by Pythagoras of Samos and Erastothenes of Kyrene over 2,300 years ago.